PiAware & KRACK


As you may be aware, there is a recently discovered key reinstallation attack against WPA2 (used to secure wireless networks) that can allow an attacker to decrypt or spoof wireless traffic. For more details see https://www.krackattacks.com/

The wireless software in PiAware sdcard images (and more generally in Debian/Raspbian) - wpasupplicant - is affected by this. Mitigating this is that the security-sensitive parts of PiAware (the connection to FlightAware, and ssh access) are separately encrypted, so losing the wireless encryption layer is not a massive problem.

To update to a version that prevents the attack, you can do one of the following things.

Upgrade to PiAware 3.5.3

If you are using a PiAware sdcard image, upgrading to 3.5.3 will also install an updated version of wpasupplicant that fixes the problem. See https://flightaware.com/adsb/piaware/upgrade for instructions.

Reimage with a new sdcard image

The current PiAware 3.5.1 bis sdcard image includes an updated version of wpasupplicant that fixes the attack. This sdcard image is available at https://flightaware.com/adsb/piaware/build. It is a rebuild of 3.5.1 with updated versions of the Raspbian packages, but otherwise has no changes to PiAware.

If you reimage, a new feeder site will be created. To continue feeding to your old site:

  1. Find the “Unique Identifier” shown on your old site’s stats page and record it
  2. Edit piaware-config.txt on the sdcard from another machine (e.g. your PC) and add this line at the end, using that unique identifier:
  1. Save your changes and safely remove/eject the sdcard

Upgrade wpasupplicant on an existing install

This requires command-line access, either by logging in with an attached keyboard+monitor, or by logging in via ssh. This will work for both sdcard images and Raspbian package-based installs.

$ sudo apt-get update
$ sudo apt-get install wpasupplicant
$ sudo reboot

To verify that you have the fixed version of wpasupplicant:

$ dpkg -l wpasupplicant
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                          Version                     Architecture                Description
ii  wpasupplicant                                 2.3-1+deb8u5                armhf                       client support for WPA and WPA2 (IEEE 802.11i)

Versions 2.3-1deb8u4 and older are vulnerable. Versions 2.3-1deb8u5 and newer are fixed.