ASUS Krackattack patch?

[sfx2000]

I hope that something good will come out of this, and manufacturers will become legally forced to provide a required minimum of support for products that are still fully usable. A three years old phone is NOT an unusable product, it should still be covered by security updates.

Wholeheartedly agree here - in many areas (incl here in Cali) - HW is required to be supported for a period of time, but that doesn't apply to software/firmware - and it should.

Apple is a good example of this with iPad/iPhone - once SW is deprecated (e.g. moving to 64 bit only, which stopped support for the A5/A6 chips), they stopped rolling any patches - the one exception that I recall is they did an update for the A4 based devices that supported facetime, but that was a one-off...

an iPhone 4s or iPhone 5 is still a very useful device, but from SW perspective, they're no longer supported... same would go for iPad 2/3/4 and iPad Mini - not asking for new features, but security updates would be very much appreciated.

Android isn't much better at this for factory supported firmware - Cyanogen/Lineage helps a bit here, but only for devices that they support directly.

 

[RMerlin]

Android isn't much better at this for factory supported firmware - Cyanogen/Lineage helps a bit here, but only for devices that they support directly.

Cyanogenmod extended the useful life of my Nexus 7 by nearly two years, as Google's last official release for it turned it into a unusable snail. About a year later, I took it out of the drawer, installed CyanogenMOD on it, and it served me as a daily ebook reader while doing my daily commuting for another year or two.

Turning phones into computers was a stroke of genius by manufacturers. A phone can be perfectly usable for 5-10 years, no need to buy new ones. Miniature computers with non-removable batteries? Obsolete after three years. Same with Smart TVs: Youtube stops working after a few years due to API changes, and manufacturers won't fix the software - buy a new TV instead. One of the reasons why I hate smart TVs.

My Samsung is a "dumb" TV. Since I've had it, media streaming duties went from a PS3 (originally purchased as a BD-ROM player and a media streamer), to a WDTV, to a Zotac HTPC, to a NAS with Kodi. The PS3 was recently given to a friend who needed a BD-ROM player, the WDTV is in a drawer, the HTPC was sold to my ex-boss who wanted a media streamer, and the NAS is currently serving both duties. The Samsung TV? It's still running good as new.

How many wifi-enabled TVs, BD-ROM players will be left unpatched? Quite a lot - probably the majority of them. Thankfully, most (if not all) of the smart services are over https, so there's no risk of having your Netflix credentials stolen by it. But it's still disturbing. Who knows if, at some point, someone won't devise an attack that leverage those new vulnerabilities, to perform a more intricate MITM attack where they'd be able to also hijack the TLS session and access the encrypted data? Hundreds of thousands of Netflix logins would suddenly become compromised.

 

[Jack Yaz]

Cyanogenmod extended the useful life of my Nexus 7 by nearly two years, as Google's last official release for it turned it into a unusable snail. About a year later, I took it out of the drawer, installed CyanogenMOD on it, and it served me as a daily ebook reader while doing my daily commuting for another year or two.

Turning phones into computers was a stroke of genius by manufacturers. A phone can be perfectly usable for 5-10 years, no need to buy new ones. Miniature computers with non-removable batteries? Obsolete after three years. Same with Smart TVs: Youtube stops working after a few years due to API changes, and manufacturers won't fix the software - buy a new TV instead. One of the reasons why I hate smart TVs.

My Samsung is a "dumb" TV. Since I've had it, media streaming duties went from a PS3 (originally purchased as a BD-ROM player and a media streamer), to a WDTV, to a Zotac HTPC, to a NAS with Kodi. The PS3 was recently given to a friend who needed a BD-ROM player, the WDTV is in a drawer, the HTPC was sold to my ex-boss who wanted a media streamer, and the NAS is currently serving both duties. The Samsung TV? It's still running good as new.

How many wifi-enabled TVs, BD-ROM players will be left unpatched? Quite a lot - probably the majority of them. Thankfully, most (if not all) of the smart services are over https, so there's no risk of having your Netflix credentials stolen by it. But it's still disturbing. Who knows if, at some point, someone won't devise an attack that leverage those new vulnerabilities, to perform a more intricate MITM attack where they'd be able to also hijack the TLS session and access the encrypted data? Hundreds of thousands of Netflix logins would suddenly become compromised.

NAS here serves up files to RPis running OSMC (custom distro for Kodi), all "smart" functions of TVs ignored. I prefer a good quality panel, and then I can connect a device (Pi, Chromecast etc.) to make it "smart". As you say, APIs etc. change and break "smart" TVs. I think Sony Bravia did this recently and they weren't that old, something to do with Youtube's encryption I think.

 

[sfx2000]

How many wifi-enabled TVs, BD-ROM players will be left unpatched? Quite a lot - probably the majority of them. Thankfully, most (if not all) of the smart services are over https, so there's no risk of having your Netflix credentials stolen by it. But it's still disturbing. Who knows if, at some point, someone won't devise an attack that leverage those new vulnerabilities, to perform a more intricate MITM attack where they'd be able to also hijack the TLS session and access the encrypted data? Hundreds of thousands of Netflix logins would suddenly become compromised.

https://github.com/moxie0/sslstrip

easier done than said

Of course one does need a couple of things - first being motivation, and second, a fair sense of the technical challenge and the skills to pull it off..

 

[joegreat]

I agree, but what I read so far nothing happens. Even new phones aren't updated regularly... Shame..

There is a simple solution for this problem: Do not buy devices where the vendor is not providing updates!
And/or check upfront if there is a alternative Firmware for the phone or router!

I do this since my first smartphone and routers since 2013 with good success:
- Smartphone with CyangenMod/LineageOS have a very long lifespan with updates!
- Router only with OpenSource/AsusWRT alternatives to avoid being dependent on the vendor only!

