2

I've found description of vulnerability here.

The kankun smart socket device and the mobile app use a hardcoded AES 256 bit key to encrypt the commands and responses between the device and the app. The communication happens over UDP. An attacker on the local network can use the same key to encrypt and send unsolicited commands to the device and hijack it.

Then how it should be done in a secure way, I mean how to encrypt communication without hard coding key in client?

gnat
20.5k29 gold badges117 silver badges308 bronze badges
asked Mar 1, 2016 at 10:37

1 Answer 1

5

You use a key exchange protocol, such as Diffie Hellman key exchange, which allows each side of the communication to generate a random number and derive a key from those numbers without an eavesdropper being able to find the result from the data actually exchanged.

In general, using a peer-reviewed protocol such as SSL/TLS avoids issues like this.

answered Mar 1, 2016 at 10:46

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.