Cyber Security Update: WPA2 "KRACK" WiFi Wireless Security Vulnerability Notice

Security researchers have discovered an apparent flaw in the commonly used wireless network security protocol (WPA2) which may allow an attacker to compromise and/or gain unauthorized access to wireless devices and networks. The vulnerabilities are reportedly in the WPA2 protocol, not within individual WPA2 implementations, which means that all WPA2 wireless networking may be affected. Actions to potentially mitigate these vulnerabilities include installing updates to affected products and hosts as they become available from manufacturers. These vulnerabilities reportedly go by the name ‘Key Reinstallation Attacks’ or ‘KRACK’. For more details on the vulnerability specifics see the industry links below.

Resideo, the manufacturer of Honeywell Home products, takes the security of our products seriously, and we are actively assessing the impact of these findings on our products and identifying potential corrective actions as necessary. We will communicate, as necessary, with our customers potential mitigations and fixes regarding the above-mentioned vulnerabilities.

Some of Resideo's related solutions utilize wireless networking and wireless devices. These events highlight the importance for homeowners and organizations to ensure that their systems are up to date with the most current software versions and updates, and properly maintained and monitored. Prevention is often the best protection.

Recommended Action

Resideo recommends that customers undertake preventative measures to enhance the security of their home or building systems, including the following:

• Security Updates: The WPA2 protocol is ubiquitous in wireless networking. The vulnerability is reportedly with the standard itself as opposed to the implementation, meaning this issue would appear to affect nearly all Wireless Access Points (AP), Mobile Devices and OS wireless clients. Updates to affected devices should be promptly installed as/when they become available from manufacturers.
• WiFi Usage: Until patches are available, continue to use WPA2 encryption as it is believed to be safer than alternative WiFi security options. Avoid the use of public WiFi services. If public WiFi must be used, utilize a Virtual Private Network (VPN) connection to enhance the security of your network traffic. Consider the use of Intrusion Detection & Intrusion Prevention Systems (IDS & IPS) on the network and firewalls that may identify an attacker or rouge traffic.
• Anti-Virus: Always ensure that anti-virus software is up to date and installed across all assets.
• Keep Current: Unpatched or outdated operating systems and application software are often more susceptible to cyber-attacks, ensure updates are being installed on a timely and regular basis.
• Backups: Ensure appropriate backups and system restoration procedures are in place, with copies of the most recent backup stored in an offline/disconnected state to reduce infection susceptibility.
• Awareness: Educate system users to take care when opening emails and attachments. Ensure building control system servers and workstations are not being used for email access or general web browsing, and logically separated if running on a shared network. Inform and educate system users on how to identify scams, malicious links, and social engineering attempts.
• Report concerns: Promptly report any unusual system activity or unplanned disruption to your product's manufacture or service team.

For more specific guidance, or if you have concerns with the security of your Honeywell Home products in your home or building, please contact the Resideo team via this Cyber Security Inquiry Webpage.

Additional Resources

• Vulnerability Note VU#228519
• WPA2 Key Reinstallation Attacks