As you may be aware, there is a recently discovered key reinstallation attack against WPA2 (used to secure wireless networks) that can allow an attacker to decrypt or spoof wireless traffic. For more details see https://www.krackattacks.com/
The wireless software in PiAware sdcard images (and more generally in Debian/Raspbian) - wpasupplicant - is affected by this. Mitigating this is that the security-sensitive parts of PiAware (the connection to FlightAware, and ssh access) are separately encrypted, so losing the wireless encryption layer is not a massive problem.
To update to a version that prevents the attack, you can do one of the following things.
Upgrade to PiAware 3.5.3
If you are using a PiAware sdcard image, upgrading to 3.5.3 will also install an updated version of wpasupplicant that fixes the problem. See https://flightaware.com/adsb/piaware/upgrade for instructions.
Reimage with a new sdcard image
The current PiAware 3.5.1 bis sdcard image includes an updated version of wpasupplicant that fixes the attack. This sdcard image is available at https://flightaware.com/adsb/piaware/build. It is a rebuild of 3.5.1 with updated versions of the Raspbian packages, but otherwise has no changes to PiAware.
If you reimage, a new feeder site will be created. To continue feeding to your old site:
- Find the “Unique Identifier” shown on your old site’s stats page and record it
piaware-config.txton the sdcard from another machine (e.g. your PC) and add this line at the end, using that unique identifier:
- Save your changes and safely remove/eject the sdcard
Upgrade wpasupplicant on an existing install
This requires command-line access, either by logging in with an attached keyboard+monitor, or by logging in via ssh. This will work for both sdcard images and Raspbian package-based installs.
$ sudo apt-get update $ sudo apt-get install wpasupplicant $ sudo reboot
To verify that you have the fixed version of wpasupplicant:
$ dpkg -l wpasupplicant Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-=============================================-===========================-===========================-=============================================================================================== ii wpasupplicant 2.3-1+deb8u5 armhf client support for WPA and WPA2 (IEEE 802.11i)
2.3-1deb8u4 and older are vulnerable. Versions
2.3-1deb8u5 and newer are fixed.