ASUS Krackattack patch?

https://rog.asus.com/forum/showthread.php?96750-WiFi-using-WPA2-KRACK-attack

MasterC@ASUS (Administrator), Today 10:36 AM

Originally posted by Ljugtomten:
Almost 4K reads of thread but no reply from ASUS yet..

Intel released updated drivers for their current WiFi cards, but I have not seen anything from Qualcomm yet, which the chip on the Zenith Extreme is based upon.
Microsoft has released updates for Windows, the module is updated for many Linux distributions as well (such as Ubuntu).

Still deadly silent from ASUS, who have several network devices on the market, ranging from access points to wireless network cards.



Hi guys,

ASUS is aware of the recent WPA2 vulnerability issue. We take security and your privacy seriously, so we are working towards a solution as quickly as possible. In the meantime, we want to help clarify the severity of the potential threat, and let our valued customers know the appropriate steps to take in order to avoid being compromised.

Your devices are only vulnerable if an attacker is in physical proximity to your wireless network. We are co-working with chipset vendors and will release patched firmware for affected routers soon. Before new firmware is released, here are a few ways to stay safe:
(1) Only visit HTTPS websites.
(2) Keep your operating system and antivirus software up-to-date.
(3) When in doubt, be safe and use your cellular network or a wired connection (Ethernet) to access the internet.
 
Hi guys,

ASUS is aware of the recent WPA2 vulnerability issue. We take security and your privacy seriously, so we are working towards a solution as quickly as possible. In the meantime, we want to help clarify the severity of the potential threat, and let our valued customers know the appropriate steps to take in order to avoid being compromised.

Your devices are only vulnerable if an attacker is in physical proximity to your wireless network. We are co-working with chipset vendors and will release patched firmware for affected routers soon. Before new firmware is released, here are a few ways to stay safe:
(1) Only visit HTTPS websites.
(2) Keep your operating system and antivirus software up-to-date.
(3) When in doubt, be safe and use your cellular network or a wired connection (Ethernet) to access the internet.
I translate this marketing message like this:
Bloody hell this issue is serious and we had no idea that it's coming our way. Now we are confused, have no solution and we ask others to solve the problem for us - then we might pass the solution over to our customers or there will be no solution.
But until then (or if we do not get a solution from somebody else) good luck with this issue - we cannot help! :oops:
 
Hello,
I hope I raise my question in the proper place, as I did not find any answer on the https://asuswrt.lostrealm.ca/ homepage, which is: Is the Merlin firmware already patched against KRACK (Key Reinstallation Attacks), which is a recently discovered serious weakness in the WPA2 protocol?
Why don't you start reading this thread titled "ASUS Krackattack patch?" from the beginning??? Then you would find posting #32, which answers your question! :eek:
 
Why don't you start reading this thread titled "ASUS Krackattack patch?" from the beginning??? Then you would find posting #32, which answers your question! :eek:

You are right, I was confused by the sticky threads at the top of the forum, and did not notice that there is a 'normal' thread below. So I started a new one, but as there was an existing thread about KRACK, one of the forum administrators moved my forum entry from a separate thread into this one as a normal reply. That was when I realized there is already a discussion about it.
I'm new to this forum, and new to Merlin firmware. But maybe I'm not the only one who is confused about the actual status of this firmware and KRACK and who should fix this (thank you for pointing me to the correct entry!), so wouldn't it be useful to post a statement on the https://asuswrt.lostrealm.ca/ homepage?
 
I translate this marketing message like this:
Bloody hell this issue is serious and we had no idea that it's coming our way. Now we are confused, have no solution and we ask others to solve the problem for us - then we might pass the solution over to our customers or there will be no solution.
But until then (or if we do not get a solution from somebody else) good luck with this issue - we cannot help! :oops:

Asus told me they are waiting for patches from Broadcom, so they're not confused - they're just waiting for their upstream providers.

I don't know what's the situation for their Qualcomm products, I assume it's the same.

Why upstream haven't been notified ahead of disclosure is beyond me however. Broadcom/Qualcomm could have fixed this ahead of time, just like Intel has done - Intel had a driver update available the same day of the disclosure.

The whole security disclosure ecosystem is suspicious at times. Like how Google recently disclosed Windows vulnerabilities ahead of a Microsoft fix on the basis that Microsoft "took too long" to fix it. In the end, it leaves end users caught in the crossfire.
 
I have a number of legacy devices that I bet won't be updated any time soon (if at all) by the respective manufacturers. Fortunately they don't carry any sensitive data.

