Re: KRACK Attack against WPA2

17.01.4 was put out to solve the issue. 
Read this post if you have not already: https://forum.lede-project.org/t/critic … rack/7450.

PC-Engines ALIX 2D13 CC 15.05 RC2 (Router - OpenVPN Server)
HooToo TM02 CC 15.05 (AP w guest)
GLi-AR150 CC15.05/GLi 2.13 (Travel Router - OpenVPN Client)
Kingston MLWG2 CC15.05 (Travel Router - OpenVPN Client, mini-DLNA)

Re: KRACK Attack against WPA2

snocrash wrote:

Can someone answer this please:  Do the current snapshots contain the KRACK patches?

downloads.openwrt.org  snapshots/trunk/ar71xx/generic/

What I infer from the developer's post (embedded below) is that the snapshots are updated - build date 3 November

But I just want this confirmed before I go to the hassle of re-flashing?

This also means that all people have to do is download the latest snapshot image - flash it - and you're done.. all updated. There's very very little difference between the snapshot and 15.05.1, so no one should be worrying about the snapshot being "bleeding edge" and risky, simply because there's been so little development done since 05.1

Look forward to an informed response

wigyori wrote:

We've decided that for CC we'll do a bugfix release (CC.1a or CC.2), which will only include the upgraded dropbear, *ssl, dnsmasq, and hostapd binaries. The kernel will remain the same, as upgrading that will require going through a whole RC cycle, which we're not geared up to.

The builds are running, will be available in the next couple days for the targets supported by CC.

Regards,
-w-

The development snapshots are updated with Krack prevention.

Re: KRACK Attack against WPA2

kukulo wrote:

The development snapshots are updated with Krack prevention.

Thanks for the quick and straightforward answer. I'll download the snapshot and flash it up - see how it goes.

104 (edited by ExpertDeveloper 2017-12-20 13:44:15)

Re: KRACK Attack against WPA2

This is a problem on the client side but not on the AP side. The WPA2 implementation is faster as several changes have been made recently in response to serious weaknesses researchers have identified in the previous system; for details you can read further.

--
Developer @ Top Android App Development Company

Re: KRACK Attack against WPA2

@ExpertDeveloper

Indeed, you'd need to read a little more about the KRACK attack; here are some suggestions to start with:
https://www.krackattacks.com/
https://www.krackattacks.com/#patch-client-and-ap
https://www.krackattacks.com/#ap-mitigations

I'm still waiting for a confirmation from the openwrt core developers on whether the current trunk is patched or if a new patched openwrt version will be released - as mentioned in some posts above. Until then I consider openwrt WPA2 affected/broken. Period.

106 (edited by pparent 2018-03-12 15:41:10)

Re: KRACK Attack against WPA2

So is there now a way to patch routers running openwrt 15.05 so that they are no longer vulnerable to Krack attacks? I don't find a clear answer to this question.

If not what packages would need to be upgraded in order to do it? Would it be for some reason very hard to cross-compile them?

I have the feeling from the dd-wrt fix that having a corrected version of hostapd would be enough (I'm using hostapd), is that correct?

http://svn.dd-wrt.com/ticket/6005
http://svn.dd-wrt.com/changeset/33525

Thanks in advance!

107

Re: KRACK Attack against WPA2

The fix is called 17.01.4, and no, just patching hostapd isn't sufficient.

108 (edited by pparent 2018-03-28 16:24:02)

Re: KRACK Attack against WPA2

Problem is that this so-called "fix" creates other important problems that for now make it unusable for me.

https://forum.lede-project.org/t/ram-us … 05/12989/2
https://forum.lede-project.org/t/high-c … qd/12992/8
https://forum.lede-project.org/t/sqm-bb … rformance/

Is there really no other solution?
What else than hostapd needs to be patched?

This topic sure seems to say that patching hostapd is enough:
http://www.linuxtopic.com/2017/10/krack-attack.html

Re: KRACK Attack against WPA2

Well actually it seems on archive hostapd was patched, we can just compile it from there:

https://github.com/openwrt/archive/comm … a45e495a12