What's new

ASUS Krackattack patch?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

https://rog.asus.com/forum/showthread.php?96750-WiFi-using-WPA2-KRACK-attack

Today 10:36 AM
MasterC@ASUS MasterC@ASUS
Administrator


Quote Originally Posted by Ljugtomten View Post
Almost 4K reads of thread but no reply from ASUS yet..

Intel released updated drivers for their current WiFi cards, but I have not seen anything from Qualcomm yet, as the chip on the Zenith Extreme is based upon.
Microsoft has released updates for Windows, the module is updated for many Linux distributions aswell (such as Ubuntu).

Still deadly silent from ASUS, who have several network devices on the market, ranging from access points to wireless network cards.



Hi guys,

ASUS is aware of the recent WPA2 vulnerability issue. We take security and your privacy seriously, so we are working towards a solution as quickly as possible. In the meantime, we want to help clarify the severity of the potential threat, and let our valued customers know the appropriate steps to take in order to avoid being compromised.

Your devices are only vulnerable if an attacker is in physical proximity to your wireless network. We are co-working with chipset vendors and will release patched firmware for affected routers soon. Before new firmware is released, here are a few ways to stay safe:
(1) Only visit HTTPS websites.
(2) Keep your operating system and antivirus software up-to-date.
(3) When in doubt, be safe and use your cellular network or a wired connection (Ethernet) to access the internet.
 
Hi guys,

ASUS is aware of the recent WPA2 vulnerability issue. We take security and your privacy seriously, so we are working towards a solution as quickly as possible. In the meantime, we want to help clarify the severity of the potential threat, and let our valued customers know the appropriate steps to take in order to avoid being compromised.

Your devices are only vulnerable if an attacker is in physical proximity to your wireless network. We are co-working with chipset vendors and will release patched firmware for affected routers soon. Before new firmware is released, here are a few ways to stay safe:
(1) Only visit HTTPS websites.
(2) Keep your operating system and antivirus software up-to-date.
(3) When in doubt, be safe and use your cellular network or a wired connection (Ethernet) to access the internet.
I translate this marketing message like this:
Bloody hell this issue is serious and we had no idea that it's coming our way. Now we are confused, have no solution and we ask others to solve the problem for us - then we might pass the solution over to our customers or there will be no solution.
But until then (or if we do not get a solution from somebody else) good luck with this issue - we cannot help! :oops:
 
Hello,
I hope I raise my question in the proper place, as I not found any answer on the https://asuswrt.lostrealm.ca/ homepage, what is: Does the Merlin firmware already patched against KRACK (Key Reinstallation Attacks) what is a recently discovered serious weaknesses in WPA2 protocol?
Why you do not start reading this thread titled with "ASUS Krackattack patch?" from the beginning??? Then you would find posing #32 which answers your question! :eek:
 
Last edited:
Why you do not start reading this thread titled with "ASUS Krackattack patch?" from the beginning??? Then you would find posing #32 which answers your question! :eek:

You are right, I was confused by the sticky threads on the top of the forum, and not noticed that there is 'normal' thread below. So I started a new one, but as there was an existing thread about KRACK, one of the forum administrator moved my forum entry from a separate thread into this one as a normal reply. That was a time when I realized there is already a discussion about it.
I'm new in this forum, and new in Merlin firmware. But maybe not I'm the only one who is confused about the actual status of this firmware and KRACK and who should fix this (thank you for point me to the correct entry!), so wouldn't be useful to post a statement to the https://asuswrt.lostrealm.ca/ homepage?
 
I translate this marketing message like this:
Bloody hell this issue is serious and we had no idea that it's coming our way. Now we are confused, have no solution and we ask others to solve the problem for us - then we might pass the solution over to our customers or there will be no solution.
But until then (or if we do not get a solution from somebody else) good luck with this issue - we cannot help! :oops:

Asus told me they are waiting for patches from Broadcom, so they're not confused - they're just waiting for their upstream providers.

I don't know what's the situation for their Qualcomm products, I assume it's the same.

Why upstream haven't been notified ahead of disclosure is beyond me however. Broadcom/Qualcomm could have fixed this ahead of time, just like Intel has done - Intel had a driver update available the same day of the disclosure.

The whole security disclosure ecosystem is suspicious at times. Like how Google recently disclosed Windows vulnerabilities ahead of a Microsoft fix on the basis that Microsoft "took too long" to fix it. In the end, it leaves end users caught in the crossfire.
 
