SmartThings Community

KRACK - WI-FI security has been breached, say researchers


(jkp) #1

https://www.krackattacks.com/


(Kirk Hilzinger) #2

The only choice I can do is hit the like button but I do not like this. Update your WiFi devices.


#3

(jkp) #4

LOL I was trying to add that link a few minutes ago but was blocked


#5

More on individual devices that are affected:

iOS devices are mostly OK, android devices 6.0 and above are mostly not. And google is time traveling again:

Google has officially issued a fix and says devices with a security patch level of November 6 2017 or later are protected against these vulnerabilities.

Don’t know how to update your router? See this:

https://decentsecurity.com/#/routerwifi-configuration/


(Ron Talley) #6

Yeesh man. Seems like we are never safe. Luckily, I am a nobody and therefor I have nothing to actually steel that worth the effort. :joy:


(Gary Leatherman) #7

Looks like we will need to hear from Samsung on what needs to be updated to secure our systems asap!


(Dan Swihart) #8

The smartthings hub doesn’t use WiFi to connect to devices does it? Everything is either wired, zigbee, zwave, and Bluetooth (not activated) Can someone else please confirm this?


#9

That is true for the hub itself. It does not have a Wi-Fi radio. However, there are Wi-Fi devices that can communicate with SmartThings either via cloud to cloud or by LAN, so those might be affected. For example, WeMo devices.

In addition, many people run their mobile devices on Wi-Fi when they are home, so their connection to the SmartThings cloud from the SmartThings app would be by Wi-Fi.

In all these cases, it would be the manufacturer of the device with the Wi-Fi Radio that would have to issue a patch, not SmartThings.

But it certainly an issue which is likely to be of concern to most people who have SmartThings accounts. :sunglasses:


(Kirk Hilzinger) #10

I think this will be mostly things that work with SmartThings that work off of WiFi, like Ecobee, Nest, Ring, Phillips Hue, Logitech, smart appliances, etc. Anything you joined to your wireless network is at risk.

Z-Wave and Zigbee are not on WiFi as they are different protocols and work at layer-2 with your hub being the thing that accesses the Internet, though Zigbee uses the same frequencies. SmartThings is wired so it would be immune.

The problem is the 3rd step on the 4-way handshake in wireless with clients accepting zeroed keys. That means clients are at risk. Update those clients, especially your phones. If these WiFi smart devices are not used for accessing your personal data, I would not be as worried because it is basically a man in the middle attack where a device that is compromised acts as a go-between between the target device and your wireless access point. I use different web site passwords for my Smart devices at home than I do for my bank and other web sites.

I am actually thinking about adding another SSID to my wireless and moving all my home devices to it and putting them on a separate VLAN with some sort of rudimentary firewall between that VLAN and my normal VLAN to further isolate any potential issues…but I am a network engineer and I can do those things. At a minimum, it might not be a bad thing to use at least a separate SSID to isolate IoT devices from user devices since users can get into a lot of trouble with some of the sites they visit.

My 2 cents…adjusted for inflation.


#11

I use a completely separate wi-Fi network for my home automation than for anything else, not out of fear of hackers, but just in case there’s some runaway denial of service glitch on either system that I don’t want to affect the other. :sunglasses:

But in my case, I am quadriparetic, and much of the technology in my home is performing essential tasks and I do invest extra time, money, and devices to keep it as reliable as I can.

But I’m also a network engineer, so I’m sure I tend to overcomplicate things somewhat occasionally. :wink: