The Industrial Raspberry Pi Forum

Hi,

I just found a news alert that WIFI WPA2 Security might have been compromised.

Here's the source, multiple security news refer to it.
https://www.krackattacks.com

Heise News (German) In Short: Especially when using wpa_supplicant the WIFI connection seems to be vulnerable. So that applies to Rev Pi, too. According to the news, it's not possible to get the key itself, but to read the transmissions.
If one would use WIFI as only source of security, this is likely to be a great risk. Encrypting the transmitted communication or payload (SSH or HTTPS) is important.

I'm pretty glad Rev Pi offers hardware encryption so we can get the transmissions pretty safe.

@kunbus I'd love to see some webinar about how this can be used in sample applications.

Cheers,
Boris

Boris Crismancich wrote:In Short: Especially when using wpa_supplicant the WIFI connection seems to be vulnerable. So that applies to Rev Pi, too. According to the news, it's not possible to get the key itself, but to read the transmissions.

My 2 cents:

1. the RevPi does not come with Wifi out the box. So no problem, unless you add a wifi stick or connect to the Pi via a wireless device.
2. it is in my opinion better to assume, that every message send by a wireless device can and will be logged by someone. Therefore: if you want security: use a wired connection from end to end. Otherwise use SSH and HTTPs (as mentioned by you).

Yes you're right. Cable LAN ist not affected of course.

I had a chat with a security expert today. He said the breach would even allow adding data to the conversation. Any WIFI device in the network can open a vector for attackers.

I totally agree with Timo that it should become common sense that anything - even in internal Network or WIFI - should happen in a secured and encrypted way.

"This application is only in our internal network and does not need encryption." is absolutely wrong. For me one thing is very interesting: Even encrypted information may be a security risk. This is in case a device will only transmit data to a certain system in case of an event: Let's say you have a factory, where a Rev Pi with a camera does a quality check every time a product is ready and sends an encrypted update to the stock management system via TCP. In this case, you can't see whats inside this message because it's encrypted. But when you know the factory, you can just count the messages. Then you see how many products they produce, what their current production speed is and maybe you learn about the production capacity and their order situation. This is highly sensitive information. So although IIoT lets you create solutions much faster, easier and cheaper than old school industrial solutions, you have to wrap your brain around security and really invest some time here.