Forum Thread

WPA2 crack revealed - Patch your router as soon as new code is available

8,619 1,372 October 16, 2017 at 07:37 AM
https://hackaday.com/2017/10/16/o...is-broken/

Quote from hackaday.com :
WPA2, the standard security for Wi-Fi networks these days, has been cracked due to a flaw in the protocol. [krackattacks.com] Implications stemming from this crack range from decrypting Wi-Fi, hijacking connections, and injecting content. It's fair to say, WPA2 is now Considered Harmful. The paper is available here (PDF) [mathyvanhoef.com].

24 Comments

Joined Aug 2005
L10: Grand Master
14,197 Posts
5,243 Reputation
#2
This is a pretty good article on this: https://arstechnica.com/informati...sdropping/

Very few manufacturers have patched anything yet. Ubiquiti has, but it has not hit their automated AP patches yet. If you have a really old router or are renting one from your ISP, now is a great time to upgrade soon to something that will be upgraded.

Here is a list of manufacturers who have issued patches so far: https://char.gd/blog/2017/wifi-ha...y-fixed-it
Vague questions receive vague answers . . . . . .
Joined Jul 2005
Ye wacky olde frogge
8,619 Posts
1,372 Reputation
Original Poster
#3
DD-WRT has a patch [dd-wrt.com], but new images have yet to be built.
Quote from Frogstar:
Fo dreezy up on the wizzle dim dang.
Quote from chevvy:
I'm gonna get little baby sneakers for my chickens so that they know what it's like to step in chicken shit.
Quote from slickdeals:
How did I end up here...
Joined Aug 2005
L9: Master
4,798 Posts
2,102 Reputation
Pro
#4
The larger issue is that it's more client devices that are affected.

Android/Linux-based devices are pwned. IoT devices probably too as a gateway into networks.
Joined Aug 2005
L10: Grand Master
14,197 Posts
5,243 Reputation
#5
Quote from Mike A.:
The larger issue is that it's more client devices that are affected.

Android/Linux-based devices are pwned. IoT devices probably too as a gateway into networks.

Ya, a lot of things that won't get updated need updating. Hopefully someone develops an app to test for this. It's not a super easy attack at this point. IoT things were a problem to start and now even more so.
Joined Aug 2009
L10: Grand Master
7,535 Posts
3,229 Reputation
#6
I updated our wifi access point this morning, but not sure if Asus has the patch in its new firmware. Anyone know?

Our cable modem is a dual modem-router (wifi), and they won't allow any firmware updates. This modem is a rental, so not sure how to get an update. Do they remotely update the firmware in situations like this, or do I need to go demand a newer router when one is available with the patch?
Last edited by Conformer101 October 16, 2017 at 11:49 AM.
Joined Feb 2008
Custom User Title.
38,970 Posts
6,569 Reputation
#7
Not all routers are patchable.
Joined Aug 2005
L10: Grand Master
14,197 Posts
5,243 Reputation
#8
Quote from Conformer101:
I updated our wifi access point this morning, but not sure if Asus has the patch in its new firmware. Anyone know?

Our cable modem is a dual modem-router (wifi), and they won't allow any firmware updates. This modem is a rental, so not sure how to get an update. Do they remotely update the firmware in situations like this, or do I need to go demand a newer router when one is available with the patch?

Almost certainly the update you applied this morning was not fixing this bug. So far it's been corporate devices that have been patched mostly. Very few consumer companies have patched many devices so far. https://char.gd/blog/2017/wifi-ha...y-fixed-it

Is your ISP's device's wireless turned on? If it's turned off and you're bridging to your own router then you probably don't need to do anything. They would be responsible for doing the update. If you can log in and monitor firmware versions I would do so but not expect a patch for a while. While this is a big deal, it's not a world-ending deal right now. You have to be in range of the router to exploit it and even then it's not easy. Having patched clients is also very important.

If history shows us anything, ISPs and device manufacturers will be slow to patch, vet and test patches. IoT devices will be the real crap shoot. I would expect almost none of your $20 light switches or even light bulbs to be updated.

My hope is we see someone come up with an app for our phones that we can use to test stuff and see if it's still vulnerable or not. Until then it most likely is.
Joined Aug 2009
L10: Grand Master
7,535 Posts
3,229 Reputation
#9
Quote from LiquidRetro:
Almost certainly the update you applied this morning was not fixing this bug. So far it's been corporate devices that have been patched mostly. Very few consumer companies have patched many devices so far. https://char.gd/blog/2017/wifi-ha...y-fixed-it

Is your ISP's device's wireless turned on? If it's turned off and you're bridging to your own router then you probably don't need to do anything. They would be responsible for doing the update. If you can log in and monitor firmware versions I would do so but not expect a patch for a while. While this is a big deal, it's not a world-ending deal right now. You have to be in range of the router to exploit it and even then it's not easy. Having patched clients is also very important.

