Reply
Posts: 104
Registered: ‎07-23-2006

Re: Patch for KRACK vulnerability WPA2?

 

Linksys updated their Security Advisory - https://www.linksys.com/us/support-article?articleNum=246427

 

 

At least my router and some other routers are not affected when configured as router but may be vulnerable when configured as a repeater or wireless bridge.

 

"Until a firmware is available, we recommend customers use WPA2-Personal or Enterprise with AES as the wireless encryption type and stop using WPA2/WPA Mixed Mode with TKIP or AES* to reduce the impact of this vulnerability.  Although WPA2-Personal or Enterprise does not prevent the attack, it makes the attack more difficult to execute effectively."

Posts: 1
Registered: ‎10-23-2017

Re: Patch for KRACK vulnerability WPA2?

Has there been any update to this?

Posts: 5
Registered: ‎10-23-2017

Re: Patch for KRACK vulnerability WPA2?


krobi64 wrote:

Has there been any update to this?


Apparently not, and that is rather disappointing - or should I say troubling?

 

Now Linksys/Cisco isn't alone in this. It seems to me that all of these companies, selling proprietary WiFi equipment, see this as more of an opportunity to sell newer versions of their now compromized equipment, than the need to plug a huge security hole that was just blown into every part owned by their existing customer base. Again it seems like marketing and the bean counters are making all the decisions and engieering is held to meet the existing deadlines for new products instead of reacting to an actual security emergency.

 

In an effort to fix this now (instead of waiting forever) I today replaced all Wireless access points here at my home with Raspberry Pi3 version B devices, running Raspbian 9 (Stretch). Together with hostapd they make decent access points. Security patches for Linux devices are usually out within days of a CVE publication, if not same day. So my network is secure again.

Sorry, but I probably won't buy much WiFi equipment from Linksys in the near future.

Posts: 11
Registered: ‎01-21-2007

Re: Patch for KRACK vulnerability WPA2?

[ Edited ]

Looking at the technical details of the flaw:

1. It mostly only affects client devices (PCs, MACs, smart phones, etc.). Microsoft has already patched Windows

2. Yes it can affect routers that are used as repeaters, wi-fi bridges or in any other way where the router itself tries to negotiate via WPA2

3. You are pretty safe at home or anywhere where an attacker can't access your router/access point

 

It is going to be along time before everything is fixed (all smart phones (Android, IOS, etc.), all IOT devices (thermostats, alarms, doorbells, etc.), smart TVs, etc.) Anything that uses Wi-Fi. But if they are used in your home, you are mostly OK.

 

Where you are least safe is when you are out at a public Wi-Fi access point, because an attacker at the same place could cause the key replay attack.

 

If you are using sites that use https, you are safe. If you use a VPN, you are safe.

Posts: 5
Registered: ‎10-23-2017

Re: Patch for KRACK vulnerability WPA2?


charley000 wrote:

Looking at the technical details of the flaw:

1. It mostly only affects client devices (PCs, MACs, smart phones, etc.). Microsoft has already patched Windows

2. Yes it can affect routers that are used as repeaters, wi-fi bridges or in any other way where the router itself tries to negotiate via WPA2

3. You are pretty safe at home or anywhere where an attacker can't access your router/access point

 

It is going to be along time before everything is fixed (all smart phones (Android, IOS, etc.), all IOT devices (thermostats, alarms, doorbells, etc.), smart TVs, etc.) Anything that uses Wi-Fi. But if they are used in your home, you are mostly OK.

 

Where you are least safe is when you are out at a public Wi-Fi access point, because an attacker at the same place could cause the key replay attack.

 

If you are using sites that use https, you are safe. If you use a VPN, you are safe.


As far as I understand the technical detais, it also affects the whole network segment wherever a vulnerable client connects to a vulnerable access point. In that case the attacker can become a "man-in-the-middle" between the access point and the client and then fake any kind of traffic from the client to the local network. This would include accessing unencrypted network shares, printers, scanners ... you name it. The access point will happily bridge the traffic from the "man-in-the-middle" device to the server/printer/scanner. 

This is why it is so important to fix the access points NOW.

Posts: 11
Registered: ‎01-21-2007

Re: Patch for KRACK vulnerability WPA2?

MostlyHarmless,

 

You are correct. But only for vulnerable access points. And most home routers aren't vulnerable. In fact, most routers aren't vulnerable.

 

But it needs to get fixed soon. So I hope Linksys (and Apple, Samsung, etc.) get on it soon.

Posts: 30
Registered: ‎07-10-2017

Re: Patch for KRACK vulnerability WPA2?

This is not Cisco/Linksys...it is Belkin....and it is more apparent to me everyday
Posts: 11
Registered: ‎01-21-2007

Re: Patch for KRACK vulnerability WPA2?

rgtwng

 

I think you are being a little bit unfair. No this is not Cisco. This is Belkin. They don't have the resources of Cisco nor the level of experience with routers, Wi-Fi, security, etc. But they still make good low cost home/small business Wi-Fi routers.

 

I remember the first Cisco Wi-Fi routers and they cost in the $1000s of dollars! (I worked at Cisco at that time.)

 

I doubt that Belkin has the level of experience to deal with a crisis of this magnitude very quickly. But I am willing to give them the benefit of the doubt, especially since it won't affect my home router. As I said earlier, I am more concerned about when I will get updates for my Android phones and tablets.

 

I don't know which client devices Belkin makes, and those will need the software upgrades more urgently. I suspect they are focusing on that.

 

But I still hope they will get updates out soon for their routers.

 

If you are worried, you can install DDWRT. But unless you are using your Belkin/Linksys Wi-Fi router or access point in a public or small business environment, I would just wait for the updates.

Posts: 5
Registered: ‎10-23-2017

Re: Patch for KRACK vulnerability WPA2?

charley000,

I've got several EA3500 devices. They are vulnerable as charged. Got any link to fixed firmware?

If not, stop telling people "you are fine". Because they are not!

 

Posts: 11
Registered: ‎01-21-2007

Re: Patch for KRACK vulnerability WPA2?

MostlyHarmless,

 

After this message I will stop commenting. But this exploit is difficult for an attacker to use in practice. If you want a complete understanding of it, read the paper by Marty Vanhoef at https://www.krackattacks.com/ or various commentaries on it.

 

At home you are mostly safe.

 

From Krebs on Security: "First off, this is not an attack that can be pulled off remotely: An attacker would have to be within range of the wireless signal between your device and a nearby wireless access point."

 

From the paper by Vanhoef: "

Is it sufficient to patch only the access point? Or to patch only clients?

Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points. Note that only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable."

 

You can read more if you are interested.

 

And if you use only https sites or a VPN you are safe anyway.