Background:
On April 10th, 2019, researchers disclosed several vulnerabilities affecting authentication for wireless networks. Their effects range from resource exhaustion on wireless access points, to downgrading encryption strength, to causing crashes.
At the time of writing, eero does not implement WPA3 or EAP-pwd authentication for client devices, so most of the vulnerabilities disclosed do not affect eero networks.
eero networks do use a component of WPA3 authentication called SAE when establishing the mesh network among themselves. SAE was subject to a resource exhaustion attack which in some cases could affect eero’s mesh implementation, and a common implementation of SAE contained a vulnerability related to state validation. eero networks were patched to protect customers from both issues before this news was made public.
| Vulnerability ID | Name | Is eero affected? |
|---|---|---|
| CVE-2019-9494 | SAE cache attack against ECC groups | No |
| CVE-2019-9495 | EAP-pwd cache attack against ECC groups | No |
| CVE-2019-9496 | SAE confirm missing state validation | Patched |
| CVE-2019-9497 | EAP-pwd missing commit validation (reflection attack) | No |
| CVE-2019-9498 | EAP-pwd missing commit validation - network impact | No |
| CVE-2019-9499 | EAP-pwd missing commit validation - rogue AP | No |
Patches for eero customers were applied automatically in eeroOS v3.12.1. To confirm whether or not your network is patched, please refer to this article.