I have a number of legacy devices that I bet won't be updated any time soon (if at all) by the respective manufacturers. Fortunately they don't carry any sensitive data.

If I have them connected to a guest network on the same router (RT-N66U running 3.80 firmware) does connecting those unpatched devices compromise the security on my main network?
 
If I have them connected to a guest network on the same router (RT-N66U running 3.80 firmware) does connecting those unpatched devices compromise the security on my main network?
No, only the clients' information is at risk in that scenario.
 
I have a number of legacy devices that I bet won't be updated any time soon (if at all) by the respective manufacturers.

Yes and this is unfortunate. I guess the wifi industry is about to get a much larger market soon. LOL I bet you will see marketing terms all over them like. This product is Krack patched. O shirt i better buy it. :eek:
 
I have a number of legacy devices that I bet won't be updated any time soon (if at all) by the respective manufacturers.

I hope that something good will come out of this, and manufacturers will become legally forced to provide a required minimum of support for products that are still fully usable. A three years old phone is NOT an unusable product, it should still be covered by security updates.

I hope organizations and customers will start applying pressure on those abandonware manufacturers.
 
Hello,
I hope I raise my question in the proper place, as I not found any answer on the https://asuswrt.lostrealm.ca/ homepage, what is: Does the Merlin firmware already patched against KRACK (Key Reinstallation Attacks) what is a recently discovered serious weaknesses in WPA2 protocol?
Details of KRACK can be found on https://www.krackattacks.com/ webpage.
Also I would like to know, if Merlin firmware patched already, what release include the fix? If not yet, what is the expected date for it?
Is it depend on ASUS released firmware, or can it be fixed within Merlin firmware separately?
Thank you in advance!

Hi domjant. I've just finished reading through this thread, and here are the conclusions I came to after that:
  1. The primary security vulnerability of the KRACK exploit is a client-side issue. In other words, it impact clients that connect to routers. This includes laptops and other computers, phones, tablets, etc. - any device that connects via WiFi to some router or access point and which uses WPA2 to secure the connection. Note that if you have a router configured in "Repeater mode", than this device qualifies as a WiFi client, and will need a patch. Otherwise, there is no urgent need to patch the router firmware, and you should be focused on making sure that all your client devices (phones, computers, tablets, etc.) are patched.
  2. A patch to the Asus-Merlin router firmware is not yet available. The patch is dependent on a change from Broadcom, which I assume will be made and passed on to Asus, and then RMerlin will add it to the Asus-Merlin firmware. I have not seen any time estimate on the availability of that.
 
Greetings:
I'm new here. I installed Merlin firmware on my RT-AC66U about a month ago for the OpenVPN capabilities... LOVE IT.
My question: I have always used Wifi Mac address (permit-only) filtering on my routers, would this not prevent the KRACK exploit from being successful? If not, could someone explain why not?
 
... I have always used Wifi Mac address (permit-only) filtering on my routers, would this not prevent the KRACK exploit from being successful?
This exploit allows you to spy on authenticated clients via MITM attack. You cannot steal your neighbor's Wi-Fi with this.
 
This exploit allows you to spy on authenticated clients via MITM attack. You cannot steal your neighbor's Wi-Fi with this.
"Man-In-The Middle" attack, GOT-IT, thanks. Actually, I'm worried about what my neighbors are doing to ME. Not the other way around...
 
"Man-In-The Middle" attack, GOT-IT, thanks. Actually, I'm worried about what my neighbors are doing to ME. Not the other way around...

Yeah - and it's relatively non-trivial to actually do the attack. And the target must be really interesting for someone to spend time to attack the edge inside the WiFi handshake - there are easier ways to get info without having to do this.

Like many of the name exploits (Shellshock, Ghost, Heartbleed), it gets a lot of attention - KRACKattack is notable as it is one of the first public disclosure of an exploit that can impact WPA2 - it's not the only one... and it exploits an weak implementation of WPA2, not the actual concept of WPA2 itself - so easy to fix at a code level - the hard part is getting fixes deployed...

Yes, KRACKattack needs a client fix - and vendors are pushing them out at the mobile and desktop level - my concern is more the embedded space where older devices might no longer be under development - and many were contract/white label in the first place.
 
I hope that something good will come out of this, and manufacturers will become legally forced to provide a required minimum of support for products that are still fully usable. A three years old phone is NOT an unusable product, it should still be covered by security updates.

I hope organizations and customers will start applying pressure on those abandonware manufacturers.

I agree, but what I read so far nothing happens. Even new phones aren't updated regularly... Shame..
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top