OpenWrt Forum Archive

Topic: KRACK Attack against WPA2

The content of this topic has been archived between 30 Mar 2018 and 3 May 2018. Unfortunately there are posts – most likely complete pages – missing.

Yeah, it would be most excellent if we could just update the relevant OpenWrt packages via opkg.
Is anyone working on this? If not, is there any way to "wrap" relevant LEDE packages into "OpenWRT" envelope and install them instead?

For example, in my case (dumb APs) it is only wpad and hostapd-common that need to be updated.

The source of Chaos Calmer has been updated with prevention of KRACK.

hxxps://github.com/openwrt/openwrt/tree/chaos_calmer

Check out with git and build a hostapd package using the wiki

hxxps://wiki.openwrt.org/doc/howtobuild/single.package


Yesterday I built the hostapd package; after compilation you will get in the bin directory the wpad-mini ipk file, which is the wpad binary together with symbolic links to hostapd and wpa_supplicant.

I installed with

opkg install wpad-mini-...ipk

Change wpad-mini...ipk to the file name found in the bin directory after compilation.

I tested the router - everything is performing correctly.

I have a question about the fix in OpenWRT. Does the fix mean that, if used as an AP, the AP disconnects a "broken" client if it notices that the client uses an all-zero key (something like "0000...")? Or what does:

0004-Prevent-installation-of-an-all-zero-TK.patch

mean? So, doesn't this mean it is only necessary to have a proper / patched AP, instead of needing all clients to be patched too?

(Last edited by makedir on 22 Oct 2017, 11:23)

Some mitigation is to be had on the AP for 802.11r, but the client is the vulnerable attack surface which needs to be patched, including client modes of a router (bridge, repeater). More discussion.

Does the Chaos Calmer hostapd update support the "wpa_disable_eapol_key_retries" workaround option to protect vulnerable clients? If so, which configuration file should contain it?

In the newly built wpad - it appears it doesn't have the changes discussed at hxxps://w1.fi/cgit/hostap/commit/?id=6f234c1e2ee1ede29f2412b7012b3345ed8e52d3 - but that is based on running 'strings(1)' against the binary and looking for the text for the os_strcmp(...) calls...
Question for @wigyori -- do you have plans to include that sort of functionality?  I'd love to have the AP protect the client as I intuit that there will be unpatched clients "forever" ... (for instance, my personal phone which will never get an update).
The possible impact to usability in cases where the client really missed the message seems small compared to the risks.
My viewpoint is from a small business perspective where I provide 'free wifi' to customers

Grund_Grunf wrote:

I have a couple of OpenWRT routers as well, hopefully there is a way to "reuse" LEDE packages or we will all be forced to go to LEDE ...

I just bit the bullet and 'upgraded to lede'.
Then I restored my config backup from openwrt.

Almost worked, but dnsmasq wouldn't run until I created a dnsmasq user and group.

I don't understand, or really want to understand the fork, but to me as an end user LEDE looks just like the Chaos Calmer I had been using.

tom_wlan_2016 wrote:

My viewpoint is from a small business perspective where I provide 'free wifi' to customers

As a home user, I also prefer to protect non-updatable wireless devices (my family have at least three of them) at a cost of possible "interoperability issues and reduced robustness of key negotiation especially in environments with heavy traffic load". So, I plead to implement the "wpa_disable_eapol_key_retries" option into the Chaos Calmer version of OpenWRT.
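The three posts above ask the same two things: how to tell whether a rebuilt wpad binary actually carries the EAPOL-Key retransmit workaround (the strings(1) check described earlier), and where the option goes once it is there. The following POSIX shell snippet is an added example, not code from this thread or from the OpenWrt/LEDE projects. It assumes the UCI option name wpa_disable_eapol_key_retries as exposed in LEDE 17.01.4 and later builds under a wifi-iface section of /etc/config/wireless; the section name default_radio0 is an assumed placeholder, and the two sample files it creates are constructed stand-ins for a real wpad binary.

```shell
#!/bin/sh
# Check whether a wpad/hostapd binary was built with the
# wpa_disable_eapol_key_retries workaround by searching it for the
# literal option name that hostapd's config parser compares against.
# grep -a is used instead of strings(1) so the check also works on a
# stock BusyBox OpenWrt box without binutils.

OPTION="wpa_disable_eapol_key_retries"

# Returns 0 when the binary contains the option name, 1 when it does
# not, and 2 when the file cannot be read at all.
has_eapol_retry_option() {
    bin="$1"
    [ -r "$bin" ] || return 2
    grep -aq "$OPTION" "$bin"
}

# Builds the UCI command that enables the workaround for one
# wifi-iface section (e.g. default_radio0, an assumed section name)
# and reloads wifi. Only run it once the binary check above passes:
# an unknown option is silently ignored by an older hostapd.sh.
uci_workaround_cmd() {
    printf "uci set wireless.%s.%s='1' && uci commit wireless && wifi\n" "$1" "$OPTION"
}

# Demo with two constructed files standing in for an old and a
# rebuilt wpad binary (both are temporary and removed afterwards).
demo() {
    old=$(mktemp); new=$(mktemp)
    printf 'hostapd v2.6\nwpa_pairwise\n' > "$old"
    printf 'hostapd v2.6\nwpa_pairwise\n%s\n' "$OPTION" > "$new"
    for f in "$old" "$new"; do
        if has_eapol_retry_option "$f"; then
            echo "$f: option present, enable with: $(uci_workaround_cmd default_radio0)"
        else
            echo "$f: option missing, rebuild wpad from a tree that has the hostap commit"
        fi
    done
    rm -f "$old" "$new"
}

demo
```

On a router, point has_eapol_retry_option at /usr/sbin/wpad (or wherever opkg placed the binary). For a hand-written hostapd.conf rather than UCI, the equivalent line is wpa_disable_eapol_key_retries=1. The interoperability caveat quoted in the post above still applies: clients that genuinely miss message 3 of the handshake will have to reassociate instead of getting a retransmit.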

Does anyone think an opkg fix will be out for krack for chaos calmer?
I just got openwrt working (after a month) this year. I didn't know it was already abandoned.

(Last edited by shockedquartz on 25 Oct 2017, 23:32)

Still not clear on where to get these packages from?
Can someone please supply a link?
Compiling is not an option.

After monitoring this thread for updates and coming to the realisation that openwrt is now useless, also LEDE is useless as my dozen or so Tp-Link WR703n devices are 4/32 which is plastered all over the LEDE site as being not acceptable. Very windowish alarming!!!!

I have come to the conclusion that DD-WRT is the way to go and will update all my devices to a project which is not in limbo, supports its users and does not present with the 4/32 limitation of LEDE

I would put a link here, but that is not permitted due to spam. One would think a community would be able to organise a different method of preventing spam, but instead use a sledgehammer approach.

dd-wrt.com select, right click open in new tab if using firefox

an unsatisfied user

I'm not sure who did the fixes, but I find that the router I upgraded fully today has the EAPOL no-retransmit option in the "wireless" -> "security" options - well done - whoever did that (I'm on bleeding edge) - the build I note this on is 50130. I however was able to also upgrade luci on an older unit with 49933 and get the same option available there.

@shockedquartz - not sure what you mean by abandoned - check whether "trunk" can be used on your router, and update to that - there's unfortunate confusion about the discussion between two slightly different versions of openwrt, but the simple approach is to try not to be affected by that and stick with the basics...

OpenWRT has an, in my opinion, excellent rate of bug fixes - including the last SAMBA issue, the DNSMASQ issues, and now this KRACK issue.  The "secret" is to not think you have to be wedded to the older stable releases.  I have a couple of really old WRT54Gs with BB that are in a plastic bag waiting until I have time to either recycle them or update them. They surely don't belong in use, as several have noted - BB isn't getting updates and hasn't for a long time.

This shouldn't be a surprise, and it's way better than major software vendors near redmond or major hardware / driver vendors near hillsboro - they obsolete s/w and h/w about the day after you first get it :-)

(Last edited by tom_wlan_2016 on 25 Oct 2017, 04:01)

Dear friends,

sorry to bother you with my amateurish question. I am using

OpenWrt Chaos Calmer 15.05.1 / LuCI 15.05-149-g0d8bbd2 Release (git-15.363.78009-956be55)

with my TP-Link TL-MR3420 v1 for some months now and was very happy to get it installed, because I must admit that normally I am using only Windows-Software... Therefore I have a humble question: What should I do now to update the firmware to be up-to-date regarding the KRACK-attack? Is there some easy way for a noob like me to update?

Many thanks in advance for useful answers!

Yours
Indy-Fan

Indy-Fan wrote:

Is there some easy way for a noob like me to update?

No, at least it seems not possible at this time with OpenWrt Chaos Calmer.

Because your Tp-Link is 4/32 you can try DD-WRT

select the address below, right click and then open in tab, search for TL-MR3420

dd-wrt.com/site/support/router-database

Yours is supported!

You might want to search their forums to see what others have done, again
select the address below, right click and then open in tab, search for TL-MR3420

dd-wrt.com/phpBB2/


Good luck!

Thank you very much for your quick answer. Maybe I will wait for some time and hope that an easy solution appears on the horizon...

daxigua wrote:

After monitoring this thread for updates and coming to the realisation that openwrt is now useless, also LEDE is useless as my dozen or so Tp-Link WR703n devices are 4/32 which is plastered all over the LEDE site as being not acceptable. Very windowish alarming!!!!

I have come to the conclusion that DD-WRT is the way to go and will update all my devices to a project which is not in limbo, supports its users and does not present with the 4/32 limitation of LEDE

I would put a link here, but that is not permitted due to spam. One would think a community would be able to organise a different method of preventing spam, but instead use a sledgehammer approach.

dd-wrt.com select, right click open in new tab if using firefox

an unsatisfied user


Yes, 4/32 are highly discouraged as there is no room to add much if anything to these images.  But at least you can.  DD-WRT does not offer a package manager.

DD-WRT is not as rosy as you point out.  The router database on the home page is not maintained so the versions you see may (are) not the KRACK patched product.  The latest versions are in folders that are not clearly visible.  I had to actually make a post to get a link to the KRACK patched product which is here:  https://www.dd-wrt.com/phpBB2/viewtopic.php?t=311799  There may be versions after this too.

OpenWrt does not seem to be doing anything to help the user of "Release" product which is unfortunate.  If you use trunk and can build, both your issues are resolved, but not mine.

LEDE has made packages available for the older versions of 17.01, but on 4/32 devices there may not be enough room to install, and 17.01.04 compiled versions may be available.

LEDE has a build for the 703 and you can find it on the bottom of the device page.
https://lede-project.org/toh/hwdata/tp- … -wr703n_v1

There are different versions of the MR3420 and they are available by drilling down from here.
https://lede-project.org/toh/start?data … %5D=mr3420
I do not see a version for this in the DD-WRT router database, but there is a V1 solution at the DD-WRT link above.

I do not think you did sufficient research on any of these products.

Regarding links, after you reach a level of trust, I think about 10 posts, you will be allowed to post links.

I have patched the router with the latest compilation from Chaos Calmer tree, but after a test with hxxps://github.com/vanhoefm/krackattacks-test-ap-ft - this shows still some key re-use.

Does the standard package compilation cover the patches in the patch directory?

RangerZ wrote:

Yes, 4/32 are highly discouraged as there is no room to add much if anything to these images.  But at least you can.  DD-WRT does not offer a package manager.

DD-WRT is not as rosy as you point out.  The router database on the home page is not maintained so the versions you see may (are) not the KRACK patched product.  The latest versions are in folders that are not clearly visible.  I had to actually make a post to get a link to the KRACK patched product which is here: MANUALLY REMOVED QUOTED URL!  There may be versions after this too.

OpenWrt does not seem to be doing anything to help the user of "Release" product which is unfortunate.  If you use trunk and can build, both your issues are resolved, but not mine.

LEDE has made packages available for the older versions of 17.01, but on 4/32 devices there may not be enough room to install, and 17.01.04 compiled versions may be available.

LEDE has a build for the 703 and you can find it on the bottom of the device page.
MANUALLY REMOVED QUOTED URL!

There are different versions of the MR3420 and they are available by drilling down from here.
MANUALLY REMOVED QUOTED URL!
I do not see a version for this in the DD-WRT router database, but there is a V1 solution at the DD-WRT link above.

I do not think you did sufficient research on any of these products.

Regarding links, after you reach a level of trust, I think about 10 posts, you will be allowed to post links.

Thank you for your constructive and informational post, RangerZ.

I see that what I referred to as 'windowish alarming' 4/32 warnings have been toned down on the LEDE website. A positive improvement.

I hope more work can be done to better communicate because it seems LEDE with a 4/32 device is simply not possible when in fact it might not be the case.

I concur, more research is needed and I will test LEDE on one of my Tp-Link WR703n and contribute feedback by posting.

The effect this is having means that a user with a 4/32 device on OpenWrt Chaos Calmer is unable to update by any straightforward method and is presented with unnecessarily dire warnings when researching LEDE.
This makes it seem the user has no other choice than to seek an alternative such as DD-WRT.

For the noobs and everyone else; ____OpenWrt, PLEASE SIMPLY UPDATE_____ the Binary Releases so that all users including noobs can update using their defined Distribution feeds without any difficulty, after all that is what was designed in the first place!

The 10 post rule makes it harder for users to communicate and I repeat a sledgehammer approach. There must be better alternates....

daxigua wrote:

For the noobs and everyone else; ____OpenWrt, PLEASE SIMPLY UPDATE_____ the Binary Releases so that all users including noobs can update using their defined Distribution feeds without any difficulty, after all that is what was designed in the first place!.

Yes please. We're kind of out on a limb here.

LEDE and DD-WRT already have "wpa_disable_eapol_key_retries" option implemented. Looks like OpenWRT may lose some loyal customers in the near future.

UPD: I compiled LEDE for my TL-WR941ND v3.1 today. It seems to work normally despite the 4/32 warning. Hope it will pass long-term stability testing.

Hi, I am running Chaos Calmer 15.05.1 (r49261) on a TP-Link Archer C7 v2. It's working so well, it's a little miracle, and I spent quite a lot of time configuring the fine details (I have a somewhat complex home network).

So, now I would like to patch it against KRACK with the least effort possible, and possibly without switching to LEDE which, as I understand, will be rebranded "OpenWRT" soon anyway. Is there a patched OpenWRT build out there already? Thanks!

daxigua wrote:

For the noobs and everyone else; ____OpenWrt, PLEASE SIMPLY UPDATE_____ the Binary Releases so that all users including noobs can update using their defined Distribution feeds without any difficulty, after all that is what was designed in the first place!

I also quote this, it was already confusing enough to have LEDE vs OpenWRT, it would be awesome to have the update procedure just work smoothly.

(Last edited by gaglia83 on 28 Oct 2017, 23:44)

@gaglia83, I think you can use your configuration with LEDE successfully. If you change any config files outside /etc/config, back up the files manually.

Would it be OK if I update to a latest snapshot version of OpenWRT, like hxxps://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/openwrt-ar71xx-generic-archer-c7-v2-squashfs-factory.bin ? (currently it says it's updated to Oct 26th) What is the difference between "squashfs" and "squashfs-sysupgrade", i.e. hxxps://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/openwrt-ar71xx-generic-archer-c7-v2-squashfs-sysupgrade.bin ?

EDIT: wow, what's this c**p with forbidding links in forum posts?

gaglia83 wrote:

Would it be OK if I update to a latest snapshot version of OpenWRT, like hxxps://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/openwrt-ar71xx-generic-archer-c7-v2-squashfs-factory.bin ? (currently it says it's updated to Oct 26th) What is the difference between "squashfs" and "squashfs-sysupgrade", i.e. hxxps://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/openwrt-ar71xx-generic-archer-c7-v2-squashfs-sysupgrade.bin ?

* squashfs-factory is for updating from OEM firmware,
* squashfs-sysupgrade is for updating a system already running Openwrt/LEDE.

It is recommended to update from CC15.05 to LEDE without keeping saved settings. There have been changes to LED, VLAN etc. definitions in between, so especially /etc/config/system and /etc/config/network can be problematic. Better to sysupgrade to default settings and manually edit/import most other config files. It is possible that the current settings work OK, but that does not hold true for all router models.

(Latest buildbot snapshot of Openwrt is mainly the April 2016 code plus some security fix backports. CC15.05 is mainly the May 2015 code plus some security backports.)

hnyman wrote:

* squashfs-factory is for updating from OEM firmware,
* squashfs-sysupgrade is for updating a system already running Openwrt/LEDE.

OK, thanks for the clarification!

As I said, though, I feel a bit uncomfortable upgrading to LEDE instead of a latest build of OpenWRT. What would be the advantage? As far as I understand, the LEDE brand is anyway going to die, and the codebase merged back into OpenWRT. Did I understand wrong? Not trolling, honest question, just asking.

(Last edited by gaglia83 on 30 Oct 2017, 16:12)