Which hardware to buy - IR blaster

Excellent recommendation :+1: Will reconfigure the RMs right away.

1 Like

You can also just configure an open wifi directly in your case, as with the double layer snake oil :snake: your network access is unbreakable for most anyway!

I believe there are other attack vectors within a home network more worth the effort for potential intruders, in case someone really intends to break into a WiFi network, than looking for some WPA2 protected Broadlinks.

It is clear that you prefer ESPHome wherever you can which is fine.

Nevertheless it seems simply too far-fetched to talk down Broadlink IR-Blasters per se just because they are using WPA2 algorithms.

But then again, to each his own :wink:

1 Like

WPA2 can be sufficient if PMF is enabled. :white_check_mark:

If not (because it is not supported or wanted) it is enough for a bad actor to just de-auth your wifi client (like a broadlink device) and capture the handshake when it reconnects. A device which can do this is a $5 esp32 for example. The cracking of the handshake can then be conveniently done in the clouds :cloud:

But then again, if you have nothing to hide you can just use an open/unencrypted wifi :wink:
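Whether a network actually advertises PMF can be checked from the RSN element in its beacons. The following is an added example, not part of the thread: it parses an RSN element body (element ID 48) and reports the PMF state from the MFPR/MFPC capability bits. The sample byte strings are constructed for illustration and the function names are this example's own.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
AKM_NAMES = {2: "PSK", 6: "PSK-SHA256", 8: "SAE"}  # 00-0F-AC suite types

def parse_rsn(body: bytes) -> dict:
    """Parse an RSN element body (element ID 48, ID/length bytes stripped)."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN element")
        pos += n
        return body[pos - n:pos]

    def suites() -> list:
        (count,) = struct.unpack("<H", take(2))
        return [take(4) for _ in range(count)]

    if struct.unpack("<H", take(2))[0] != 1:
        raise ValueError("unsupported RSN version")
    take(4)              # group data cipher suite
    suites()             # pairwise cipher suites
    akms = suites()
    # The capabilities field is optional; if absent, no PMF bits are set.
    caps = struct.unpack("<H", take(2))[0] if pos < len(body) else 0
    return {
        "akms": [AKM_NAMES.get(s[3], "other") if s[:3] == IEEE_OUI else "vendor"
                 for s in akms],
        "mfpr": bool(caps & 0x0040),  # bit 6: management frame protection required
        "mfpc": bool(caps & 0x0080),  # bit 7: management frame protection capable
    }

def pmf_status(body: bytes) -> str:
    info = parse_rsn(body)
    if info["mfpr"]:
        return "required"
    return "optional" if info["mfpc"] else "disabled"

# Constructed sample RSN bodies (CCMP ciphers), not captures from any real network.
WPA2_NO_PMF = bytes.fromhex("0100000fac040100000fac040100000fac020000")
WPA2_PMF_OPT = bytes.fromhex("0100000fac040100000fac040200000fac02000fac068000")
WPA3_SAE = bytes.fromhex("0100000fac040100000fac040100000fac08c000")

if __name__ == "__main__":
    for name, ie in [("wpa2", WPA2_NO_PMF), ("wpa2+pmf", WPA2_PMF_OPT), ("wpa3", WPA3_SAE)]:
        print(name, parse_rsn(ie)["akms"], "PMF:", pmf_status(ie))
```

A result of "optional" means the AP accepts clients both with and without PMF, so a client that does not negotiate it still sends and receives unprotected management frames.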

I am not opposing the fact that WPA2 authentication can be cracked. That is all too well known.

What I don’t see is why some bad actor would want to bother to sniff out some Joe Average’s hidden SSID for IoT devices? Besides, no MAC address other than the known ones is allowed to connect to that network.

Thus as for the time being I see no urge to throw all RM’s away just to jump on the ESPHome train.

That’s simply a superfluous statement.

What’s all the FUD about? :thinking:

It might be a bright and sunny day but you don’t see it :person_shrugging: :sunny:

The average joe’s hidden wifi with mac positive list is nothing but snake oil. Both are not measures to secure a network. Decloaking hidden wifi or mac spoofing is nothing new. Joe certainly put his faith in the wrong people… :business_suit_levitating:

But again, what you (or joe) does with his private network is up to him. :tada:

The problem starts when suggesting to use broken/weak/obsolete WEP/WPA/WPA2 (without PMF) and furthermore making false claims that their weaknesses could be mitigated by hiding an SSID or limiting access by MAC. :bulb:

No FUD, just facts :muscle:

https://www.wi-fi.org/beacon/philipp-ebbecke/protected-management-frames-enhance-wi-fi-network-security

There is no way a device can connect using MAC spoofing unless it has physical access to the network or knows the address in advance. Even in the link you quoted it is explicitly mentioned “… in MAC address spoofing the response is usually received by the spoofing party if MAC filtering is not turned on making the spoofer able to impersonate a new device”.

2 Likes

If you make use of WPA2 without protected management frames (802.11w) all devices permanently broadcast their MACs in plain text. That means the MAC address is known in advance and physical access is not necessary. :house::no_entry_sign:

For the same reason (plaintext management frames) deauth attacks are possible :signal_strength::no_entry_sign:

[…] even when the session was established with Wired Equivalent Privacy (WEP), WPA or WPA2 for data privacy, and the attacker only needs to know the victim’s MAC address, which is available in the clear through wireless network sniffing.

to round :arrows_counterclockwise: it all up :arrow_up:

But WEP, WPA or WPA2 (without 802.11w) is not the way to go in 2024! :no_entry_sign:

The weakest link in your network is always the weakest device! It can be that you put all the snake oil :snake::oil_drum: techniques in place people with little expertise ramble about (mac positive list and what not) but still this all doesn’t mitigate the severe downgrade you do when not using WPA3 (or WPA2 with 802.11w) :warning:

In the end you might have 99 devices that support 802.11w and one broadlink device that isn’t capable. Depending on your AP you might need to downgrade all 100 devices to make use of WPA2 without PMF which greatly exposes your wireless communication and allows denial-of-service attacks that can’t be properly mitigated :put_litter_in_its_place:

A little bit like groundhog day… over 20 years ago I had people that just continued using their WEP only capable devices (like a roku internet radio)… not for too long as their network was compromised quickly. :boom:

Still you find “experts” that will still suggest to try WEP so you get your hardware with super sh*tty software support running - maybe… :person_facepalming:

There’s at least one report that changing to WEP made the SSID show up on the Roku.

@Tamsy I would highly suggest you talk to a professional for a second opinion. You probably will hear what you don’t want to hear… :hear_no_evil: But instead of dumping your broadlink device right away (and upgrading your wifi to make use of 802.11w) you could also just invest $2 and put an esp32-c3 (supermini) inside so the device can continue to do its thing for another decade or two in a safe way. Besides, you extend the functionality of your device, as it can also handle bluetooth this way and work as a proxy for HA, as an example :signal_strength:

Wow this thread has derailed quite a bit.

Anyways…

Brand: none
Model: ESP8285 based
Link to exact product: https://de.aliexpress.com/item/1005005777409596.html
Protocol: WIFI
HA Integration: ESPHome
In use since: 2022?
Number of this item in use: 1
Positive:

  • Easy to flash
  • Local
  • You can add more things to it
  • DIY
  • Dirt cheap
  • Very small

Negative:

  • DIY
  • No case

My rating (1-5, 1 being bad, 5 being super): 4.5
Comment: you can solder other components to the board, it’s not easy but it’s doable.
The LED can be desoldered and extended using cables.

Well, I am a professional working as a system integrator and system administrator for over 30 years now and I am surrounded by IT pros in a data center nearly every single working day :wink:

Nevertheless I regard using WPA2 authenticating devices until their “natural deaths” (caused by hardware failure) as still feasible at this time, and I am convinced the risk of my RMs getting de-authenticated within a guarded housing estate is negligible. Maybe I have to point out that I am not talking about WEP here.

BTW, I have quite a few ESPHome based devices including bluetooth-proxies in place already since I have started this HA-journey.