Description
Note
This issue is transferred from WLED wled/WLED#4052. I'm not in possession of the hardware, which is required for testing this. I found the issue through a packet capture and reported it at WLED, where the maintainers noted that it's an issue in this library. I filled out the fields to the best of my knowledge, but this is definitely a software issue, across all boards.
Basic Infos
- This issue complies with the issue POLICY doc.
- I have read the documentation at readthedocs and the issue is not addressed there.
- [?] I have tested that the issue is present in current master branch (aka latest git).
- I have searched the issue tracker for a similar issue.
- If there is a stack dump, I have decoded it.
- I have filled out all fields below.
Platform
- Hardware: Any
- Core Version: 4.2.1
- Development Env: PlatformIO
- Operating System: Any
Settings in IDE
- Module: Any
- Flash Mode: Any
- Flash Size: Any
- lwip Variant: Any
- Reset Method: Any
- Flash Frequency: Any
- CPU Frequency: Any
- Upload Using: Any
- Upload Speed: Any
Problem Description
When operating a SoftAP initialized with `WiFi::SoftAP`, the encryption defaults to TKIP aka WPA1, which has been deprecated for over a decade by now, due to it being insecure. Alternatively, CCMP aka WPA2 should be used.
I'm aware that this might be for backwards compatibility, but if TKIP is used, a warning should be emitted.
If WPA/WPA2 is used, this still presents a risk, because TKIP is implicitly used as the group cipher, which makes all group-addressed traffic vulnerable.
MCVE Sketch
See minimal WiFi SoftAP example.
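
A check for the cipher suites described above, as an added example that is not part of the original issue or of the library: it parses the RSN element (tag 48) and the legacy WPA vendor element (tag 221) from a beacon's tagged parameters and flags TKIP as group or pairwise cipher. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Cipher suite type numbers shared by the RSN element and the legacy WPA vendor element.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
RSN_OUI = bytes.fromhex("000fac")   # IEEE 802.11 suite selectors (RSN, tag 48)
WPA_OUI = bytes.fromhex("0050f2")   # Microsoft OUI used by the WPA element (tag 221)

def parse_suites(body, oui):
    """Return (group_cipher, [pairwise_ciphers]) from an RSN/WPA element body."""
    if len(body) < 8:
        raise ValueError("element too short")
    version, count = struct.unpack_from("<H", body, 0)[0], struct.unpack_from("<H", body, 6)[0]
    if version != 1 or len(body) < 8 + 4 * count:
        raise ValueError("unsupported version or truncated suite list")
    def name(sel):
        return CIPHERS.get(sel[3], "type %d" % sel[3]) if sel[:3] == oui else "vendor-specific"
    return name(body[2:6]), [name(body[8 + 4 * i:12 + 4 * i]) for i in range(count)]

def audit_elements(ies):
    """Walk the tagged elements of a beacon; report ciphers and whether TKIP is in use."""
    findings, pos = [], 0
    while pos + 2 <= len(ies):
        tag, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        pos += 2 + length
        if len(body) < length:
            break                                   # truncated capture, stop parsing
        if tag == 48:
            label, oui = "RSN", RSN_OUI
        elif tag == 221 and body[:4] == WPA_OUI + b"\x01":
            label, oui, body = "WPA", WPA_OUI, body[4:]
        else:
            continue
        group, pairwise = parse_suites(body, oui)
        findings.append((label, group, pairwise, "TKIP" in [group] + pairwise))
    return findings

# Constructed sample elements (not taken from the reporter's capture).
MIXED = (b"\x00\x04test"
         + bytes.fromhex("dd16 0050f201 0100 0050f202 0100 0050f202 0100 0050f202")
         + bytes.fromhex("3014 0100 000fac02 0100 000fac04 0100 000fac02 0000"))
WPA2_ONLY = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")

if __name__ == "__main__":
    for name, ies in (("WPA/WPA2 mixed", MIXED), ("WPA2 only", WPA2_ONLY)):
        print(name, audit_elements(ies))
```

In the mixed sample the RSN element advertises CCMP as the pairwise cipher but TKIP as the group cipher, which is the case the last paragraph of the problem description refers to.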