WPA2 cracked... virtually all wifi routers affected...

Wow. I wonder how they're going to fix that one?
 
As you would expect, initial coverage is somewhat sensationalized. The truth is that while the issue is widespread, the fixes are very straightforward, which even the researcher acknowledges. Major platform vendors have already deployed patches. Microsoft, for example, has acknowledged that they updated Windows. You should see additional public disclosures on patch status published throughout the day. See https://www.wi-fi.org/security-update-october-2017 and the linked resources there.
 

It’s not that patches from big name vendors won’t be available. It’s the magnitude of the number of routers out there in consumer land that won’t ever get patched or won’t have them made available.

All sorts of fly-by-night consumer router makers, and even more clueless consumers who have no idea and won’t even with “sensationalized” news to break through the highly important stuff like which oligarch is playing golf.

This one is going to be a real threat to a lot of people for a very long time. The long tail on this one will drag out for a decade.
 
I know NetGear emailed me last week and basically said install this new firmware now. I checked and there were updates for their complete wireless router range.
 
Huh. AT&T hasn’t pushed a fix for their branded box in my closet yet. Went to the manufacturer website and there's no mention of a fix for this model.

I’m guessing it’ll be a cold day in hell before AT&T spends a dime on the upgrade.

And that’s how the next Equifax-type incident will work.
 
Looks like DLink is dragging their feet on updates also. They say access points aren't exposed but that clients are.
 
Linksys doesn't have any new updates for my older router. Sigh.
 

They're working on fixes for LEDE, OpenWrt, and Gargoyle as we speak. One of them might be flashable to your old Linksys.

Rich
 

There is a good chance that your residential routers won't need a patch. Of the 10 CVEs related to this vulnerability, only 1 (related to Fast Transition) requires patching on the network side, though some could benefit from patching on both sides. Fast Transition is more commonly found in enterprise equipment that requires a mobile client to move between multiple access points rapidly without dropping packets. Most of the patches for this vulnerability are on the client side. That is why you see companies like Microsoft (who quietly deployed patches last week on patch Tuesday) and individual maintainers in the Linux community moving quickly to update. Apple is still only rumored to have patched (reported in iMore). One reason you might see updates for consumer routers is that some of them offer a client mode, e.g. allowing them to connect with another access point and serve as a range extender. This isn't to say you shouldn't check for router updates, only explain how there are legitimate reasons why you may not see any.

Definitely get those clients patched though.
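The client-side nature of the bug that this post describes comes down to what a client does when the handshake's message 3 arrives more than once. The following is an added example, not code from this thread or from any vendor: a Python model of a WPA2 supplicant that reinstalls the pairwise key on a replayed message 3 and so resets its packet number, beside a patched supplicant that refuses to reinstall a key it already has. The stream cipher (HMAC-SHA256 in counter mode) and the one-line PTK derivation are stand-ins for CCMP and the real key hierarchy, the two frame payloads are constructed, and all names are my own.

```python
import hashlib
import hmac

# Constructed sample frames (same length so the XOR lines up byte for byte).
KNOWN_PLAINTEXT = b"GET /index.html HTTP/1.1"   # attacker can guess this frame's contents
SECRET_PLAINTEXT = b"Cookie: session=ab12cd34"  # the frame the attacker wants to read


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode keyed by the PTK and the
    per-packet number. Stand-in for CCMP's AES-CTR; the only property that
    matters here is that the same (key, packet number) gives the same stream."""
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(ptk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to what happens on message 3."""

    def __init__(self, reinstalls_keys: bool):
        self.reinstalls_keys = reinstalls_keys  # True models the pre-patch behaviour
        self.ptk = None
        self.installed = False
        self.packet_number = 0

    def on_message3(self, ptk: bytes) -> None:
        # The AP retransmits message 3 if it never sees message 4, and an attacker
        # in radio range can replay a captured message 3. Installing a key resets
        # the packet number to zero: harmless the first time, fatal on a reinstall.
        if self.installed and not self.reinstalls_keys:
            return  # patched: key already installed, keep the packet counter running
        self.ptk = ptk
        self.installed = True
        self.packet_number = 0

    def encrypt(self, plaintext: bytes):
        self.packet_number += 1
        ct = xor(plaintext, keystream(self.ptk, self.packet_number, len(plaintext)))
        return self.packet_number, ct


def simulate(reinstalls_keys: bool):
    """Run the replay against a client with or without the reinstallation bug.
    Returns (packet number of frame 1, packet number of frame 2,
    plaintext the attacker recovers or None)."""
    # Constructed PTK; in WPA2 it is derived from the PMK and both handshake nonces.
    ptk = hashlib.sha256(b"toy PMK|ANonce|SNonce").digest()
    client = Supplicant(reinstalls_keys)

    client.on_message3(ptk)                      # legitimate message 3
    n1, ct1 = client.encrypt(KNOWN_PLAINTEXT)    # first data frame, attacker records it
    client.on_message3(ptk)                      # replayed message 3 from the attacker
    n2, ct2 = client.encrypt(SECRET_PLAINTEXT)   # second data frame, attacker records it

    if n1 != n2:
        return n1, n2, None   # distinct packet numbers, distinct keystreams, nothing to do
    # Same key and same packet number: ct1 XOR ct2 == pt1 XOR pt2, so the known
    # plaintext peels the secret one off without the attacker ever learning the PTK.
    recovered = xor(xor(ct1, ct2), KNOWN_PLAINTEXT)
    return n1, n2, recovered


if __name__ == "__main__":
    for flag in (True, False):
        n1, n2, got = simulate(flag)
        label = "vulnerable" if flag else "patched"
        print(f"{label:10s} packet numbers {n1},{n2} -> recovered {got!r}")
```

With `reinstalls_keys=True` the second frame is encrypted under packet number 1 again, and XORing the two ciphertexts with the known plaintext yields the secret frame byte for byte; with the reinstallation check in place the counter advances to 2 and the attacker gets nothing. That check lives entirely in the client, which is why a patched laptop stays protected on an unpatched access point, and why access-point firmware only needs the fix for the roles the post names (client/repeater mode, and Fast Transition on the network side).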
 

Yeah. Sure throws a monkey wrench in BYOD shops though. Telling people they have to get off until their vendor puts out a patch and then proving it, will just lead to even worse alternatives to get their devices online. Ugh.

Not that BYOD isn’t a semi-nightmare anyway.

Telling the boss his Apple toy won’t be patched for a month (typical Apple release speed) and all his iThingys too... here’s your ethernet cable, use it... isn’t going to make anybody happy.

Oh well. We put out the warning that “if we need to do something drastic with the WiFi Access, we’ll let you know” and are running the slight risk of data loss for the moment. I can’t imagine a HIPAA or PCI or similar environment has that luxury today. Or if they’re putting their heads in the sand, they’re out of bounds on their certs once they’ve been made aware of the issue until everything is patched.
 
By the way, want to put $20 on this shining a spotlight on that code in all products and at least two more major problems in the implementation of the WPA2 code are found within a couple of months, including fair warning time to the vendors? LOL.

The “many eyes” BS on most of this code doesn’t work. Nobody is actually reading any of it.
 
Virtually doesn't mean "almost." It means in appearance, not in fact. You can replace it with "not" or "no" to get a proper read on the sentence.
 
I disagree:

virtually (adverb)
  1. nearly; almost.
     "virtually all those arrested were accused"
     synonyms: effectively, in effect, all but, more or less, practically, almost, nearly, close to, verging on, just about, as good as, essentially, to all intents and purposes, roughly, approximately
 

I remember working on fixing a TCP/IP bug back in the early 2000's. Can't remember which it was. Maybe SYN loopback attack, or RST attack. It escapes me now. But that bug was in every single implementation of TCP/IP since the 1970's. 1000s of people ported it by hand over to 100s of platforms, and nobody ever noticed it. Open source, proprietary source vendors - didn't matter - everybody had that bug.

IIRC - the bug wasn't even in the RFC. People just used reference implementations and everybody copied the same mistake.

I don't think that can happen anymore, proprietary vendors will do everything from spec instead of from code to avoid GPL poison pills. But it was a jungle back then. But if a bug is in a spec, you still have an issue.
 

Now that more information is out, it should read “all”. It’s a protocol level problem. Every device that does WPA2 is affected.

Sorry I couched it, but the information was early.

Whether or not it’s the client that gets patched to cover the problem up or not, is immaterial, the protocol itself is bad and the router certainly understands the protocol and will happily participate with a bad client and an attacker’s additional bad behavior, wherever both exist.

Millions of bad clients exist, and a significantly large number will never be patched by clueless folks. They’ll be vulnerable forever until the routers all stop participating, and many routers will never be patched.

The industry is a sad joke, really. WPA2 was the fix to two other protocol level problems before it. Like the OpenSSL problem, this one has been in this “secure” protocol for over a decade. Let’s all fire up some WEP and enjoy that again, shall we? LOL. It was “secure” once, too.

Craptacular.
 
This sounds like the nefarians may access your computers when connected to any wifi?
I.e., no different than using the wifi at a hotel (where they warn you the network is insecure)?

How about my server, which gets its internet from a Uverse box via cable and a firewall. The Uverse box transmits wifi too.
 

Was it smurf?

I forget which one my staff used to use against the Director to get him off the phone. If he wouldn’t end a conference call, they’d just toss the magic packets his way and blue screen his desktop machine, until I caught them doing it.

They fessed up because I pointed out to them that the Director had had three expensive desktop machines and a laptop replaced in less than a year because he kept telling the other help desk the hardware was bad. lol. I knew this from our management meetings.

“Knock it off, kids... you know better now... this is costing us real money and if he figures it out, it won’t go well for you...”

But I quietly laughed my butt off back in my office that afternoon. I knew who figured out how to do it and taught my other staff how, too. He still works in security. Last papers he published were on attacking laptops through USB and FireWire DMA. Nice of those specs to leave direct access to the machine’s RAM open to something plugged into an external port, eh?

LOL. It’s been a while since that mistake was understood. Everyone just wanted their external hard drives and flash drives to go faster... let’s just hook them straight to the RAM... brilliant.
 
They already have your credit info via the equifax hack, 'the evil doers' don't need to get into your pc.
 
Disagree. Several someones are reading the code and finding the bugs. Only, they probably call them exploits, and they probably don't work for people that have your best interests in mind.

Air gap, shut off wifi, bluetooth, step into the cage. Oh, wait, ultrasonic beacons are now a thing. And then there's google somehow magically showing the thing I happen to be having a conversation about as the first item in search results more often than not, even with "ok, google" supposedly disabled.
 
Yay, my firewall supplier sent out this message
So I have no worries....right?
:D
On Monday, a critical vulnerability in the WPA2 wireless security protocol was published by Dutch researchers. KRACKs — or key reinstallation attacks — can theoretically be deployed by attackers to steal sensitive information from unsuspecting wireless users leveraging flaws in the Wi-Fi standard.

The SonicWall Capture Labs investigated the WPA2 vulnerabilities and found the following:
  • SonicPoint and SonicWave wireless access points, as well as SonicWall TZ and SOHO wireless firewalls, are not vulnerable to KRACK attacks.
  • No updates are needed for SonicWall wireless access points or firewalls with integrated wireless.
  • Attackers must be in physical proximity to the wireless client or access point to execute a KRACK-based man-in-the-middle (MITM) attack.
As a customer with SonicWall access points or firewalls with wireless capabilities, you are not susceptible to KRACK attacks and no updates are needed at this time.
 

You’ve noticed that too? Mine isn’t Google but it’s pretty eerie.

Zuckerberg supposedly has tape over both the video camera and the microphone holes in his own smartphone when using his own products.

Oh. And the latest South Park with The Zuck in it, is freaking hilarious. You’re welcome, if you haven’t seen it yet. :)
 
Well, "no worries" is a little strong. You may have no worries about your firewall being "Kracked" while you are using it at your house, but do you ever use WIFI at the gym, or starbucks, or the FBO or . . . anywhere?
 
Set up AES encryption and segregate any devices that need WPA2.
 

No, smurf was before my time.


I remember at some point I discovered a bug in the way Windows XP displayed shortcut icons. I could craft a shortcut (.lnk file) by hand in a way that it would instantly crash whatever application was trying to display the icon for that .lnk file.

For extra effect, I added a .lnk file to the bug report :).

Ahh, good times.
 
So now it looks like the 5 GHz radio in my wireless system died. Running on the 2.4 GHz radio for now.

Wait to replace? Replace with what? Cheap is always good. This is a home network without VPN in or any of that type of crap.

Edit: current unit is an N600 dlink thing. It was cheap.
 

AC3200 tri-band is probably the sweet spot between price & performance right now. You can get a refurb one for $65:

https://www.linksys.com/us/p/EA9200...e2wcp_c-3lF63HXZgKaWflAJ2ci3BAkMaAu5PEALw_wcB

This is if you like Linksys as a brand. All brands have AC3200s.
 
I'm pretty happy with my 2 MR-33s from Meraki.. they were patched the morning the exploit was discovered
 
When mine die or I get bored and decide to do the upgrade, my next setup for the house is going to be Ubiquiti. We went with them at the office and they’re up where you need a man lift or a very tall ladder to get at them, and that’s only after you kick a couple people out of their cubicles to set the ladder up over them.

We put them up there a few years ago and have never had any reason to get up there and mess with them ever again.

Rock solid except for one firmware update and all that one did was reboot them about once a week on their own due to a memory leak. Reverted them backward a version easily (unlike other companies who give no reverse firmware path) and waited for another version.

3 APs and about 100 users. All access is handled off of Active Directory, and people and devices attach to their “correct” VLAN as well. (Multiple companies in the building have their own VLANs, and the Guest WiFi is isolated on its own VLAN also.) It can mix and match authentication methods, and the Guest network has an automated way to issue expiring login credentials.
 
This is all over my head. I got Cable. Comcast/Xfinity. The cable screws in to that box over there on the floor with all the lights that blink some of the time. That's my WiFi. Am I in danger
 
Blinking lights you say? The aliens are monitoring you. Soak it in water for 24 hours then call Comcast and say it broke.
 
Netgear is telling their customers that KRACK is really a client side issue. In other words, a router is only compromised if you're using it as a bridge. Is this true?
 
dlink is saying the same thing. Post 12 in this thread suggests otherwise.
 
I'm swamped right now; traveled away from home, on my laptop with wifi and don't have time to sort this. Can anyone tell me the bottom line with this hack? Do I need to disable wifi and go plug in a patch cable if I do banking on my laptop? That's what I did yesterday. Do I need to worry somebody is seeing my password to log into PoA and is going to hijack my identity and start posting "boobs" or something? Here it's just the cable company provided "box" with wifi in it, I don't think that means it's a "bridge"; does that mean it's not an issue here?

But back at my house I have Airport Extreme which connects to the cable companies box. Does that mean it's a bridge? Excuse my ignorances.
 

Rushie - you are not bridged. If you had a router communicating to another router (extending your network’s range), that would be a bridge. But your AirPort Extreme is just the router coming off the cable modem. I would make sure you have the latest firmware installed, however.
 