I am not opposing the fact that WPA2 authentication can be cracked. That is all too well known.
What I don’t see is why some bad actor would want to bother to sniff out some Joe Average’s hidden SSID for IoT devices? Besides, no MAC address is allowed to connect to that network other than the known ones.
Thus as for the time being I see no urge to throw all RM’s away just to jump on the ESPHome train.
It might be a bright and sunny day but you don’t see it
The average joe’s hidden wifi with mac positive list is nothing but snake oil. Both are not measures to secure a network. Decloaking hidden wifi or mac spoofing is nothing new. Joe certainly put his faith in the wrong people…
But again, what you (or joe) does with his private network is up to him.
The problem starts when suggesting to use broken/weak/obsolete WEP/WPA/WPA2 (without PMF) and furthermore making false claims that their weaknesses could be mitigated by hiding an SSID or limiting access by MAC.
There is no way a device can connect using MAC spoofing unless it has physical access to the network or knows the address in advance. Even in the link you quoted it is explicitly mentioned “… in MAC address spoofing the response is usually received by the spoofing party if MAC filtering is not turned on making the spoofer able to impersonate a new device”.
If you make use of WPA2 without protected management frames (802.11w) all devices permanently broadcast their MACs in plain text. That means the MAC address is known in advance and physical access is not necessary.
For the same reason (plaintext management frames) deauth attacks are possible.
But WEP, WPA or WPA2 (without 802.11w) is not the way to go in 2024!
The weakest link in your network is always the weakest device! It can be that you put all the snake oil techniques in place that people with little expertise ramble about (MAC positive list and what not) but still this all doesn’t mitigate the severe downgrade you do when not using WPA3 (or WPA2 with 802.11w).
In the end you might have 99 devices that support 802.11w and one broadlink device that isn’t capable. Depending on your AP you might need to downgrade all 100 devices to make use of WPA2 without PMF, which greatly exposes your wireless communication and allows denial-of-service attacks that can’t be properly mitigated.
A little bit like groundhog day… over 20 years ago I had people that just continued using their WEP-only capable devices (like a roku internet radio)… not for too long, as their network was compromised quickly.
Still you find “experts” that will still suggest to try WEP so you get your hardware with super sh*tty software support running - maybe…
There’s at least one report that changing to WEP made the SSID show up on the Roku.
@Tamsy I would highly suggest you talk to a professional for a second opinion. You probably will hear what you don’t want to hear… But instead of dumping your broadlink device right away (and upgrading your wifi to make use of 802.11w) you could also just invest $2 and put an esp32-c3 (supermini) inside so the device can continue to do its thing for another decade or two in a safe way. Besides, you extend the functionality of your device, as it can also handle bluetooth this way and work as a proxy for HA, as an example.
Brand: none
Model: ESP8285 based
Link to exact product: https://de.aliexpress.com/item/1005005777409596.html
Protocol: WIFI
HA Integration: ESPHome
In use since: 2022?
Number of this item in use: 1
Positive:
Easy to flash
Local
You can add more things to it
DIY
Dirt cheap
Very small
Negative:
DIY
No case
My rating (1-5, 1 being bad, 5 being super): 4.5
Comment: you can solder other components to the board, it’s not easy but it’s doable.
The LED can be desoldered and extended using cables.
Well, I am a professional working as a system integrator and system administrator for over 30 years now and I am surrounded by IT pros in a data center nearly every single working day.
Nevertheless I regard using WPA2 authenticating devices until their “natural deaths” (caused by hardware failure) as still feasible at this time and I am convinced the risk of my RMs getting de-authenticated within a guarded housing estate is negligible. Maybe I have to point out that I am not talking about WEP here.
BTW, I have quite a few ESPHome based devices including bluetooth-proxies in place already since I have started this HA-journey.
Hey orange. I realize this post is getting a bit old but I was hoping you could do me a favor… can you find a current link to this product? Or just an image to show me which to look for?
I tried but didn’t find the exact device I have… still it is essentially enough to have any device that’s supported by esphome … so like an esp82xx, esp32, beken or realtek chips…
Thanks. I mostly just want to avoid having to swap a module. I have some extra esp32-c2 superminis that I believe would fit, but I have less time to play with than I did 5-10 years ago. I ordered this https://a.aliexpress.com/_mrXCjUG and will report back for anyone interested what my experience is like. Thanks again for the reply.
For anyone interested… I received this device in the mail yesterday, played around with it (until way too late) last night, and it seems to be doing everything I want it to do. The item I linked is IR only so it does not have 315/443. Ignore the wires other than brown, white, and black. Those are connected to clearly marked (on the board, not in my pic) pads for rx/tx/gnd.
This page is about the exact board that I linked.
This page has this pinout. I thought it was odd that the button on pin 9 was not mentioned since that is the easiest to determine, but… button is pin9. For me there is no use case for it, but that’s where it is.
I backed up the stock image with ltchiptool, then used that same tool to flash a binary that can now be made directly in esphome gui.
I used one of these cheap CH340 programmers from Amazon, connecting only rx/tx/gnd and powering with the on-board type C port of the board. Quick tip on that… if you are simple like me and connect rx to rx you might waste some time troubleshooting.
There’s nothing fancy in my esphome yaml and there probably won’t be because my only goal here is to not send data through the internet (possibly to the other side of the planet) and back just to turn on my AC. Formatting was annoying me on here, so I used pastebin.
Have you increased the bandwidth on the frequency you are using? I had similar problems with devices and increasing bandwidth from 20 to 40 MHz in the router fixed this.
Kincony KC868-AG ESP32 WiFi IR RF. Wish they sold just an IR version. They also have a Pro version with Zigbee, ESP32, and a tasmota chip. Still don’t understand why it has both. Can be set up in ESPHome but their built-in software is nice. It can connect to an MQTT broker and can be an http/https server to send IR commands via http_request commands.
If you’re that worried about WiFi and smart home devices, set up a VLAN, put all your IoT/smart home devices on it and only allow traffic from your HA server on your main LAN; that way if something does happen all it could do is talk to one machine on your network. They would have to hack or brute force to get into your HA server and I find that practically impossible if you use 2FA. If you don’t want to mess with your router settings, or your router doesn’t have VLAN settings, then don’t complain about security; there are so many free options that require a maybe 100 dollar PC, just needs 2 NICs. Then install pfSense or OPNsense. Honestly, just doing that will help you security wise.
Mesh setups are convenient but they tend to be poor in the features and capability department, sometimes the security department also. I still remember when some script kiddies hacked a bunch of routers and sent DDOS attacks that brought down Xbox live and PSN. Mostly sent from compromised routers, granted that was a while ago, but one thing remains the same. Router makers suck at security patches and updates because they already sold you the hardware. Hardwire when it has a NIC but mostly due to speed and reliability but there is an extra layer of security to some degree depending on how you configure your network.
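The VLAN isolation described above ("only allow traffic from your HA server on your main LAN"), sketched as an nftables forward policy for a Linux box with two NICs. This is an added example, not from any poster in this thread; it uses nftables in place of the pfSense/OPNsense rules mentioned, and the interface names `lan0`/`iot0` and the HA address `192.168.1.10` are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: interface names and addresses below are assumptions,
# not values from the thread. Adjust to your own LAN/IoT segments.
# Scope: traffic routed between segments only. Services on the router
# itself (DHCP, DNS for the IoT segment) belong in an input chain.

define LAN_IF = "lan0"          # main LAN, where the HA server lives
define IOT_IF = "iot0"          # IoT VLAN / second NIC
define HA_IP  = 192.168.1.10    # Home Assistant server (assumed address)

table inet iot_isolation {
    chain forward {
        # Default-deny for anything routed between segments.
        type filter hook forward priority 0; policy drop;

        # Let replies flow for connections that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Only the HA server may open connections into the IoT segment
        # (the ESPHome native API connection is initiated by HA).
        iifname $LAN_IF oifname $IOT_IF ip saddr $HA_IP accept

        # An IoT device may not start a connection to anything else:
        # not the main LAN, not the internet. Log so a device that
        # suddenly tries to phone home shows up in the journal.
        iifname $IOT_IF log prefix "iot-drop: " drop
    }
}
```

Because new connections are accepted in one direction only, a compromised IoT device can answer the HA server but cannot scan or reach other hosts on the main LAN; the `iot-drop:` log lines show when it tries.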