syharlequin asked

CerboGX: WiFi Security prevents successful authentication of connection to WiFi router

The WiFi on our yacht supports WPA2-PSK, WPA/WPA2-PSK, WPA3-SAE, and WPA2-PSK/WPA3-SAE as options.

The first issue we have is that when any of these WiFi Security Encryption Standards (operative word there, STANDARDS) is enabled, the CerboGX fails to connect. The same WiFi router, when OPEN, connects without issue.

It would be good if the documentation actually specified the supported encryption standards on the CerboGX, but more importantly (especially with remote work), stronger standards SHOULD be supported if you want devices like this talking off network (i.e. TLS, etc.).

Can someone specify which WiFi encryption standards are supported on the CerboGX, and then go poke the documentation folks?

Tags: cerbo gx, VRM, wifi

3 Answers
Stefanie (Victron Energy Staff) answered ·

Hi @SYHarlequin,

The Cerbo GX WiFi uses WEP, WPA and WPA2, as outlined in the manual. WPA2 encryption as per AES. I'm just not sure about PSK, but will find out.

1 comment
bwmoore22 commented ·

If support is only WPA2, please also check to see if it supports protected management frames (PMF); this helps in defending against deauthentication attacks. I learned A WHOLE LOT about WiFi security after researching some strange behavior by my iPhone and travel router at a public meeting; it likely was a deauthentication attack.

Support for WPA3 should be a part of your product plan, and for older devices, adding support for PMF on WPA2 would be a good thing. Sadly, very few IoT devices support WPA3 or PMF on WPA2.

0 Likes

syharlequin answered ·
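As an added example, not part of this thread or of any Victron product: a hostapd access-point configuration fragment showing the router-side settings the comment above refers to, so that "WPA2 with PMF" and "WPA3-SAE transition mode" can be seen as concrete directives. The interface name, SSID and passphrases are placeholders; everything else is standard hostapd syntax.

```ini
# Added example (not from the thread): hostapd.conf fragment for a small
# access point, showing PMF (802.11w) and WPA2/WPA3 transition mode.
# Interface name, SSID and passphrases are placeholders.
interface=wlan0
ssid=EXAMPLE-SSID
hw_mode=g
channel=6

# RSN (WPA2/WPA3) only. WEP and wpa=1 (original WPA/TKIP) are deliberately absent.
wpa=2
wpa_pairwise=CCMP
rsn_pairwise=CCMP

# Transition mode: WPA2-PSK for legacy clients, WPA3-SAE for clients that support it.
wpa_key_mgmt=WPA-PSK SAE
wpa_passphrase=CHANGE-ME-PSK-PASSPHRASE
sae_password=CHANGE-ME-SAE-PASSWORD

# Protected Management Frames (802.11w), the PMF the comment asks about.
# It authenticates deauthentication/disassociation frames so a third party
# cannot forge them.
#   ieee80211w=0  disabled
#   ieee80211w=1  optional: clients that support PMF get it, legacy clients still connect
#   ieee80211w=2  required: clients without PMF support cannot associate
ieee80211w=1
# SAE (WPA3) associations always negotiate PMF, regardless of the optional setting above.
sae_require_mfp=1
```

When a client associates to an open network but fails as soon as security is enabled (the symptom in the question), the defensible troubleshooting order on the router side is: WPA2-PSK with `ieee80211w=0`, then `ieee80211w=1`, then the transition mode above, then `ieee80211w=2` and SAE-only. The step at which the client stops associating tells you which of these features it lacks, which is a more useful finding than rechecking the passphrase.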

WEP (40 bit, not even 128 bit which is also insecure) can be compromised by a child.

WPA and WPA2 are no longer secure. I actually do secops for the government, and am an editor on multiple NIST Special Publications in the security arena, and you'd be surprised at how many products are released in such a vulnerable state. This should be addressed by your team as it represents a security risk to your customers, and a financial risk to the company.

Imagine the damage someone could do to a large lithium bank by remotely mis-configuring DVCC.

WPA3 should be the minimum encryption, with WPA2 only as an option when warning the user that they are using a known insecure encryption standard.

https://www.fortinet.com/blog/business-and-technology/wpa2-has-been-broken-what-now

A good bit of guidance Victron should be following is: https://www.cisa.gov/news-events/news/securing-wireless-networks

All of that said, WPA does not connect; the password has been checked multiple times.

Firmware is v3.00 (20230529211714)

The rather public and nasty breach of the Brunswick Corporation last week, which includes the Navico portfolio of companies, including CMap, Simrad, B&G, Lowrance, etc., should be a loud and urgent wake up call.

1 comment
seb71 commented ·
Disable Wi-Fi and use a LAN/UTP cable instead.
3 Likes

nickdb answered ·

It is an IoT device; like most IoT devices it only supports 2.4 GHz and is thus not the most progressive with security.

Expecting Pentagon-grade security from an IoT device is having unrealistic expectations.

As mentioned, run it wired then, but if you try to poke holes in the OS you will find them, and plenty of the comms/protocols are not exactly robust, so not ideal for the CIA but fit for purpose for a yacht.

Though I guess the bad guys could pop up underneath you in their stealth submarine and try to brute-force their way in.

2 comments
syharlequin commented ·

Duke Energy had the same attitude. The folks at Amazon had the same attitude with RING.

Linking to an updated library when building the firmware is not too much to ask, and this kind of response begs the question of how much software/firmware engineering expertise you bring to the conversation. I personally have 30+ years, and expecting baseline competence is not too much to ask; it's table stakes in a game where remote exploit of the BMS config on a multi-kW lithium bank can cause significant damage to a vessel.

This is why it's getting harder and harder, and more and more expensive to insure yachts.

Finally, a lot of exploits don't happen because someone's out to get you, a lot of them happen because some script kiddie decided it would be fun.

1 Like

nesswill commented ·
...agreed. If we all adopted this approach we would never leave the house, let alone turn anything on; what quality of life would that be!!

A common-sense approach using best practices that is appropriate for what you need/do is just fine... (for most ;))

As said, fit for purpose.

0 Likes