ASUS Krackattack patch?

Discussion in 'Asuswrt-Merlin' started by schwasskin, Oct 16, 2017.

  1. schwasskin

    schwasskin New Around Here

    Joined:
    Sep 17, 2017
    Messages:
    7
    Does anyone know if the latest firmware has been patched for the recent WPA2 vulns?

    Sent from my Moto G (4) using Tapatalk
     
    brettule likes this.
  2. MacG32

    MacG32 Regular Contributor

    Joined:
    Jan 19, 2017
    Messages:
    75
    Location:
    PT US
    Not yet, but here's what you can do:
    • Until further notice, treat all Wi-Fi networks like coffee shops with open, unencrypted, wireless.
    • Stick to HTTPS websites so your web browsing is encrypted even if it travels over an unencrypted connection.
    • Consider using a VPN, which means that all your network traffic (not just your web browsing) is encrypted, from your laptop or mobile device to your home or work network, even if it travels over an unencrypted connection along the way.
    • Apply KRACK patches for your clients (and access points) as soon as they are available.
    Taken from: https://nakedsecurity.sophos.com/2017/10/16/wi-fi-at-risk-from-krack-attacks-heres-what-to-do/
     
    Last edited: Oct 20, 2017
    dP21, buddyp and ScratchMonkey like this.
  3. adampk17

    adampk17 Regular Contributor

    Joined:
    Sep 17, 2013
    Messages:
    144
    I’ve got what may be a dumb question. From what I’ve read so far the fix for the Krack issue is a client side fix. The issue cannot be fixed with a patch on the AP.

    So how can your WPA2 network ever be safe again?

    Sure, responsible people will patch their clients when patches become available.

    But the guy that wants to break into networks - he doesn’t and you’re screwed, right?
     
  4. orion44

    orion44 Occasional Visitor

    Joined:
    Jan 4, 2017
    Messages:
    40
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,853
    Location:
    Canada
    So basically, you should rather be asking Motorola when they will patch your phone, as it's the one that's vulnerable.
     
    paulbates likes this.
  6. joegreat

    joegreat Very Senior Member

    Joined:
    Jan 9, 2013
    Messages:
    1,690
    Location:
    Vienna, Austria
    Pls. continue reading here: WPA2 Vulnerability Exposed
     
    skeal likes this.
  7. Grigione

    Grigione Regular Contributor

    Joined:
    Jun 4, 2017
    Messages:
    72
    Hello, I would like to know if a Merlin security firmware patch will be available to repair the WPA2 vulnerability. Also, will a new Merlin firmware based on the 382 code base be available for the ac68u in the near future?
    Thanks
     
  8. muffintastic

    muffintastic Regular Contributor

    Joined:
    Nov 3, 2015
    Messages:
    118
    Even so, still good practice to release a patch as it's still vulnerable, listed here: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

    Even DD-WRT and LEDE have patched their firmwares; shouldn't it be considered, really? Server or client, both should be patched regardless. If not, I guess I'll have to switch to DD-WRT.
     
  9. throwaway2034830

    throwaway2034830 New Around Here

    Joined:
    Oct 17, 2017
    Messages:
    1
    According to the researcher Mathy Vanhoef a patch on both the client and the AP is necessary to fix the issue.

    Source, the FAQ on the website he has published for his research: https://www.krackattacks.com/#faq under 'Do we now need WPA3?'

     
    TeaDragon and muffintastic like this.
  10. JDB

    JDB Very Senior Member

    Joined:
    Aug 28, 2016
    Messages:
    815
    Please see the numerous other threads on the matter.

    In summary, if you are using it as just a router (AP) it’s not a problem the router can fix. If you are using it as a media bridge/extender (Client) then Asus need to fix it, not @RMerlin


    Sent from my iPhone using Tapatalk
     
    paulbates and skeal like this.
  11. schwasskin

    schwasskin New Around Here

    Joined:
    Sep 17, 2017
    Messages:
    7
    Not worried about my phone. Easy enough to disable wifi altogether. But I will be patching my clients. Thanks.

    Sent from my Moto G (4) using Tapatalk
     
  12. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,853
    Location:
    Canada
    And I'm telling you that routers in router mode are NOT vulnerable. Here is the direct quote I got from upstream this morning:

    The wpa_supplicant you've seen patched in those other firmware projects is not used by Broadcom's router mode, they use a proprietary nas executable for WPA2 management.

    And also, the update for Media Bridge/Repeater mode must come from Broadcom, there's nothing I can do about it.

    Running DD-WRT without updating ALL of your clients will provide you with zero security improvement. They're the ones vulnerable, not your router.
     
    Last edited: Oct 17, 2017
  13. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,853
    Location:
    Canada
    That's not what your quoted FAQ said - it says that patches don't prevent connecting compatibility. The relevant FAQ entry is this one. Pay attention to the first sentence:

     
    cvx01 likes this.
  14. Patrick0525

    Patrick0525 Occasional Visitor

    Joined:
    Feb 10, 2017
    Messages:
    20

    I am using my RT-AC68U (Asus-Merlin firmware) as a wifi Access Point attached to a switch which gets DHCP from my pfSense router (PC based). Should I be concerned? Which part needs to be fixed? Asus-Merlin or pfSense?
     
  15. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,853
    Location:
    Canada
    Access Point is not vulnerable.
     
  16. Patrick0525

    Patrick0525 Occasional Visitor

    Joined:
    Feb 10, 2017
    Messages:
    20
    Thanks.
    My RT-AC68U AP uses WPA2 security to connect my clients. Why should I not be concerned?
    Sorry for the newbie question.
     
  17. IronSchramm

    IronSchramm Occasional Visitor

    Joined:
    Jan 29, 2017
    Messages:
    17
    Location:
    St. Louis, Missouri. USA
    So is it accurate that converting my authentication method from WPA2-Personal to WPA2-Enterprise would protect against the exploit on my home network? Or is that not correct?
     
  18. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,117
    Location:
    San Diego, CA
    hostapd has been pulling in changes - probably due to more eyes on the problem and finding other potential bugs - same goes with wifisupplicant and various drivers.

    I've been keeping an eye on the openwrt and lede...
     
  19. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,117
    Location:
    San Diego, CA
    Does not protect you - the hack is below that layer in the stack...
     
    IronSchramm likes this.
  20. joltdude

    joltdude Regular Contributor

    Joined:
    Nov 8, 2012
    Messages:
    122
    Location:
    Boston, MA US
    What *might* be vulnerable would be something like a mesh system... since it's primarily a client side issue... depends on how the mesh is implemented, I think.