
Trying to deploy WPA3 on my home network - ynezz
https://gist.github.com/est31/d92d17acbb4ea152296f9b38764cd791
======
voltagex_
Worried enough about security to deploy WPA3, but still uses a Galaxy S2? Even
with LineageOS, aren't you still using ancient device drivers?

~~~
cbhl
Device drivers don't usually need to be updated unless the driver interface
changes (i.e. when you update the Linux kernel) or the driver needs to be
updated to accommodate quirks of new software (i.e. graphics drivers and new
video games).

They probably do want to be getting the latest security patches to the kernel
and base OS.

~~~
jtl999
I remember the creator of CopperheadOS claiming the "Nexus 5" (which is EOL)
is _not_ secure because of hardware (baseband?) vulnerabilities that wouldn't
be trivial to fix.

Citation:
[https://twitter.com/DanielMicay/status/1058103333414522880](https://twitter.com/DanielMicay/status/1058103333414522880)

~~~
ech000
Can anyone recommend a post that introduces these kind of issues for Android
outsiders?

I assumed Android ROMs carry a fully fledged distribution, including the
kernel and firmware. Sure, the latter might be out of date.

When I tried digging into the question "where does this so-called open source
come from", I stumbled upon Kernels that basically have one commit adding the
whole blob.

Is the ROM merely the application software built for a target kernel (which is
persistent on the device)?

I've hacked around with Kernel modules on Android before, but miss the big
picture in that regard.

Edit: especially the new update infrastructure (treble?), Does it change
anything here?

~~~
voltagex_
The ROM is kinda an inaccurate term for the whole "blob" of binaries that gets
copied to eMMC (or similar) storage. This can include multiple partitions,
firmware updates (including for your baseband) etc.

The device kernel is a fork of
[https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/)
or more accurately
[https://source.android.com/devices/architecture/kernel/andro...](https://source.android.com/devices/architecture/kernel/android-
common) at the end of the day. The "whole thing as one commit" is just people
not caring enough to maintain source history.

Treble seems to mean that the software can be updated separately from the
drivers and the firmware - [https://www.androidauthority.com/project-
treble-818225/](https://www.androidauthority.com/project-treble-818225/), it
could actually make things worse in terms of out of date drivers and firmware.

------
AlyssaRowan
Use WPA3-Enterprise (you can use Let's Encrypt to get a valid certificate so
it works fine in a home environment).

Don't use SAE (which is, indeed, an instantiation of Dragonfly). I have a
strong suspicion that the way it is used, there will be a practical attack.

~~~
zokier
Or just use WPA2-Enterprise, afaik there are no pressing security needs to
upgrade to WPA3 if you are using EAP, and it is widely supported out of the
box

~~~
xenithorb
The problem with this I found for home use is that IoT devices don't typically
support enterprise modes. And without PSK you just flat-out can't use those
devices with WiFi

~~~
zokier
Still, I imagine lot more devices support WPA2-EAP over WPA3-EAP that OP
recommended.

------
alexandernst
Synology Routers support WPA3 by default

~~~
maxyme
They also support a mode where they will use WPA3 when supported and fall back
to WPA2 when there isn't device support.

~~~
chaosite
That's just WPA2 with extra steps.

~~~
IshKebab
Not really - if all of your devices use WPA3 the attacker won't be able to
brute force your password for example. You might think "if all your devices
support WPA3 then why not disable WPA2?". The obvious reason is you might
occasionally want to use WPA2 without fiddling around with router settings,
e.g. if guests want to use your WiFi without recompiling their phone's kernel.

Then another obvious but naive response is "then your security is no better
than WPA2 anyway" but hopefully it's clear why that isn't the case in the real
world.

