11WPA2 security flaw - is eero impacted?
Hi there - I have been using my Eero (1st gen) for 6 months now and absolutely love it. I recently noticed a variety of news around a security flaw found in the WPA2 protocol which sounds very concerning (e.g. link to zdnet here).
1. Does this apply to Eero?
2. If so, what is Eero doing about it?
-
Hi everyone!
We're happy to share that starting tonight, users can update their networks to eeroOS 3.5, which contains the patch to address the KRACK WPA2 vulnerability. As always, this update will be automatically installed to your network, however, you are free to manually push it if you'd like. To do so:
- Open the eero application
- Tap on the menu option in the top left corner
- Tap on Network Settings
- Scroll to the section titled Network software
- If you see the option Update available, you can tap that and update your network to the latest OS version
For more, visit the eero blog: https://blog.eero.com/krack-update-fix-available-eero-ota/
-
Jeff C. Awesome, thanks! And like always, the update was super easy and only took a few moments. Everything's back up and running in a KRACK-free network!
-
+1. This is hitting all the news sites, so brace yourselves, eero team...
-
More information can also be found here: https://www.krackattacks.com
-
I would imagine it does affect the eero. Hopefully like Microsoft (that already announced they already patched it) the eero team will also be super quick about this. No reason to think otherwise. :D
-
Well, it's been about 6.5 hours since official announcement of the vulnerability and eero didn't release any statement. Based on information available at https://www.kb.cert.org/vuls/id/228519 , eero wasn't even notified prior. So, my estimates are that firmware will be available in couple weeks... I want to be wrong about this.
-
+1 I want to know how vulnerable my Eero is at this point. Could Eero please put out an official statement on the matter! This is core to your business after all.
-
Yes, #infosec is on fire. However, the media tends to exaggerate things and misreport.
-
According to https://www.cbsnews.com/news/wi-fi-security-flaw-wpa2-protocol-hijack-krack-attack/ :
Aruba, Ubiquiti, and Eero are said to have patches available, according to sources we spoke to at the time of writing.
-
Hi everyone —
Thanks for checking in. We are aware of the KRACK vulnerability and our team is working to determine what next steps are necessary. As soon as we have more information, we will be sure to pass it along.
We will also have a blog post available later today with more information on our findings, as well as updates to what actions are being taken.
Your privacy and security are of most importance to us. Thanks again.-
Thanks everyone for reaching out and for your support. We have a patch currently in beta.
Please see the following blog post for more details: https://blog.eero.com/krack-update-1-fix-beta/
-
Jeff C. Thank you for the update.
What does Eero 3.5 patch mean for unpatched devices connected to Eero? Is it purely for Eero talking to each other? Or does it eliminate KRACK vulnerability for unpatched devices connecting to a patched Eero?
-
nutmac
Thanks for the question. With our patch, your eero network should be protected against the KRACK security flaw. However, considering that the vulnerability affects pretty much all WiFi connected devices, we highly recommend updating any connected devices as soon as an update is available.
As per Ars Technica, the attack can be targeted at both an AP or client device.
The researcher went on to say that the weakness allows attackers to target both vulnerable access points as well as vulnerable computers, smartphones and other types of connecting clients, albeit with differing levels of difficulty and effectiveness.
There are some other good recommendations in that article, so we definitely recommend reading it all the way through if you are curious.
For additional details, visit the official KRACK FAQ.
-
-
Open Mesh says they'll release a patch tomorrow and to disable 802.11r in the meanwhile. Don't think that's available to us eero users, but perhaps they can use this workaround for us until our gear is updated.
-
KRACK update 1: fix in beta: https://blog.eero.com/krack-update-1-fix-beta/
-
Update released https://support.eero.com/hc/en-us/articles/209636523-eero-Software-Release-Notes
eeroOS-v3.5.0-312 - Released October 17, 2017
- KRACK WPA2 Vulnerability Patches
- Fix potential vulnerability in dnsmasq
- System stability improvements
- Bug fixes
