For those who want to get a better idea of what this is all about, here is a nice video dealing with some technical aspects in a more friendly matter:
The point, as I understand it, is that in order for this attack to work the network traffic has to be different each time the “key” is reset. What this means is that if someone has encoded “Hello” using the key and then encrypted “Aloha” using the same key; attacker would be able to figure out the key by applying xor to the two different streams, explanation @ 6:31 (link).
What to take from this:
- Each individual connection between the client and the router is encrypted seperately
What this means: If someone cracks Rachio’s wifi encryption, they will only be able to see data from Rachio, all other devices on the network are still encrypted and Rachio does not reduce their security (your windows laptop is still safe). - This does not affect other levels of encryption
What this means: since rachio is using SSL to encrypt the data on top of the WPA2 wifi encryption, the attacker will only be able to get the SSL data stream, useless without a proper decryption key. - Rachio is secure as is
Explanation: Because rachio controller is only using SSL (never unencrypted data), data will be randomized due to use of a random symmetric session key and xor commands needed for KRACK to operate will yield random noise.
In conclusion: using HTTPS as much as possible is important (especially for your bank, email, etc…); worrying about your sprinkler for this attack is less so.
Cheers,
Gene