We really need Cerbo to support WPA3. It's insane that boats have to rely on using WPA2, leaving their networks exposed, only to support a CerboGX connection.
This is a simple implementation to add.
Use the LAN connection if it's such an issue.
It absolutely isn’t.
WPA3 uses a way more complex encryption, which is a very CPU-intensive operation. Small devices supporting WPA3 therefore usually ship with an external, dedicated crypto acceleration chip to offload those calculations, which the Cerbo doesn't have (I think).
So, adding WPA3 by just providing the required software capabilities would significantly increase the Cerbo's CPU load, which is a valuable good these days.
WPA2 is still safe, as long as you are not using TKIP encryption on your Wi-Fi network.
Just the fact that some highly sophisticated attacks against WPA2 with AES are possible doesn't mean anyone ever will take this effort to gain access to a private boat's Wi-Fi network.
I have mine connected via an RJ45 LAN cable and use a dedicated Unify Pro 7 when I need WiFi access for something without a LAN port. I'm using a smart energy socket for the power supply of that access point. Nothing exposed. Only when I need it, and with WPA3 support of course.
The extra CPU utilisation for WPA3 should be around 6%, and yeah, WPA2 is hacked in seconds these days. In short: if security is what you want, don't use WiFi.
The latest chipsets on the cheap Raspberry Pi 5 support WPA3. A simple revision to the board to replace the current chipset (which uses the same exact pinouts as the previous version) and the addition of WPA3 software support would take them maybe a day or two to design and implement.
If their engineers are not designing their boards for these types of clearly planned roadmaps then they need to be replaced with more forward-looking folks.
Cerbo just isn't a priority for the company I guess. Which is a shame because it's a key component of what makes people on boats interested in Victron.
With respect, your Pis have a 12-month warranty, so can be discontinued at will so they churn out newer, better, faster replacements constantly. Pis have a broad user base for a wide variety of applications.
The GX is purpose built for providing a stable controller for the Victron ecosystem. They have a 5 to 10 year warranty. The CCGX just retired has been in use since 2013. This longevity means that a GX needs to be able to scale as the software stack grows over time, which it has done constantly, so being careful with resource usage is a key part of ensuring longevity.
Victron have a capable and progressive team, if something can be easily done, and the market demands it, then they tend to get it done. So there is more to decision making than you might be considering.
Ultimately, best practice has always been to use wired connections, or at least to segment your network to isolate IoT devices.
When mobile, the probability of someone getting close enough to execute a man-in-the-middle attack, and to then be able to intercept the keys to decrypt a secure HTTPS channel, is mighty tiny.
If your information is that sensitive and you are so concerned about it, you would never be using wireless tech to start with.
(as a side note, WPA3 networks can often be forced down to WPA2 regardless for compatibility, so there is no guarantee that you would be secure)
Also I doubt that the Allwinner processor that is in the Cerbo, 13 years old now, will still be "alive" after 5 years, let alone 10 years, Victron warranty…
What I want to say is that no matter that Victron offers a 5/10-year warranty, if the components inside are to be phased out soon and what's more odd is the fact that Cerbo just passed through a hardware revision (MK2) and many components inside weren't updated to newer/recent ones.
But this is just me and I am known to be picky…
I'm not into hardware development, but I know from various customers that even exchanging small chips in a device can be quite challenging.
Especially if you have a lot of bundled drivers for a variety of devices. You gotta run tests for every device that is currently supported, eventually get new driver versions for some of them, and furthermore from now on ship the software with a way bigger driver bundle, so, depending on if it's going to run on a Rev A or Rev B device, the suitable drivers are there.
A Pi doesn't face these issues. If they decide to replace the whole chipset, it is what it is, the customer has to deal with that; they don't have to maintain any compatibility with devices being used with the predecessor.
Victron shouldn’t be in the business of telling clients what is safe to them and in fact should be striving to provide the best possible security and solutions at the same price we enjoy today. That’s what driving value is, especially from a leader in the business. Your Chinese competitors (Fangpusun) are doing so.
LOL Fangpusun isn’t a competitor, they’re a counterfeit company - literally selling knockoffs of Victron, Outback, and other legitimate manufacturer components. Feel free to trust whatever specs they claim, everyone’s free to believe what they choose, but I’d sure advise against it.
Bottom line, you’re right, Victron isn’t in the business of telling clients what is safe… And they’re not telling anyone that. They only tell you that WPA2 is available if you choose to use it, else -and recommended- use a wired connection.