WPA2 KRACK security vulnerability in Duet WiFi

  • administrators

    By now most of you have probably heard of the KRACK (Key Reinstallation Attack) security vulnerability that has been discovered in the WPA2 encryption protocol used by WiFi devices. The vulnerability allows an attacker to read the content of a message transmitted wirelessly using WPA2 encryption.

    Like other wireless devices using WPA2, the firmware running on the ESP8266 WiFi module used in the Duet WiFi needs to be patched to avoid this vulnerability.

    Espressif (the makers of the ESP8266) are aware of the problem and have already issued a patch to the firmware. However, it appears that this patch causes the ESP8266 to no longer work with some routers. So they are working on an updated patch.

    We are tracking this and we will do a new release of DuetWiFiServer when the patch is stable. The new version will probably be compatible only with DuetWiFiFirmware 1.20beta1 and later. Although 1.20 is still in beta, users who are running beta 1 have reported it stable with no new issues.

    We don't regard the vulnerability as critical for most Duet WiFi users, because it does not allow the WPA key to be determined, only the encrypted messages to be read; and with the exception of the login password if you have configured one, the messages between the Duet and your PC do not normally contain confidential information. But of course we shall fix it when the patch is available. If you do use a login password, please do not use the same password for other accounts.

  • administrators

    It's also worth pointing out that all WiFi routers and other devices will need to be patched. Basically everything that "implements WPA2 correctly" has this vulnerability.

    Details here: https://www.kb.cert.org/vuls/id/228519

  • administrators

    Also worth pointing out that some devices, including Android-based devices and Linux-based clients, are much more vulnerable than others. It is not clear to me whether the ESP8266 also falls into this category.

    A more readable account of the vulnerability can be found at https://www.krackattacks.com.
