Critical WiFi Vulnerability Found - KRACK

"Fast roaming" is not enabled by default in LEDE. It involves two or more AP's on the same network telling each other the client's key over the "backhaul" network. This allows a client to physically move to a new AP (e.g. walking down a hallway) and communicate data immediately by re-using its old key.

Since hostapd / wpad is a user-space program, likely one could put the new binary on an old version of the OS and still have it work. But if you're in an environment where over the air hacking is a concern, you should run the latest versions of everything.

So if we are on latest .... need a full flash? Or just upgrade hostapd package?

The fix is available now. Update wpad (or wpad-mini) and hostapd-common to the latest version.

wpad - 2016-12-19-ad02e79d-5
hostapd-common - 2016-12-19-ad02e79d-5

1 Like

I have just updated my packages lists, but can still only see:

wpad - 2016-12-19-ad02e79d-4 and hostapd-common - 2016-12-19-ad02e79d-4

Am I doing something wrong?

Model - Linksys WRT1900AC
Firmware Version - LEDE Reboot 17.01.3 r3533-d0bf257c46 / LuCI lede-17.01 branch (git-17.232.21093-079f65a)

I'm having the same issue where the updated versions don't show up on my TP-Link TL-WDR4300 v1 on 17.0.3.

Different targets update at different times, just be patient. Updated packages will appear within the next hours.

2 Likes

Check this Reddit post:

The AP can be used to forward injected packets to any other device on the network.

So updating AP is not only about "roaming" it seems.

hmm, from another discussion on the topic, I was pointed at
https://marc.info/?l=linux-wireless&m=150814547710569&w=2 which seems to
indicate a need for a slight change in the kernel mac80211 code.

David Lang

Please let us know which packages need to be upgraded.

Pls. use the front page and make a formal statement about the security threat and how people can mitigate the problem until a new release is out. If done right, it could draw more users to the platform instead of scare them away.

1 Like

I don't think there is something to be scared of.

Scary is the thought that millions or routers around the globe that are linux based will be unpatched indefinitely, at least until (and if) the X OEM decides to provide updated/patched firmwares.

We are "the lucky ones", in some way. :slight_smile:

Even with a fully patched LEDE, clients (e.g. smartphones) that are un-patched will still be vulnerable, correct?

https://downloads.lede-project.org/releases/17.01.3/packages/arm_cortex-a9_vfpv3/

hostapd, wpad and wpa-supplicant packages for arm_cortex-a9_vfpv3 (WRT AC/ACS/ACM) have been updated...

from:

hostapd_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
hostapd-common_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
hostapd-mini_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
hostapd-utils_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk

to:

hostapd_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
hostapd-common_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
hostapd-mini_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
hostapd-utils_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk

from:

wpad_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpad-mesh_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpad-mini_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk

to:

wpad_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpad-mesh_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpad-mini_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk

from:

wpa-supplicant_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-mesh_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-mini_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-p2p_2016-12-19-ad02e79d-4_arm_cortex-a9_vfpv3.ipk

to:

wpa-supplicant_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-mesh_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-mini_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk
wpa-supplicant-p2p_2016-12-19-ad02e79d-5_arm_cortex-a9_vfpv3.ipk

Not upgrading yet, waiting for further info (tomorrow I guess).

Updated wpad-mini and hostapd-common, the only two that were installed on my TP-Link TL-WDR4300 v1, rebooted, and nothing's exploded so far. :slight_smile:

Have also updated wpad and hostapd and everything OK so far.

But there is also a kernel patch as part of the fix:

https://git.lede-project.org/?p=source.git;a=commitdiff;h=2f701194c29da50bfda968a83c6609843f74a7f4

Does anyone know when the 17.01.4 release is planned for?

More background info

I suppose Windows will be updated via “Windows Update” patches.

MS pushed patches for all supported versions (Win 7/Server 2008 and higher) as part of last weeks patch Tuesday update. If you've already installed the patches you should be safe from this vulnerability.

As a dumb Windows user, I am trying to understand the practical aspect of what all this means, with no geek speak or drama.

How does the perpetrator gain access to a network? Specifically does the flaw enable them access to any wireless network secured by WPA2 or do they need to be already granted access to the network to perpetrate this attack? This is basically the difference between a home network and a public hotspot.

Is this network access or just data collection from an unpatched device?

If one patches all the wireless clients does this address the issues from practical perspective?

As this is a wireless issue, do the patches\fixes for this impact non-wireless devices like my PC-Engines ALIX?

Why or how does this impact IoT devices on a home network? I don't really know how these devices work under the covers, but (based up on the match.com video) if one has already configured creds to say Netflix on a smart TV are these sent each time I request a video and thus available to the hacker? What about other devices like smart locks?

I realize this is a problem which should get patched, but it sounds like it may not be possible to patch some devices at all. All the technical stuff is good for those with the skills to freshen things up with patches, it's another thing to do a sysupgrade to a highly configured device.

I realize some of you consider this black and white, but I see shades of gray, and trying to determine how light or dark they are.

How does the perpetrator gain access to a network?

He does not. The flaw is client side, it tricks a client into connecting to a rogue network transparently.

Specifically does the flaw enable them access to any wireless network secured by WPA2 or do they need to be already granted access to the network to perpetrate this attack?

This flaw doesn't cover those "use case".

Is this network access or just data collection from an unpatched device?

If the attacker perpetrate the attack successfully he has:

  • His own network that's a spoofed version of your network and that he is the master of
  • Your clients (smartphone, computer) connected to it thinking they are connected to your own original network

From then he can do a lot of things to your client.

If one patches all the wireless clients does this address the issues from practical perspective?

Yes, that's exactly what you need to do.

As this is a wireless issue, do the patches\fixes for this impact non-wireless devices like my PC-Engines ALIX?

This is purely a Wireless issue, if your client does not use wireless there's nothing to worry about.

Why or how does this impact IoT devices on a home network?

Oh boy! Welcome to 2017 when you need to patch your lightbulbs because they're also affected!

I don’t really know how these devices work under the covers, but (based up on the match.com video) if one has already configured creds to say Netflix on a smart TV are these sent each time I request a video and thus available to the hacker?

It depends on the device really, you have to hope they are using secure encrypted connections to the different servers used with proper HSTS and be resistant to SSL striping attacks.

What about other devices like smart locks?

Every. Single. Wi-Fi. Device. Is. Affected. And needs to be patched.

I realize this is a problem which should get patched, but it sounds like it may not be possible to patch some devices at all.

Welcome to the Internet of Shit!

1 Like

Every. Single. Wireless. Device. Is. Affected. And needs to be patched.

afaik only wifi devices (Bluetooth for instance isn't affected)