**WiFi WPA2 "KRACK" patch**
Implemented
In light of the publicly reported (10/16/2017, CVE-2017-13077 through CVE-2017-13088) WPA2 KRACK security vulnerability, I urge the RainMachine development team to provide the necessary firmware/app updates ASAP.
Thanks for addressing this promptly.
(I reiterate my former suggestion that RainMachines also be provided with an Ethernet port so that a more secure and reliable wired connection is possible.)
-
Official comment
Hi,
We are in the process of evaluating the impact of this vulnerability on our devices. Since we aren't using the same versions of the software deemed vulnerable, we must investigate in the source code whether this vulnerability applies to any of our devices, as no existing exploit is available to test with.
The vulnerability would allow an attacker to see the traffic between the user's access point and the RainMachine device. There is no sensitive data being exchanged by RainMachine and, without considering the Remote Access service, RainMachine only *receives* data from the well-known weather providers over secure HTTPS. No data is *sent*.
The optional Remote Access connection is encrypted with SSL but doesn't use HTTPS, and it's not vulnerable to the HTTP downgrade attack exemplified in this vulnerability. This remote access connection is authenticated by our servers on both ends, with client and server certificates, and it's always encrypted.
On top of all this we have another layer of security: the device password and tokens, which are required for any actions.
Without minimizing the possible impact of this vulnerability, the attacker must be in range of the device, emulate your access point and then disconnect the device from the user's access point. The attacker must also know the MAC address of the device. After this sequence succeeds, the attacker could be able to manipulate the packets being *sent*.
-
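The attack sequence in the official comment above (spoof the access point, then force the device to re-run part of the handshake) is what makes captured traffic readable: KRACK makes the client reinstall an already-in-use key, and 802.11 resets the packet number (PN) when a key is installed. Since CCMP derives its per-frame keystream from the key and the PN, two frames encrypted under the same (key, PN) pair share a keystream, which an attacker in range can cancel out with one frame of known plaintext. The script below is an added illustration of that mechanism, not code from RainMachine or from this thread. It is a model, not real CCMP: the keystream is a SHA-256 stand-in for AES-CTR so it runs on the standard library alone, and the key, frame contents, handshake handling and the `Station` class are all constructed for the demo.

```python
import hashlib
from itertools import count


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Toy stand-in for CCMP's AES-CTR keystream (assumption: NOT real CCMP).

    Real CCMP builds the CTR nonce from the 48-bit PN; here each keystream
    block is SHA-256(key || PN || block counter), which has the same property
    that matters: same key + same PN => identical keystream.
    """
    out = bytearray()
    for block in count():
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal model of a WPA2 client's session state: temporal key + transmit PN."""

    def __init__(self, tk: bytes):
        self.tk = tk
        self.pn = 0
        self.install_key(tk)  # handshake message 3 arrived, key installed

    def install_key(self, tk: bytes) -> None:
        # 802.11 requires the PN to restart when a key is installed. KRACK abuses
        # this by making the client install the *same* key a second time.
        self.tk = tk
        self.pn = 0

    def send(self, plaintext: bytes):
        pn = self.pn
        self.pn += 1
        return pn, xor(plaintext, keystream(self.tk, pn, len(plaintext)))


def on_handshake_msg3(sta: Station, tk: bytes, retransmitted: bool, patched: bool) -> None:
    """Client handling of a 4-way handshake message 3 (constructed model).

    The fix shipped by patched supplicants is conceptually this: once the PTK is
    in use, a retransmitted message 3 must not reinstall it.
    """
    if retransmitted and patched:
        return  # key already in use: acknowledge, but leave PTK and PN alone
    sta.install_key(tk)


def run_scenario(patched: bool, known: bytes, secret: bytes):
    """Return the plaintext an eavesdropper recovers, or None if the PNs differ.

    `known` is a frame whose content the attacker can guess (e.g. a fixed
    request prefix); `secret` is a later frame the attacker wants to read.
    Both are constructed sample data and must be the same length here.
    """
    tk = hashlib.sha256(b"constructed PTK material for demo").digest()[:16]
    sta = Station(tk)
    pn1, c1 = sta.send(known)                 # PN 0
    # Attacker, spoofing the AP, replays handshake message 3 to the client.
    on_handshake_msg3(sta, tk, retransmitted=True, patched=patched)
    pn2, c2 = sta.send(secret)                # PN 0 again on a vulnerable client
    if pn1 != pn2:
        return None                           # distinct keystreams, XOR trick fails
    # c1 ^ c2 = (p1 ^ ks) ^ (p2 ^ ks) = p1 ^ p2, so p2 = c1 ^ c2 ^ p1.
    return xor(xor(c1, c2), known)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False, b"GET /weather", b"secret-token"))
    print("patched:   ", run_scenario(True, b"GET /weather", b"secret-token"))
```

The attacker never learns the key; reusing the PN is enough, which is why the thread's point that the device password and the TLS layers still matter is reasonable for confidentiality of the payload, while the nonce reuse itself is only closed by the firmware fix that refuses to reinstall an in-use key.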
I am not sure I agree with RainMachine's assessment that they may not be affected. The vulnerability affects ANY device using WPA2. Period. Therefore a RainMachine device is affected, and can therefore compromise other devices on the network. So, trying to cop out of a fix is misleading to the end users.
Please update the firmware ASAP.
Thank you.
-
Pierre,
I'm sorry that I left that impression, but it wasn't our intention to "cop out"; I wanted to reassure users that, even if vulnerable, there are still other security measures that offer protection. As you mention, most likely all devices using WPA2 are affected in one way or another.
-
It's been 2 months and not a peep from RainMachine. The manufacturers for all my devices have provided a patch except ..... RainMachine. Does RainMachine understand the urgency of providing a patch for a security vulnerability? Two months is plenty of time to write a patch, unless of course you don't understand programming. Do we have to resort to social media? I am sure that would get the attention of RainMachine's executives.
-
Hi Pierre,
We have the patch ready, included in the next update, which should be released in the beta channel this week. This update has been extensively tested, but since there are many new features along with the WiFi stack change, we will keep it in beta for at least 2 weeks to get better coverage of the different WiFi access points customers use.
-
Hi,
The beta version of the next update is now available and includes the fixes for the WPA2 KRACK vulnerabilities: https://support.rainmachine.com/hc/en-us/articles/230333608
If you encounter any WiFi issues with this beta, please let us know.
-
Hi Pierre,
The current beta is being updated and released as stable, but we are restricting how many users can get the stable update at once; then we pause the stable release and evaluate the updated units. Since we are changing the WiFi stack, we don't want to risk releasing the update to all users at once.