
    WPA2 KRACK security vulnerability in Duet WiFi

    • dc42 (administrators)

      By now most of you have probably heard of the KRACK (Key Reinstallation Attack) security vulnerability that has been discovered in the WPA2 encryption protocol used by WiFi devices. The vulnerability allows an attacker to read the content of a message transmitted wirelessly using WPA2 encryption.

      Like other wireless devices using WPA2, the firmware running on the ESP8266 WiFi module used in the Duet WiFi needs to be patched to avoid this vulnerability.

      Espressif (the makers of the ESP8266) are aware of the problem and have already issued a patch to the firmware. However, it appears that this patch causes the ESP8266 to no longer work with some routers. So they are working on an updated patch.

      We are tracking this and we will do a new release of DuetWiFiServer when the patch is stable. The new version will probably be compatible only with DuetWiFiFirmware 1.20beta1 and later. Although 1.20 is still in beta, users who are running beta 1 have reported it stable with no new issues.

      We don't regard the vulnerability as critical for most Duet WiFi users, because it does not allow the WPA key to be determined, only the encrypted messages to be read; and with the exception of the login password if you have configured one, the messages between the Duet and your PC do not normally contain confidential information. But of course we shall fix it when the patch is available. If you do use a login password, please do not use the same password for other accounts.

      Duet WiFi hardware designer and firmware engineer
      Please do not ask me for Duet support via PM or email, use the forum
      http://www.escher3d.com, https://miscsolutions.wordpress.com

      • T3P3Tony (administrators)

        It's also worth pointing out that all WiFi routers and other devices will need to be patched. Basically everything that "implements WPA2 correctly" has this vulnerability.

        Details here: https://www.kb.cert.org/vuls/id/228519

        www.duet3d.com

        • dc42 (administrators)

          Also worth pointing out that some devices, including Android-based devices and Linux-based clients, are much more vulnerable than others. It is not clear to me whether the ESP8266 also falls into this category.

          A more readable account of the vulnerability can be found at https://www.krackattacks.com.

          Unless otherwise noted, all forum content is licensed under CC-BY-SA