Critical WiFi Vulnerability Found - KRACK

Please let us know which packages need to be upgraded.

Pls. use the front page and make a formal statement about the security threat and how people can mitigate the problem until a new release is out. If done right, it could draw more users to the platform instead of scaring them away.

1 Like

I don't think there is something to be scared of.

Scary is the thought that millions of routers around the globe that are Linux-based will be unpatched indefinitely, at least until (and if) the X OEM decides to provide updated/patched firmwares.

We are "the lucky ones", in some way. :slight_smile:

Even with a fully patched LEDE, clients (e.g. smartphones) that are un-patched will still be vulnerable, correct?

https://downloads.lede-project.org/releases/17.01.3/packages/arm_cortex-a9_vfpv3/

hostapd, wpad and wpa-supplicant packages for arm_cortex-a9_vfpv3 (WRT AC/ACS/ACM) have been updated...

from:

hostapd_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
hostapd-common_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
hostapd-mini_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
hostapd-utils_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk

to:

hostapd_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
hostapd-common_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
hostapd-mini_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
hostapd-utils_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk

from:

wpad_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpad-mesh_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpad-mini_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk

to:

wpad_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpad-mesh_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpad-mini_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk

from:

wpa-supplicant_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-mesh_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-mini_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-p2p_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk

to:

wpa-supplicant_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-mesh_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-mini_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-p2p_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk

Not upgrading yet, waiting for further info (tomorrow I guess).
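
The package comparison from the post above, turned into a check (an added example, not part of the original thread): it reads text in `opkg list-installed` format and flags hostapd/wpad/wpa-supplicant packages below release 5 of the 2016-12-19-ad02e79d snapshot. The function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare installed Wi-Fi daemon packages against the
# updated release named in the thread (2016-12-19-ad02e79d-5).
# Input format is `opkg list-installed` output: "name - version".

PATCHED_BASE="2016-12-19-ad02e79d"   # upstream snapshot from the post
PATCHED_REL=5                        # package release from the post

# Constructed sample listing (not captured from a real device).
SAMPLE_INSTALLED='busybox - 1.25.1-4
hostapd-common - 2016-12-19-ad02e79d-4
wpad-mini - 2016-12-19-ad02e79d-5
wpa-supplicant-p2p - 2017-01-01-0000000-1'

# Prints one line per relevant package: "<STATUS> <name> <version>".
krack_pkg_audit() {
    awk -v base="$PATCHED_BASE" -v minrel="$PATCHED_REL" '
    # Only the hostapd / wpad / wpa-supplicant families are relevant.
    $1 ~ /^(hostapd|wpad|wpa-supplicant)(-[a-z0-9]+)?$/ && $2 == "-" {
        ver = $3
        n = match(ver, /-[0-9]+$/)        # trailing "-<release>"
        if (n == 0) { print "UNKNOWN " $1 " " ver; next }
        rel  = substr(ver, n + 1) + 0
        snap = substr(ver, 1, n - 1)
        if (snap != base)      status = "UNKNOWN"   # other snapshot: check by hand
        else if (rel < minrel) status = "OUTDATED"
        else                   status = "OK"
        print status " " $1 " " ver
    }'
}

# Number of packages still below the updated release.
krack_outdated_count() {
    krack_pkg_audit | awk '$1 == "OUTDATED" { c++ } END { print c + 0 }'
}

# Demo on the constructed sample; on a router, pipe in the real list:
#   opkg list-installed | krack_pkg_audit
printf '%s\n' "$SAMPLE_INSTALLED" | krack_pkg_audit
```

This covers only the userspace packages listed in the post; the kernel patch mentioned later in the thread is not checked by it.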

Updated wpad-mini and hostapd-common, the only two that were installed on my TP-Link TL-WDR4300 v1, rebooted, and nothing's exploded so far. :slight_smile:

Have also updated wpad and hostapd and everything OK so far.

But there is also a kernel patch as part of the fix:

https://git.lede-project.org/?p=source.git;a=commitdiff;h=2f701194c29da50bfda968a83c6609843f74a7f4

Does anyone know when the 17.01.4 release is planned for?

More background info

I suppose Windows will be updated via “Windows Update” patches.

MS pushed patches for all supported versions (Win 7/Server 2008 and higher) as part of last week's Patch Tuesday update. If you've already installed the patches you should be safe from this vulnerability.

As a dumb Windows user, I am trying to understand the practical aspect of what all this means, with no geek speak or drama.

How does the perpetrator gain access to a network? Specifically does the flaw enable them access to any wireless network secured by WPA2 or do they need to be already granted access to the network to perpetrate this attack? This is basically the difference between a home network and a public hotspot.

Is this network access or just data collection from an unpatched device?

If one patches all the wireless clients does this address the issues from practical perspective?

As this is a wireless issue, do the patches\fixes for this impact non-wireless devices like my PC-Engines ALIX?

Why or how does this impact IoT devices on a home network? I don't really know how these devices work under the covers, but (based upon the match.com video) if one has already configured creds to say Netflix on a smart TV are these sent each time I request a video and thus available to the hacker? What about other devices like smart locks?

I realize this is a problem which should get patched, but it sounds like it may not be possible to patch some devices at all. All the technical stuff is good for those with the skills to freshen things up with patches, it's another thing to do a sysupgrade to a highly configured device.

I realize some of you consider this black and white, but I see shades of gray, and am trying to determine how light or dark they are.

How does the perpetrator gain access to a network?

He does not. The flaw is client side, it tricks a client into connecting to a rogue network transparently.

Specifically does the flaw enable them access to any wireless network secured by WPA2 or do they need to be already granted access to the network to perpetrate this attack?

This flaw doesn't cover those "use cases".

Is this network access or just data collection from an unpatched device?

If the attacker perpetrates the attack successfully he has:

  • His own network that's a spoofed version of your network and that he is the master of
  • Your clients (smartphone, computer) connected to it thinking they are connected to your own original network

From then on he can do a lot of things to your client.

If one patches all the wireless clients does this address the issues from practical perspective?

Yes, that's exactly what you need to do.

As this is a wireless issue, do the patches\fixes for this impact non-wireless devices like my PC-Engines ALIX?

This is purely a Wireless issue, if your client does not use wireless there's nothing to worry about.

Why or how does this impact IoT devices on a home network?

Oh boy! Welcome to 2017 when you need to patch your lightbulbs because they're also affected!

I don’t really know how these devices work under the covers, but (based upon the match.com video) if one has already configured creds to say Netflix on a smart TV are these sent each time I request a video and thus available to the hacker?

It depends on the device really, you have to hope they are using secure encrypted connections to the different servers used with proper HSTS and are resistant to SSL stripping attacks.

What about other devices like smart locks?

Every. Single. Wi-Fi. Device. Is. Affected. And needs to be patched.

I realize this is a problem which should get patched, but it sounds like it may not be possible to patch some devices at all.

Welcome to the Internet of Shit!

1 Like

Every. Single. Wireless. Device. Is. Affected. And needs to be patched.

afaik only wifi devices (Bluetooth for instance isn't affected)

Yeah sorry I said Wireless while I was meaning Wi-Fi, my bad :confused:

Not quite, you need to patch your wireless access points as well as the clients.

How about IoT devices? My home projects make use of the ESP8266 (family) WiFi-SoC. Software running on them uses an API to the hardware; not even sure if they can be patched. User software reflash definitely not a problem.

Other hardware, like my washing machine has wifi (happened to have it), for sure not easy to update from the user side.

Only updating Lede will not help, correct? So I need to hope that a strong AES-CCMP password is enough for my neighbor not to attempt to hack/spoof my network.

You need to patch your "AP" if it is acting as a client, like a Wi-Fi repeater or a Wi-Fi router configured in bridge mode, that's why I said multiple times "client", otherwise you're good on that side.
There's a second flaw on the Fast BSS Transmission implementation but that's a "niche" feature and I'm not even sure that a single LEDE compatible router supports it.

you could still install vpn server on your washing machine and wash your laundry securely from within your couch :smiley:

1 Like

Anyone interested in how the attack works or which devices are affected and how should probably have a look at this page previously linked to by @ambientsummer:
https://www.krackattacks.com/#faq

Espressif has released fixes for the ESP8266 family. But the manufacturer must create the fix, and you have to hope they decide to do it (or that it is even possible...)

About your washing machine, a strong password won't help. Your best option is not to use the WiFi capabilities until (or if) the manufacturer decides to push an update.

OR, you can leave it exposed. It's up to you, really. It's very likely none of your neighbors are technologically capable of exploiting KRACK, but also, even if they could, they are probably not interested in messing up a Washing Machine.

1 Like

The writeups I've read indicate that the vulnerability exists in both directions, so it's not enough to just patch the clients, you also need to patch the AP side or transmissions from it can be vulnerable.