On October 16, 2017, security researchers revealed a widespread WiFi security exploit known as KRACK that makes the common WPA2 wireless security protocol vulnerable to attack. Your Konnected devices, like most WiFi enabled devices in your home, are affected by this newly discovered security flaw. However, we believe that most Konnected users are at very low risk, and we do not believe you need to take any action at this time. This article details the specifics of the vulnerability and the risks it poses to Konnected users, as well as our plan for addressing the problem. This page will be updated as we make progress on that plan.
KRACK and Konnected
Konnected devices communicate to SmartThings in two different ways:
- Directly to the SmartThings Cloud via HTTPS secured API requests
- Over your local LAN to your SmartThings hub over unencrypted WiFi
Status updates from your security system sensors, such as open/close events or motion events, are transmitted directly to the SmartThings Cloud over HTTPS secured traffic. This means that even using the KRACK exploit, attackers would not be able to eavesdrop on your sensor status.
However, because the local LAN traffic is not encrypted, the KRACK exploit may allow a malicious person in physical proximity to your WiFi network to eavesdrop on traffic between your Konnected device and your SmartThings hub. This local communication is only used in a few circumstances:
- When configuring the pins/zones via the Konnected SmartApp
- When triggering the siren, door chime or switch
- When the SmartThings hub is discovering new Konnected devices
The largest risk is in the first case above: when configuring pins/zones in the Konnected SmartApp, the SmartApp passes Konnected an OAuth token. If this token were compromised, the attacker could gain partial access to your SmartThings account (the same level of access that the Konnected app has).
We believe this risk to be very low for most users for the following reasons:
- The KRACK exploit requires close proximity to execute, meaning that the attacker would have to be within WiFi range of the Konnected device. In most residential installations, it would be exceedingly unlikely that a sophisticated WiFi hacker would target a home WiFi network.
- The exchange of the sensitive OAuth token only takes place when you use the Konnected SmartApp to save or update the pin/zone assignments or update the settings of a device. During normal monitoring operation, the Konnected device only communicates over HTTPS secured traffic to the SmartThings Cloud, which is not vulnerable to KRACK exploits.
Konnected is built on top of open source software and hardware libraries and SDKs that are maintained by hundreds of developers all over the world. In this case, the KRACK exploit is a flaw in the underlying WPA2 security protocol, which in this case is implemented by the maker of the WiFi chip. Konnected devices use the Espressif ESP8266 WiFi microprocessor, and Espressif has already created a fix for the KRACK exploit.
It will take some time, however, for the WiFi chip SDK fix from Espressif to make its way into a usable firmware update for Konnected. The Konnected firmware is built on top of the open-source NodeMCU firmware, and an issue is already open there for this new release.
Once a new NodeMCU firmware build is available, we’ll work on a fix in the form of a Konnected firmware update.