CC3235MODS: AP Mode Security Type

Part Number: CC3235MODS
Other Parts Discussed in Thread: CC3235S

Tool/software:

Dear Sir,

    We are using CC3235MODS in the AP mode.

The security type is set to "SL_WLAN_SEC_TYPE_WPA_WPA2":

_i16 Status;
_u8 val = SL_WLAN_SEC_TYPE_WPA_WPA2;

Status = sl_WlanSet(SL_WLAN_CFG_AP_ID, SL_WLAN_AP_OPT_SECURITY_TYPE, 1, (_u8 *)&val);

Using the Linux command "nmcli", it shows that the security type is WPA1 and WPA2.  (Channel 48)

Do you have any suggestion for us to disable WPA1 and only enable WPA2 security type in the AP mode?

Thanks for your time.

Best Regards,

Luke

  • Hi Luke,

    There is no API for such a thing. For the option SL_WLAN_AP_OPT_SECURITY_TYPE, only these types are supported:

    • Open security: SL_WLAN_SEC_TYPE_OPEN
    • WEP security: SL_WLAN_SEC_TYPE_WEP
    • WPA security: SL_WLAN_SEC_TYPE_WPA_WPA2

    Jan

  • Dear Jan,

        Thanks for your reply.

    When CC3235S is in the AP mode and the security type is set to "SL_WLAN_SEC_TYPE_WPA_WPA2", is it WPA or WPA2 or mix?

    Thank you.

    Best Regards,

    Luke

  • Hi Luke,

    I am not 100% sure, but I suppose that this option is for mixed mode. But please wait for confirmation from TI side.

    Jan

  • Hi,

    I tested it just to make sure and it includes both, RSN (WPA2) and WPA information elements.

    And both have TKIP for the broadcast/multicast and AES/TKIP for the unicast.

    Regards,

    Shlomi
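
Added example (not code from this thread or from TI): a C check that walks the tagged information elements of a captured beacon or probe response and reports whether the RSN (WPA2) element, the legacy WPA vendor element and TKIP are advertised, which is the observation in the post above. The function names, flag names and byte arrays are constructed for illustration, and the "WPA2 only" policy in `wpa2_only()` is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HAS_RSN = 1, HAS_WPA = 2, HAS_TKIP = 4, HAS_CCMP = 8 };

/* Constructed sample: RSN + WPA elements, TKIP group, CCMP/TKIP pairwise. */
const uint8_t MIXED_IES[] = {
    0x00, 0x04, 't', 'e', 's', 't',                         /* SSID */
    0x30, 0x18, 1, 0, 0x00, 0x0F, 0xAC, 2, 2, 0,            /* RSN: ver, group, count */
    0x00, 0x0F, 0xAC, 4, 0x00, 0x0F, 0xAC, 2,               /* pairwise CCMP, TKIP */
    1, 0, 0x00, 0x0F, 0xAC, 2, 0, 0,                        /* AKM = PSK, capabilities */
    0xDD, 0x1A, 0x00, 0x50, 0xF2, 1, 1, 0, 0x00, 0x50, 0xF2, 2, 2, 0,
    0x00, 0x50, 0xF2, 4, 0x00, 0x50, 0xF2, 2, 1, 0, 0x00, 0x50, 0xF2, 2 };
/* Constructed sample: RSN element only, CCMP group and pairwise. */
const uint8_t WPA2_IES[] = {
    0x30, 0x14, 1, 0, 0x00, 0x0F, 0xAC, 4, 1, 0, 0x00, 0x0F, 0xAC, 4,
    1, 0, 0x00, 0x0F, 0xAC, 2, 0, 0 };

/* Suite type 2 is TKIP and 4 is CCMP in both the WPA and RSN suite lists. */
static unsigned cipher_flag(uint8_t t) { return t == 2 ? HAS_TKIP : t == 4 ? HAS_CCMP : 0; }

/* p points at the version field: version(2) group(4) count(2) pairwise(4 each). */
static unsigned ciphers(const uint8_t *p, size_t n)
{
    if (n < 8) return 0;
    size_t cnt = p[6] | ((size_t)p[7] << 8);
    if (n < 8 + 4 * cnt) return 0;              /* truncated suite list */
    unsigned f = cipher_flag(p[5]);             /* group cipher type */
    for (size_t k = 0; k < cnt; k++)
        f |= cipher_flag(p[8 + 4 * k + 3]);     /* pairwise cipher types */
    return f;
}

/* Walk id/len/data elements; stop at the first one that overruns the buffer. */
unsigned audit_ies(const uint8_t *ie, size_t len)
{
    static const uint8_t wpa_oui[4] = { 0x00, 0x50, 0xF2, 0x01 };
    unsigned f = 0;
    for (size_t i = 0; i + 2 <= len && i + 2 + ie[i + 1] <= len; i += 2 + ie[i + 1]) {
        const uint8_t *d = ie + i + 2;
        size_t n = ie[i + 1];
        if (ie[i] == 48) f |= HAS_RSN | ciphers(d, n);
        else if (ie[i] == 221 && n >= 4 && memcmp(d, wpa_oui, 4) == 0)
            f |= HAS_WPA | ciphers(d + 4, n - 4);
    }
    return f;
}
/* Assumed policy: RSN present, no WPA element, no TKIP anywhere. */
int wpa2_only(unsigned f) { return (f & HAS_RSN) && !(f & (HAS_WPA | HAS_TKIP)); }
int main(void) { printf("mixed sample passes: %d\n", wpa2_only(audit_ies(MIXED_IES, sizeof MIXED_IES))); return 0; }
```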

  • Dear Shlomi and Jan,

        Thanks for your time doing the test.

    WPA is known to be not as secure as WPA2.

    Since CC3235S in the AP mode could be connected through WPA or WPA2, does it mean that CC3235S AP mode is as vulnerable as WPA?  Even if CC3235S AP mode could be connected with WPA2, the hacker can attack it through WPA.  Is it correct?

    To make our product with CC3235S running in the AP mode pass the requirement of the cyber security, WPA has to be disabled and only WPA2 enabled.

    Do you have any suggestions for us?

    Thank you.

    Best Regards,

    Luke

  • Hi Luke,

    As far as I know, the attack vector on WPA-PSK is based on capturing the initial handshake between AP and client. Modern WiFi clients will never connect via WPA-PSK when WPA2-PSK is available. For this reason, this can be a security issue with very old clients which support WPA-PSK only.

    But I agree a much better approach from a security standpoint is to allow WPA2-PSK only. Unfortunately, I think this is not possible with CC32xx at the present time. The only way would be if TI decides to change this behaviour via a ServicePack.

    Jan

  • Dear Jan,

        Thanks for your reply.

    Our product is a medical device that utilizes CC3235S to transmit medical data. All medical devices must be approved by the FDA. Recently, the FDA mandates that all medical devices include cybersecurity measures to protect against cyber threats and ensure safe operation.  Since WPA1 is known to be unsecure, we cannot pass the cybersecurity check with WPA1 enabled.

    When CC3235S AP mode is connected by MacBook, Mac OS has a security warning:

    https://www.reddit.com/r/MacOS/comments/wkekjr/wpa_is_not_considered_secure_but_wifi_works_for/

    According to Apple, 

    Weak security settings to avoid on your router

    Don't create or join networks that use older, deprecated security protocols. They're no longer secure, they reduce network reliability and performance, and they cause your device to show a security warning:

    • WPA/WPA2 mixed modes

    • WPA Personal

    • WEP, including WEP Open, WEP Shared, WEP Transitional Security Network, or Dynamic WEP (WEP with 802.1X)

    • TKIP, including any security setting with TKIP in the name

    https://support.apple.com/en-vn/102766

    We desperately need a WPA2-only security type.  Do you know if TI has a plan to provide such a ServicePack to disable WPA1?

    Thanks for your time.

    Best Regards,

    Luke

  • Hi Luke,

    I am sorry, I am not able to comment on whether TI has any roadmap to solve this issue, because I am not a TI employee.

    But if you want my own opinion, I would be sceptical. It seems that TI moved focus to the new CC33xx devices instead of the older CC32xx/CC31xx and WiLink8. The WiFi plugin for CC31xx has not been updated for years and the latest CC32xx SDK is more than a year old. WiLink8 supports the ancient Linux kernel 4.19. Maybe you can create some pressure on TI via your TI sales representative (or FAE). If you are a big customer, maybe you can have success.

    Jan

  • Hi Luke,

    Let me take it internally and see if we plan to do it since as Jan mentioned, this requires a new servicepack.

    Regards,

    Shlomi

  • Dear Jan,

        Thanks for your time and your suggestions.

    We might need an MCU running TCP protocol to work with CC33xx, right?

    Best Regards,

    Luke

  • Dear Shlomi,

        Thank you for the support.

    Since the "S" in CC3235S is for secure, I think it should be reasonable to turn off WPA1 in the AP mode to meet the minimum requirement of Apple's suggestions and, for medical products, to pass the cybersecurity required by FDA.

    Best Regards,

    Luke

  • Hi Luke,

    Yes, for CC33xx you need an MCU/processor with an integrated TCP/IP stack. But a solution which will not need an external MCU/processor may come in the near future (no more details).

    Jan

  • Dear Jan,

        Thanks for the hint.

    Best Regards,

    Luke

  • Sure, will keep you in the loop.

  • Dear Shlomi,

        Thank you for the support.

    Best Regards,

    Luke

  • No problem, just to highlight, this fix along with other fixes piped in the last few months should be added to the new servicepack and released in Q3 (this is the plan).