11

WPA2 security flaw - is eero impacted?

Hi there - I have been using my Eero (1st gen) for 6 months now and absolutely love it.  I recently noticed a variety of news around a security flaw found in the WPA2 protocol which sounds very concerning (e.g. link to zdnet here).

1. Does this apply to Eero?

2. If so, what is Eero doing about it?

17 replies

    • eero Community Manager
    • Jeff_C
    • 7 yrs ago
    • Official response
    • Reported - view

    Hi everyone!

    We're happy to share that starting tonight, users can update their networks to eeroOS 3.5, which contains the patch to address the KRACK WPA2 vulnerability. As always, this update will be automatically installed to your network, however, you are free to manually push it if you'd like. To do so: 

    1. Open the eero application 
    2. Tap on the menu option in the top left corner
    3. Tap on Network Settings
    4. Scroll to the section titled Network software
    5. If you see the option Update available, you can tap that and update your network to the latest OS version

    For more, visit the eero blog: https://blog.eero.com/krack-update-fix-available-eero-ota/

      • Gravity Brings Me Down...
      • stevebaker
      • 7 yrs ago
      • Reported - view

      Jeff C. Awesome, thanks! And like always, the update was super easy and only took a few moments. Everything's back up and running in a KRACK-free network!

    • tc60045
    • 7 yrs ago
    • Reported - view

    +1.  This is hitting all the news sites, so brace yourselves, eero team...

    • account443322
    • 7 yrs ago
    • Reported - view

    More information can also be found here: https://www.krackattacks.com

    • Gator
    • 7 yrs ago
    • Reported - view

    I would imagine it does affect the eero. Hopefully like Microsoft (that already announced they already patched it) the eero team will also be super quick about this. No reason to think otherwise. :D

    • sashk
    • 7 yrs ago
    • Reported - view

    Well, it's been about 6.5 hours since official announcement of the vulnerability and eero didn't release any statement. Based on information available at https://www.kb.cert.org/vuls/id/228519 , eero wasn't even notified prior. So, my estimates are that firmware will be available in couple weeks... I want to be wrong about this.

    • samsoir
    • 7 yrs ago
    • Reported - view

    +1 I want to know how vulnerable my Eero is at this point. Could Eero please put out an official statement on the matter! This is core to your business after all.

    • Stay Vigilant #NSA is always watching!
    • rlocone
    • 7 yrs ago
    • Reported - view

    Yes, #infosec is on fire.  However, the media tends to exaggerate things and misreport.  

    • Fluffer
    • Lightning
    • 7 yrs ago
    • Reported - view

    According to https://www.cbsnews.com/news/wi-fi-security-flaw-wpa2-protocol-hijack-krack-attack/ :

    Aruba, Ubiquiti, and Eero are said to have patches available, according to sources we spoke to at the time of writing.

    • eero Community Manager
    • Jeff_C
    • 7 yrs ago
    • Official response
    • Reported - view

    Hi everyone —

    Thanks for checking in. We are aware of the KRACK vulnerability and our team is working to determine what next steps are necessary. As soon as we have more information, we will be sure to pass it along.

    We will also have a blog post available later today with more information on our findings, as well as updates to what actions are being taken.

    Your privacy and security are of most importance to us. Thanks again.

      • eero Community Manager
      • Jeff_C
      • 7 yrs ago
      • Reported - view

      Thanks everyone for reaching out and for your support. We have a patch currently in beta.

      Please see the following blog post for more details: https://blog.eero.com/krack-update-1-fix-beta/

      • nutmac
      • 7 yrs ago
      • Reported - view

       Jeff C. Thank you for the update.

      What does Eero 3.5 patch mean for unpatched devices connected to Eero? Is it purely for Eero talking to each other? Or does it eliminate KRACK vulnerability for unpatched devices connecting to a patched Eero?

      • eero Community Manager
      • Jeff_C
      • 7 yrs ago
      • Reported - view

      nutmac  

      Thanks for the question. With our patch, your eero network should be protected against the KRACK security flaw. However, considering that the vulnerability affects pretty much all WiFi connected devices, we highly recommend updating any connected devices as soon as an update is available.

      As per Ars Technica, the attack can be targeted at both an AP or client device.

      The researcher went on to say that the weakness allows attackers to target both vulnerable access points as well as vulnerable computers, smartphones and other types of connecting clients, albeit with differing levels of difficulty and effectiveness.

      There are some other good recommendations in that article, so we definitely recommend reading it all the way through if you are curious.

      For additional details, visit the official KRACK FAQ.

    • jjwolf
    • 7 yrs ago
    • Reported - view

    Open Mesh says they'll release a patch tomorrow and to disable 802.11r in the meanwhile. Don't think that's available to us eero users, but perhaps they can use this workaround for us until our gear is updated.

    • Fluffer
    • Lightning
    • 7 yrs ago
    • Reported - view

    KRACK update 1: fix in beta: https://blog.eero.com/krack-update-1-fix-beta/

    • Fluffer
    • Lightning
    • 7 yrs ago
    • Reported - view

    Update released https://support.eero.com/hc/en-us/articles/209636523-eero-Software-Release-Notes

    eeroOS-v3.5.0-312 - Released October 17, 2017

    • KRACK WPA2 Vulnerability Patches
    • Fix potential vulnerability in dnsmasq
    • System stability improvements
    • Bug fixes

Content aside

  • 11 Likes
  • 7 yrs agoLast active
  • 17Replies
  • 1290Views
  • 20 Following