You may have seen in the news in the past couple of days that a WPA2 vulnerability has been discovered that can allow data to be sniffed from your WiFi network.
Most big equipment manufacturers are rolling out client patches to close the hole:
My concern is all the IoT devices that we’ll have installed in our homes - the WiFi Bulbs, the weird and wonderful ESP8266 based stuff that people are making, TVs, remote controls, Zigbee Hubs etc etc…
Clearly some IoT devices will not be sharing sensitive information… but many will.
Note that:
Both AP and clients need to be patched - just patching your router/AP is not enough
Check the link above for products that are already fixed
There are a few IoT manufacturers in the list, and they are all non-compliant so far:
This topic is to:
Bring KRACK to your attention. Done. See above
Allow people to post when they are aware of updated firmwares, libraries etc for WiFi connected devices so we can update…
This, https://www.engadget.com/2017/10/16/wifi-vulnerability-krack-attack/ was the first article that I read on this and in the last paragraph they say “That means if you patch your Android device and not your router, you can still communicate and be safe, and vice-versa.” This makes it sound like an update on either side will fix this problem. I assume they did a better job reading the official paper than I did, but that doesn’t mean they are correct. Just thought I would share. I hope this is the case because updating one device is a lot easier than updating everything else.
I read/like engaget but I think they got it wrong this time.
From the horses mouth:
Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!
Yeah - its pretty much as bad as it can be.
At home you can take measures to patch up or disconnect devices - or take the risk that you’re unlikely to be a target.
I wonder how high up the priority list patching is for hotels, cafes etc though.
Still at least using HTTPS/TLS adds another layer of encryption.
[joke]
The easiest fix for this is to use a firewall - get a huge plot, build a very high wall and put it on permanent fire so no one can receive your Wi-Fi signal!
[/joke]
But yeah this is pretty serious issue and paired together with issues in VPNs, HTTPS, it’s pretty much guaranteed that if someone wants to sniff your data - they have the tools to do so.
I’m just about to update (wpa supplicant specifically) my pi running raspbian so that at least that end of the equation is patched.
Dumb question, is there anything I have to do inside my virtual environment (venv) to make sure that’s patched? Or just update the packages of my pi overall?
No, there’s nothing you should do. This is at the OS level - i.e. WPA Supplicant. Your Venv doesn’t know whether you are running via Wi-Fi or wired connection. When you update your router and your Pi you should be good. I don’t know how things stand with Hass.io however.