If history shows us anything, ISPs and device manufacturers will be slow to patch, vet and test patches. IoT devices will be the real crap shoot. I would expect almost none of your $20 light switches or even light bulbs to be updated.

My hope is we see someone come up with an app for our phones that we can use to test stuff and see if it's still vulnerable or not. Until then it most likely is.

Turned on for now, but could go without for a while. But, yes, I understand it's highly unlikely that I will fall victim in the near future.

I read that Microsoft patched Win 7, 8, 10 on Oct 10th. So, that would mostly cover me, assuming there's not a lower-level wifi card driver update also required (like Intel's driver patches). Android phone is still showing a security update of a month back, so nothing pushed to my phone yet.

Will just have to keep an eye on manufacturer sites, and SD! It's kind of a catch-22 for them: post a notice that you have patches, and it's like announcing you have vulnerabilities in all unpatched units.
Joined Aug 2005
L9: Master
4,798 Posts
2,102 Reputation
Pro
#10
Quote from Conformer101:
I updated our wifi access point this morning, but not sure if Asus has the patch in its new firmware. Anyone know?

Our cable modem is a dual modem-router (wifi), and they won't allow any firmware updates. This modem is a rental, so not sure how to get an update. Do they remotely update the firmware in situations like this, or do I need to go demand a newer router when one is available with the patch?

Don't think so for Asus. My router shows 3.0.0.4.380_7743 as the latest and that's from June to fix earlier problems.

Most cable companies can push things out to their routers as long as there's a path to it and you haven't otherwise blocked it.
Joined Aug 2009
L10: Grand Master
7,535 Posts
3,229 Reputation
#11
Quote from Mike A.:
Don't think so for Asus. My router shows 3.0.0.4.380_7743 as the latest and that's from June to fix earlier problems.

Most cable companies can push things out to their routers as long as there's a path to it and you haven't otherwise blocked it.

Our modem/router shows firmware version#, but I can't find an update date anywhere. And, searching the manufacturer with version# is also useless, as they don't (publicly) list any. But, given TW (now Spectrum), they've probably never updated it.
Joined Aug 2005
L9: Master
4,798 Posts
2,102 Reputation
Pro
#12
Quote from Conformer101:
Our modem/router shows firmware version#, but I can't find an update date anywhere. And, searching the manufacturer with version# is also useless, as they don't (publicly) list any. But, given TW (now Spectrum), they've probably never updated it.

Probably isn't one yet. The major players were given notice a while back but even some of them still don't have things ready yet (e.g., Cisco, Apple, Google, etc.).

As above though, while you obviously should patch whatever you can, the bigger concern with this one right now is on the client end, especially mobile devices that are out and about and could be subject to man-in-the-middle exploits. Android in particular. That probably will expand to other client devices as easy-to-use "AirKrack" type drive-by programs come out.
Joined Aug 2009
L10: Grand Master
7,535 Posts
3,229 Reputation
#13
Quote from Mike A.:
Probably isn't one yet. The major players were given notice a while back but even some of them still don't have things ready yet (e.g., Cisco, Apple, Google, etc.).

As above though, while you obviously should patch whatever you can, the bigger concern with this one right now is on the client end, especially mobile devices that are out and about and could be subject to man-in-the-middle exploits. Android in particular. That probably will expand to other client devices as easy-to-use "AirKrack" type drive-by programs come out.

I've temporarily turned my Android phone to no-wifi, cell only data. I think this is a complete overreaction for most people, but I never get anywhere near my cell data limit, and I don't need the speed of wifi. I'll wait for the security update before allowing wifi again. It's not a big deal for me.

When I said they probably never updated it (the modem/router), I mean for smaller updates (that may exist) since we rented 2+ years ago. I don't expect TWC to do anything proactive!
Joined Aug 2005
L10: Grand Master
14,197 Posts
5,243 Reputation
#14
Quote from Conformer101:
I've temporarily turned my Android phone to no-wifi, cell only data. I think this is a complete overreaction for most people, but I never get anywhere near my cell data limit, and I don't need the speed of wifi. I'll wait for the security update before allowing wifi again. It's not a big deal for me.

When I said they probably never updated it (the modem/router), I mean for smaller updates (that may exist) since we rented 2+ years ago. I don't expect TWC to do anything proactive!

Ya, it is overkill at this point. Depending on your phone and carrier, you could be waiting quite a while or until you upgrade phones. This is most likely to be exploited in a targeted attack, not a random one. Remember, attackers have to be in range of your wifi too for this to be exploited.
Joined Mar 2015
L3: Novice
436 Posts
30 Reputation
#15
Is it worth calling our ISPs?
Or the ISP will really just handle it when they can?

Maybe they would agree to send a new router that has the firmware update if you make some noise?