If I have them connected to a guest network on the same router (RT-N66U running 3.80 firmware) does connecting those unpatched devices compromise the security on my main network?
 
If I have them connected to a guest network on the same router (RT-N66U running 3.80 firmware) does connecting those unpatched devices compromise the security on my main network?
No, only the clients' information is at risk in that scenario.
 
I have a number of legacy devices that I bet won't be updated any time soon (if at all) by the respective manufacturers.

Yes and this is unfortunate. I guess the wifi industry is about to get a much larger market soon. LOL I bet you will see marketing terms all over them, like "This product is Krack patched." O shirt I better buy it. :eek:
 
I have a number of legacy devices that I bet won't be updated any time soon (if at all) by the respective manufacturers.

I hope that something good will come out of this, and manufacturers will become legally forced to provide a required minimum of support for products that are still fully usable. A three years old phone is NOT an unusable product, it should still be covered by security updates.

I hope organizations and customers will start applying pressure on those abandonware manufacturers.
 
Hello,
I hope I raise my question in the proper place, as I did not find any answer on the https://asuswrt.lostrealm.ca/ homepage, which is: Is the Merlin firmware already patched against KRACK (Key Reinstallation Attacks), which is a recently discovered serious weakness in the WPA2 protocol?
Details of KRACK can be found on the https://www.krackattacks.com/ webpage.
Also I would like to know, if Merlin firmware is patched already, what release includes the fix? If not yet, what is the expected date for it?
Does it depend on ASUS released firmware, or can it be fixed within Merlin firmware separately?
Thank you in advance!

Hi domjant. I've just finished reading through this thread, and here are the conclusions I came to after that:
  1. The primary security vulnerability of the KRACK exploit is a client-side issue. In other words, it impacts clients that connect to routers. This includes laptops and other computers, phones, tablets, etc. - any device that connects via WiFi to some router or access point and which uses WPA2 to secure the connection. Note that if you have a router configured in "Repeater mode", then this device qualifies as a WiFi client, and will need a patch. Otherwise, there is no urgent need to patch the router firmware, and you should be focused on making sure that all your client devices (phones, computers, tablets, etc.) are patched.
  2. A patch to the Asus-Merlin router firmware is not yet available. The patch is dependent on a change from Broadcom, which I assume will be made and passed on to Asus, and then RMerlin will add it to the Asus-Merlin firmware. I have not seen any time estimate on the availability of that.
 
Greetings:
I'm new here. I installed Merlin firmware on my RT-AC66U about a month ago for the OpenVPN capabilities... LOVE IT.
My question: I have always used Wifi Mac address (permit-only) filtering on my routers, would this not prevent the KRACK exploit from being successful? If not, could someone explain why not?
 
... I have always used Wifi Mac address (permit-only) filtering on my routers, would this not prevent the KRACK exploit from being successful?
This exploit allows you to spy on authenticated clients via MITM attack. You cannot steal your neighbor's Wi-Fi with this.
 
This exploit allows you to spy on authenticated clients via MITM attack. You cannot steal your neighbor's Wi-Fi with this.
"Man-In-The Middle" attack, GOT-IT, thanks. Actually, I'm worried about what my neighbors are doing to ME. Not the other way around...
 
"Man-In-The Middle" attack, GOT-IT, thanks. Actually, I'm worried about what my neighbors are doing to ME. Not the other way around...

Yeah - and it's relatively non-trivial to actually do the attack. And the target must be really interesting for someone to spend time to attack the edge inside the WiFi handshake - there are easier ways to get info without having to do this.

Like many of the name exploits (Shellshock, Ghost, Heartbleed), it gets a lot of attention - KRACKattack is notable as it is one of the first public disclosures of an exploit that can impact WPA2 - it's not the only one... and it exploits a weak implementation of WPA2, not the actual concept of WPA2 itself - so easy to fix at a code level - the hard part is getting fixes deployed...

Yes, KRACKattack needs a client fix - and vendors are pushing them out at the mobile and desktop level - my concern is more the embedded space where older devices might no longer be under development - and many were contract/white label in the first place.
 
I hope that something good will come out of this, and manufacturers will become legally forced to provide a required minimum of support for products that are still fully usable. A three years old phone is NOT an unusable product, it should still be covered by security updates.

I hope organizations and customers will start applying pressure on those abandonware manufacturers.

I agree, but from what I have read so far, nothing happens. Even new phones aren't updated regularly... Shame..
 