Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Well that sucks. I have probably 20 esp8266 chips around the house doing various things (when you can get an MCU for like $2, you find a lot more uses!), but I don't think any of them really need to worry about this aside from the DoS attacks taking them offline. I'll need to maybe look into some alerts when they start going offline, but not much.

I'm not familiar with the Enterprise WPA2 stuff. Is it widely used in high security environments or "enterprise" areas? and is the ability to gain control over a device on those networks a big deal?

Enterprise WPA2 always seemed crazy complex, and the fact that many devices can't even seem to do WPA2 Personal completely correctly, I never had a good feeling about the Enterprise stuff.



I don't have any experience with Enterprise Wifi, but according to the article:

> This practically means that unpatched ESP devices are more secure by actually using just WPA2 Personal.

This is good for all of us DIY'ers that are only using Personal WPA2 - the worst we're exposed to is targeted DOS attacks.


Wonder if WeWork is on WPA2 Enterprise? Although they probably have Broadcom chipsets doing the work.


> I have probably 20 esp8266 chips around the house doing various things

How do you power them all? 20 AC adaptors or battery/solar or something?


A few are powered by mains (I have a habit of using them to automate "dumb" appliances. So I put one in a cheap dehumidifier in place of the physical on switch), and the rest with repurposed small lithium ion rechargable batteries meant to be used with drones.

The battery powered ones need to be careful with how they sip power, but in most cases I can rig something up to get them to last. And the batteries I got off eBay all came with their own USB charger, so like 30 minutes of charging every few months and they are good.

I want to look into solar, but I just haven't had time to tinker with it yet.


> I'm not familiar with the Enterprise WPA2 stuff.

WPA2 Enterprise doesn't use a preshared key, instead relying on something like RADIUS Authentication to validate usernames/passwords and then providing a custom key.

If you uses your Active Directory credentials to login to corporate WiFi then you're using WPA2 Enterprise.


yes, what was discovered is that no matter what master key was exchanged after the radius authentication, the attacker can still hijack the device.


Reading carefully the documents presented by the author Enterprise mode seems to be even less secure than the normal WiFi mode. Quite ironic I agree.


Enterprise requires everyone to use a different key while wireless communication in a group wants traffic to be possible between the clients directly and broadcasted. That’s conflicting.


That's like E-TLS. The enterprise version of TLS.


It feels somewhat irresponsible to not have some scare quotes or a disclaimer or something in there. There's probably some people who are just learning about "enterprise TLS" who don't know that it's hobbled: https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-s...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: