Huge security vulnerability

My sensor is showing and updating on the map, and I also have a network PurpleAir-xxxx on my network list. I can connect to the PurpleAir network, and get the PurpleAir config screen which says “WiFi Connected Looking good!”

I’m not using 192.168.4.0 subnet. My network to which the sensor is successfully connected has internet access, which is why the sensor shows on the map. (And the map shows signal strength “good”)

Anyone in range, therefore, can connect to my sensor and tamper with the settings, easily knocking it offline, for example.

1 Like

Hello Michael,

The PurpleAir-**** network should become unavailable after the device has bee configured to WiFi. Feel free to email us with your device ID so we can investigate further.

Thank you

It is behaving correctly now. Thank you.

1 Like

Hello,
I am searching the Community for answers to problems I am having setting up a new PA II. I am not sure if this thread has anything to do with the issue but I read that “the PA network should become unavailable after the device has been configured to WiFi.”

Both screenshots show that my WiFi and the PA II “Network” are both active, and I assume are connected. However, I have not received any data from the outdoor unit.

My question is whether the “PurpleAir Network” is “unavailable” as you wrote? If I click on the PA WiFi it is labeled “unsecured network” but I still see no data, so I revert back to my secure network “Tivoli-V”. I am not sure if this could be a reason I am not receiving any data.

Thanks
Ron

Hello Ron,

Welcome to the PurpleAir community! I’m sorry that you’re having issues connecting to the Wi-Fi. Once you have connected your sensor to Wi-Fi, your PurpleAir**** network will no longer appear in your list of available networks.

If you have an Eero router, I would recommend reviewing this article: Trouble connecting with an Eero router

If you are not using an Eero router, are there any security settings that could affect the sensor’s ability to connect?

If you still have issues, please contact our support team at contact@purpleair.com with your device ID number.

In the theoretical scenario where my WiFi goes down, and the purpleair can be connected to directly after X number of minutes, my concern is whether someone connected to the sensor directly would then have the ability to extract my main network WiFi password from the PurpleAir device. Is PurpleAir able to comment?

Thanks

1 Like

If the PurpleAir-**** network has appeared, the device has deleted its previous WiFi connection settings and reverted to the default. This means that your SSID and password would not be on the device and could not be extracted. There is also no connection between the PurpleAir-**** network and the network that your device is configured to.

1 Like

Hi Ethan - Thanks for that information, that is reassuring!

Sorry one further question on this - does this mean that if my WiFi network is unavailable for more than 10 minutes and the purple air network becomes available again I would have to re enter my WiFi password in the purple air settings for it to reconnect again?

I’m thinking that has to be the case if it erases the previous WiFi configuration?

1 Like

You have that correct: if the sensor disconnects, the network information will need to be re-entered.

1 Like

Thanks for confirming.

Has this always been the case? I have generally felt that PurpleAir monitors seem to remember network information and re-attach after even an extended power outage. How would that be possible if they “forget” the credentials when disconnected? Thanks for your insights!

Best,
Mark