UPDATE (10/17/17, 6:00pm PT): eeroOS version 3.5, which includes a patch for the KRACK vulnerability, is now available to all eero customers via an in-app OTA update, as well as through our rolling automatic updates.
News broke early this morning that researchers have discovered a flaw named KRACK (Key Reinstallation Attack) in the WPA2 security protocol that encrypts all traffic between modern WiFi access points and client devices. KRACK could allow attackers within physical range of a vulnerable WiFi access point or client device to intercept passwords and other vital personal information. Here’s a comprehensive article on KRACK from Ars Technica.
All routers — including whole-home WiFi systems like eero — and client devices like your smartphone are potentially affected by KRACK. To exploit KRACK, someone would need to be physically in or very near your home. There have been no reported exploitations of the vulnerability so far.
Our internal security and engineering teams have reviewed the vulnerability and applied fixes that have rolled out to our beta customers in eeroOS version 3.5. In addition to the KRACK update, eeroOS version 3.5 includes other regularly scheduled performance, security, and stability improvements. Once beta testing is complete, we’ll roll the new eeroOS with the KRACK fix out to all eero customers. As always, there will be no action required from customers — the update will happen automatically. You’ll also be able to manually trigger the update via the eero app. Please email email@example.com if you have any questions.
While this is a necessary first step in better securing your network, many client device manufacturers have yet to release patches. As they become available in the coming weeks, we recommend updating your devices — including phones, laptops, and IoT products. We’ll publish a list of patches in a future post.
As we roll out our KRACK patch, we’ll provide updates here on the blog. As always, thank you for being an eero customer.
Co-founder & CEO
P.S. Security researchers can get in direct contact with our security team here or by emailing firstname.lastname@example.org.