Critical WiFi Vulnerability Found - KRACK

Details are scarce at the moment as more details will be published soon. But I would recommend everybody to stop using WiFi completely by disabling it at home, and not connecting to anything in public either. It seems to be a protocol level exploit, so it's not yet sure whether this can easily be patched. Stay safe, all!

"This is a core protocol-level flaw in WPA2 wi-fi and it looks bad. Possible impact: wi-fi decrypt, connection hijacking, content injection."

2 Likes

More details about the attack can be found here:
https://www.krackattacks.com/

Apparently it's patchable and Mikrotik have already patched their OS two weeks ago as they were informed before this was made public. (See https://forum.mikrotik.com/viewtopic.php?f=21&t=126695)

1 Like

Thanks a lot for the info!!!

I hope John-117 and Cortana will find a solution :grinning::grinning::grinning:

1 Like

As far as I understand, it has been fixed in LEDE with this commit (by backporting the fixes from upstream hostapd):

See also: http://lists.infradead.org/pipermail/lede-dev/2017-October/009348.html

Ps. and it sounds like a 17.01.4 release may be forthcoming,

3 Likes

Thanks @hnyman, great news and speed resolving big problems!!!

I was just coming here to report this to the forum. To see that it has already been solved speaks volumes about the power of an active open-source community.

-Shaun

That is very good news! Will patching the router firmware be sufficient to mitigate this attack, or will the clients also need to be updated? And thank you very much to the developers for all their hard work! Amazing to see a fix already pushed :slight_smile:

1 Like

wpa_supplicant seems to be affected on the client side and also has patches ready: http://lists.infradead.org/pipermail/hostap/2017-October/037989.html

1 Like

Hi! Total noob question: how do I install these patches? I currently run LEDE Reboot 17.01.0-rc2 r3131-42f3c1f / LuCI e306ee6c93c1ef600012f47e40dd75020d4ab555 branch (git-17.033.24085-e306ee6)

Thanks a lot for any help!

You wait for the 17.01.4 release and flash that.

(In any case, strange that you are still using the release candidate 17.01.0-rc2 instead of the actual releases 17.01.0, 17.01.1 17.01.2 or 17.01.3 ...)

PPPoE didn't work with the "actual" release when I switched to LEDE. rc2 was fine so I just stayed with that...

For Fedora I assume these fixes will be incorporated through regular updates or "dnf update"?
What about our 2 android phones?
And what about my Windows laptop?

Can this exploit still be triggered if the AP is patched, but the clients are not? And is there any way to check whether my devices are vulnerable or not?

You're missing important security patches in that case. If things break from one release to another, please report it to LEDE bugtracker so a fix can be pushed :slight_smile: https://bugs.lede-project.org/

Running outdated versions is never a good solution :wink:

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients.
For ordinary home users, your priority should be updating clients such as laptops and smartphones.

https://www.krackattacks.com/#faq

1 Like

@AmbientSummer Interesting. But then why does the AP require these updates? Does this also effectively solve the issue? Or will the clients also need an update?

"you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes)" and something something "fast roaming".

Seems pretty clear that all clients need to upgrade. Some AP boxes just happen to also be configured as clients of an upstream AP.

EDIT: looks like the fast roaming attack is a second avenue, with patches available for hostapd. I don't know if fast roaming is enabled "by default". Source: https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

The official FAQ seems to recommend concentrating on the clients and not worrying too much about the AP. Which is good for the millions of unpatchable APs out there! I think you're right to want a bit more clarification though.

Good news for the AP side, but bad for the millions of unpatchable clients out there (think IoT and lot of mobile phones)...

1 Like

is there also going to be an update for CC as well?

David Lang

Good stuff guys! Way to be ahead of the game...

I suppose Windows will be updated via "Windows Update" patches.

In my opinion the problem will be for TV/Phones.
Many brands don't update their firmware because they prefer to sell you a new TV/Phone/etc... with a patched version of wifi, instead of updating the old devices.

Sadly is another way to take people's money.