not capable of running Linux? There is such a high percentage chance that it is running some embedded variant or custom modified version on the hardware.
None of the responses I have seen so far are adequate - this is why IoT stuff is laughed at.
get with the hardware vendor and have someone who knows what they’re doing actually look at the exploit and CONFIRM with the technical details that the exploit doesn’t the way the low level wifi handling works, or confirm that it could be exploited and post details of plans to FIX IT with mitigating steps to take during the wait.
the responses i’ve seen on twitter of “don’t worry” and the responses here are not adequate.
The help page article linked above ("WPA2 KRACK Attack. Huge new security bug that pretty much everyone needs to solve") is pretty weak
for the gen1 the hardware vendor has responded with the appropriate technical details, but no guidance on how patches or upgrades to the underlying OS are pushed by rachio, is this automatic? does the user need to do something?
for the gen 2…nothing, consulting with the people who developed and have an understanding of the actual hardware and the low level software. So there is no answer as to if this vulnerability affects gen2. It is disingenuous to tell customers not to worry without telling them the truth.
you can say AS WE UNDERSTAND IT NOW there is little reason to be concerned in the immediate future as you would have to be specifically targeted.
The ripples of this vulnerability are going to last a long time. because it is brand new it will take some time for attackers to figure out ways to utilize it in a broader attack sense, by that time the responsible companies will have patched it and it will just be attacking the leftover internet of things crap that don’t take this sort of thing seriously.
this is going to be a long lasting attack vector that should be taken seriously. is someone going to hack you tomorrow? probably not. is the rachio data “important” even if someone possibly exploited “just your sprinkler times” i’ve seen mentioned is all that’s at risk…not true. can rachio say with certainty and provide technical proof that this can’t be exploited to gain access to your network and wreak havoc on your home network computers?
having a fast and transparent and technically sound response to a vulnerability that affects pretty much everyone should be a layup for a company that provides a technical product with a web service and app. look into it, provide mitigating advice in the meantime, provide fix or technical confirmation that your device is not vulnerable. very easy.
the issue with IoT devices like this is they outsource the hardware and the low-level software that goes on it. or use some COTS hardware with little concern over security items as long as they can sell their service/product. They don’t ever anticipate it changing or needing to change it or update the device OS/firmware.
The responses to a bug like this should shape consumers’ opinions of the companies they choose to do business with. If a company is silent on this bug, or tells you it’s not a big deal and doesn’t explain how they’ll fix it, or how they are CERTAIN it doesn’t affect their product, then you should be very wary of doing business with that company in the future, because they just don’t have your best interest in mind.
if they don’t want to talk about it, they don’t make a clear statement on it outlining actions being taken or technical confirmations. it doesn’t take much to spin up a lot of IoT type of products. get some hardware platform, hack it up to do what you need, and then get web dev guys to make some backend with bootstrap and data visualization libraries then get some app devs and you have a business. notice in there the lack of focus on security or protecting user data…it’s optional to some. then something like this happens, and this is where consumers need to look at these responses and decide for themselves if you feel comfortable