Kr00k protection for ASUS routers?

Beat me to it.
If I understand correctly, Kr00k would not be a problem if 'Protected Management Frames' worked with *all* existing kit. !!!

Tried enabling PMF 'Required' and all the phones dropped off the network.
I used to have a 6 yr old phone running on wifi-n (no ac) on android 8. It doesn’t connect.
Other than that, all my other phones (galaxy s8, huawei mate 20, iphone 9), iPad mini 4, LG smart tv are working.

I assumed those old phones don’t work. Say around 6 years old and above?
 
According to https://www.cisco.com/c/en/us/suppo...configure-802-11w-management-frame-prote.html


Benefits of 802.11w Management Frame Protection
  • Client Protection
This is achieved by addition of cryptographic protection to Deauthentication and Disassociation frames. This prevents an unauthorized user from launching a Denial of Service (DoS) attack by spoofing the MAC address of legitimate users and sending deauth/disassociation frames.

  • AP Protection
Infrastructure side protection is added by addition of a Security Association (SA) teardown protection mechanism which consists of an Association Comeback Time and an SA-Query procedure. Prior to 802.11w, if an AP received either an Association or Authentication request from an already associated client, the AP terminates the existing connection and then starts a new connection. When you use 802.11w MFP, if the STA is associated and has negotiated Management Frame Protection, the AP rejects the Association Request with return status code 30 "Association request rejected temporarily; Try again later" to the client.

Included in the Association Response is an Association Comeback Time information element which specifies a comeback time when the AP would be ready to accept an association with this STA. This way you can ensure that legitimate clients are not disassociated due to a spoofed association request.
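
The AP-side behaviour described in the Cisco text above, as an added example (a toy model, not code from Cisco, ASUS or any post in this thread). The class and method names, the 1000 ms comeback time and the 2-byte transaction id are assumptions made for the sketch.

```python
"""Toy model of 802.11w SA teardown protection on the AP side (added example)."""
import os
from dataclasses import dataclass
from typing import Optional

STATUS_SUCCESS = 0
STATUS_TRY_AGAIN_LATER = 30   # "Association request rejected temporarily; try again later"
COMEBACK_MS = 1000            # assumed Association Comeback Time for this sketch


@dataclass
class Station:
    mfp: bool                             # Management Frame Protection negotiated
    pending_txid: Optional[bytes] = None  # outstanding SA Query transaction id
    deadline_ms: int = 0                  # when the outstanding SA Query expires


class AccessPoint:
    def __init__(self):
        self.assoc = {}   # MAC -> Station
        self.sent = []    # SA Query requests "transmitted": (mac, txid)

    def on_assoc_request(self, mac, mfp, now_ms):
        """Return (status_code, comeback_ms or None) for an Association Request."""
        sta = self.assoc.get(mac)
        if sta is None or not sta.mfp:
            # New client, or pre-802.11w behaviour: drop old state, start over.
            self.assoc[mac] = Station(mfp=mfp)
            return STATUS_SUCCESS, None
        if sta.pending_txid is not None and now_ms >= sta.deadline_ms:
            # SA Query went unanswered: the old association is stale, accept.
            self.assoc[mac] = Station(mfp=mfp)
            return STATUS_SUCCESS, None
        if sta.pending_txid is None:
            # Possible spoof: keep the association and challenge the real client.
            sta.pending_txid = os.urandom(2)
            sta.deadline_ms = now_ms + COMEBACK_MS
            self.sent.append((mac, sta.pending_txid))
        return STATUS_TRY_AGAIN_LATER, COMEBACK_MS

    def on_sa_query_response(self, mac, txid, protected):
        """Only a protected response with the matching id proves the client is alive."""
        sta = self.assoc.get(mac)
        if sta is not None and protected and txid == sta.pending_txid:
            sta.pending_txid = None   # existing security association is kept
            return True
        return False
```

A spoofed request therefore gets status 30 and leaves the real client connected, while a client that genuinely lost its keys is accepted once the comeback time has passed without an SA Query response.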
 
I used to have a 6 yr old phone running on wifi-n (no ac) on android 8. It doesn’t connect.
Other than that, all my other phones (galaxy s8, huawei mate 20, iphone 9), iPad mini 4, LG smart tv are working.

I assumed those old phones don’t work. Say around 6 years old and above?
I might need to try again in a more controlled way !!!

The phones are various android no more than 18 months old !!!???

Thanks for the confirmation that it could/should work. :)
 
Just enabled PMF on 68u and 2 year old Android phone seems to be able to connect to WiFi normally but I'll have to test a few more devices. If a router is configured as AIMesh node does it have to also have PMF enabled or just the parent router?
 
Just enabled PMF on 68u and 2 year old Android phone seems to be able to connect to WiFi normally but I'll have to test a few more devices. If a router is configured as AIMesh node does it have to also have PMF enabled or just the parent router?
Sorry, don't know, not running any AIMesh setup.

Would assume that *all* should be set up with PMF set, as the nodes will talk to each other.
(This is a best guess !!!)
 
03/18/2020 Security Advisory for CVE-2019-15126 (Kr00k)


A new firmware update is now available for selected ASUS routers. This latest firmware update contains fixes for the CVE-2019-15126 (Kr00k) vulnerability, which allows unauthorized decryption of some WPA2-encrypted traffic in devices using some Broadcom and Cypress WiFi chips. This includes some ASUS routers.

https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/
 