ASUS Krackattack patch?

[schwasskin]

Does anyone know if the latest firmware has been patched for the recent WPA2 vulns?

Sent from my Moto G (4) using Tapatalk

 

[MacG32]

Not yet, but here's what you can do:

• Until further notice, treat all Wi-Fi networks like coffee shops with open, unencrypted, wireless.
• Stick to HTTPS websites so your web browsing is encrypted even if it travels over an unencrypted connection.
• Consider using a VPN, which means that all your network traffic (not just your web browsing) is encrypted, from your laptop or mobile device to your home or work network, even if it travels over an unencrypted connection along the way.
• Apply KRACK patches for your clients (and access points) as soon as they are available.

Taken from: https://nakedsecurity.sophos.com/2017/10/16/wi-fi-at-risk-from-krack-attacks-heres-what-to-do/

 

[adampk17]

I’ve got what may be a dumb question. From what I’ve read so far the fix for the Krack issue is a client side fix. The issue cannot be fixed with a patch on the AP.

So how can your WPA2 network ever be safe again?

Sure, responsible people will patch their clients when patches become available.

But the guy that wants to break in to networks - he doesn’t and you’re screwed, right?

 

[orion44]

 

[RMerlin]

So basically, you should rather be asking Motorola when they will patch your phone, as it's the one that's vulnerable.

 

[joegreat]

Does anyone know if the latest firmware has been patched for the recent WPA2 vulns?

Pls. continue reading here: WPA2 Vulnerability Exposed

 

[Grigione]

Hello,I would to know if will be available a Merlin security firmware patch to repair WPA2 vulnerability.Also,will be available in the next future a new Merlin firmware based on 382 code base for ac68u?
Thanks

 

[muffintastic]

So basically, you should rather be asking Motorola when they will patch your phone, as it's the one that's vulnerable.

Even so, still good practice to release a patch as it's still vulnerable, listed here: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

Even Ddwrt, lede have patched their firmwares, shouldn't it be considered really? Server or client both should be parched regardless.. If not guess I'll have to switch to ddwrt.

 

[throwaway2034830]

So basically, you should rather be asking Motorola when they will patch your phone, as it's the one that's vulnerable.

According to the researcher Mathy Vanhoef a patch on both the client and the AP is necessary to fix the issue.

Source, the FAQ on the website he has published for his research: https://www.krackattacks.com/#faq under 'Do we now need WPA3?'

... Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!

 

[JDB]

Please see the numerous other threads on the matter.

In summary, if you are using it as just a router (AP) it’s not a problem the router can fix. If you are using it as a media bridge/extender (Client) then Asus need to fix it, not @RMerlin


Sent from my iPhone using Tapatalk

 

[schwasskin]

So basically, you should rather be asking Motorola when they will patch your phone, as it's the one that's vulnerable.

not worried about my phone. easy enough to disable wifi all together. But I will be patching my clients. thanks

Sent from my Moto G (4) using Tapatalk

 

[RMerlin]

Even so, still good practice to release a patch as it's still vulnerable, listed here: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

Even Ddwrt, lede have patched their firmwares, shouldn't it be considered really? Server or client both should be parched regardless.. If not guess I'll have to switch to ddwrt.

And I'm telling you that routers in router mode are NOT vulnerable. Here is the direct quote I got from upstream this morning:

Broadcom will release patch to us soon, and we will release new firmware ASAP.

For Broadcom models only STA/repeater mode is impacted. AP mode is not after all.

Most of Broadcom uses are not affected.

The wpa_supplicant you've seen patched in those other firmware projects is not used by Broadcom's router mode, they use a proprietary nas executable for WPA2 management.

And also, the update for Media Bridge/Repeater mode must come from Broadcom, there's nothing I can do about it.

Running DD-WRT without updating ALL of your clients will provide you with zero security improvement. They're the ones vulnerable, not your router.

 

[RMerlin]

According to the researcher Mathy Vanhoef a patch on both the client and the AP is necessary to fix the issue.

Source, the FAQ on the website he has published for his research: https://www.krackattacks.com/#faq under 'Do we now need WPA3?'

That's not what your quoted FAQ said - it says that patches don't prevent connecting compatibility. The relevant FAQ entry is this one. Pay attention to the first sentence:

What if there are no security updates for my router?
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

 

[Patrick0525]

Please see the numerous other threads on the matter.

In summary, if you are using it as just a router (AP) it’s not a problem the router can fix. If you are using it as a media bridge/extender (Client) then Asus need to fix it, not @RMerlin


Sent from my iPhone using Tapatalk

I am using my RT-AC68U (Asus-Merlin firmware) as a wifi Access Point attached to a switch which gets DHCP from my pfSense router (PC based). Should I be concerned? Which part needs to be fixed? Asus-Merlin or pfSense?

 

[RMerlin]

I am using my RT-AC68U (Asus-Merlin firmware) as a wifi Access Point attached to a switch which gets DHCP from my pfSense router (PC based). Should I be concerned? Which part needs to be fixed? Asus-Merlin or pfSense?

Access Point is not vulnerable.

 

[Patrick0525]

Access Point is not vulnerable.

Thanks.
My RT-AC68U AP uses WPA2 security to connect my clients. Why should I not be concerned?
Sorry for the newbie question.

 

[IronSchramm]

So is it accurate that converting my authentication method from WPA2-Personal to WPA2-Enterprise would protect against the exploit on my home network? Or is that not correct?

 

[sfx2000]

hostapd has been pulling in changes - probably due to more eyes on the problem and finding other potential bugs - same goes with wifisupplicant and various drivers.

I've been keeping an eye on the openwrt and lede...

 

[sfx2000]

So is it accurate that converting my authentication method from WPA2-Personal to WPA2-Enterprise would protect against the exploit on my home network? Or is that not correct?

Does not protect you - the hack is below that layer in the stack...

 

[joltdude]

What *might* be vulnerable would be something like a mesh system... since its primarily a client side issue... depends on how the mesh is implemented i think..