From my perspective: Shame on the customers who buy devices with vendor lock-in and no updates! Remember: You as the customer has the power by selecting the right vendor!

 

[Steffe]

There is a simple solution for this problem: Do not buy devices where the vendor is not providing updates!
And/or check upfront if there is a alternative Firmware for the phone or router!

I do this since my first smartphone and routers since 2013 with good success:
- Smartphone with CyangenMod/LineageOS have a very long lifespan with updates!
- Router only with OpenSource/AsusWRT alternatives to avoid being dependent on the vendor only!

From my perspective: Shame on the customers who buy devices with vendor lock-in and no updates! Remember: You as the customer has the power by selecting the right vendor!

You're somewhat right, but I do not agree. All you mention only works because there a willing people for adding support and maintaining the hardware - all for free (donation). That should be the responsibility of the vendors. Customers should not choose products because there's a great user-base. Vendors should have some obligation to make sure that our personal information is safe, which also means security updates. 90% of the phones sold today are at risk (yes shame all the customers ), likewise is smart tvs, consoles, home automation etc..

 

[dabears]

Not yet, but here's what you can do:

• Until further notice, treat all Wi-Fi networks like coffee shops with open, unencrypted, wireless.
• Stick to HTTPS websites so your web browsing is encrypted even if it travels over an unencrypted connection.
• Consider using a VPN, which means that all your network traffic (not just your web browsing) is encrypted, from your laptop or mobile device to your home or work network, even if it travels over an unencrypted connection along the way.
• Apply KRACK patches for your clients (and access points) as soon as they are available.

Taken from: https://nakedsecurity.sophos.com/2017/10/16/wi-fi-at-risk-from-krack-attacks-heres-what-to-do/

I am wondering if KRACK works against 802.11ac clients I have tried in the past to find an 802.11ac card or adapter that works in monitor mode but couldn't . Maybe someone with recent experience and testing KRACK attack on 802.11ac clients can please chime in because if we can verify you cant this would be a solution in the meantime for those that use mostly 802.11ac wifi.

 

[jim769]

I am wondering if KRACK works against 802.11ac clients

Yes it affects AC clients as well. On the Netgear site of affected devices there are AC wifi adapters in the affected list.

 

[tsunami2311]

i am assuimg 380.67 isnt patched for this? if I use mac address allow for all my wifi clients does it even matter

 

[joegreat]

i am assuimg 380.67 isnt patched for this? if I use mac address allow for all my wifi clients does it even matter

Regardless of your MAC address filtering: The attacker can read all your wireless traffic (passwords, bank account information, health status, etc.)!

So MAC address filtering is not the solution - no firmware from Asus is patched yet - read the official wording from Asus (just a few postings above your one): an update need come from the vendor of the router chipset/hardware...

 

[dabears]

Yes it affects AC clients as well. On the Netgear site of affected devices there are AC wifi adapters in the affected list.

I see the ac clients as being on that list of being affected but is that because the clients are backwards compatible which when connected to 2.4 band they can be "kracked" since there are plenty of 2.4 cards that can be put into monitor mode and do packet injection making these clients vulnerable. I guess I should have asked if the ac client is connected to ac band is there a known card that can do the injection to make krack work on AC connected clients?

 

[jim769]

i am assuimg 380.67 isnt patched for this?

As of now there is no patch for Asus routers stock or Merlin builds. The clients are really what needs the patch.

 

[Jack Yaz]

I see the ac clients as being on that list of being affected but is that because the clients are backwards compatible which when connected to 2.4 band they can be "kracked" since there are plenty of 2.4 cards that can be put into monitor mode and do packet injection making these clients vulnerable. I guess I should have asked if the ac client is connected to ac band is there a known card that can do the injection to make krack work on AC connected clients?

Isn't the exploit in the WPA2 encryption protocol rather than N AC B G or whatever?

 

[dabears]

Isn't the exploit in the WPA2 encryption protocol rather than N AC B G or whatever?

I am assuming you need an ac card that can do packet injection in monitor mode on the same channel as the AC client to exploit the handshake correct me if I am wrong.

 

[ColinTaylor]

I am assuming you need an ac card that can do packet injection in monitor mode on the same channel as the AC client to exploit the handshake correct me if I am wrong.

We thought you were trying to stop your client being hacked, but it sounds like you're the one doing the hacking. If you don't want to hack another device... just don't do it.

 

[jim769]

 

[dabears]

We thought you were trying to stop your client being hacked, but it sounds like you're the one doing the hacking. If you don't want to hack another device... just don't do it.

I was just responding to the responses to my initial question which didn't provide answers to what I asked for. I don't see how that what you are claiming was my intent. I am just trying to get a yes or no answer with some proof that an ac card would be needed to exploit the ac client connected to an ac band and if they are even available which I do not believe there are any for the general public so my point was if it cant be done then connecting to an ac band with an ac client might be safer against krack until patches go out. If i had any intention to be doing what you are claiming I would be doing it not here asking questions to help others.

 

[ColinTaylor]

@dabears OK I understand what you were asking now. Yes you may be correct, there seems to be very few consumer AC cards that support packet injection. It looks like some Broadcom based devices are the most likely. The Asus USB-AC53 perhaps.

 

[sfx2000]

@dabears OK I understand what you were asking now. Yes you may be correct, there seems to be very few consumer AC cards that support packet injection. It looks like some Broadcom based devices are the most likely. The Asus USB-AC53 perhaps.

Again - this is mostly a client side issue. And it includes all adapters that support WPA2 independent of it being 11g/11a/11n/11ac - it's an OS supplicant item.

Folks skilled in the arts have the appropriate adapters that can facilitate attacks like this... I have a purpose built box that can facilitate this directly.

KRACKAttack is easily understood - and yes, it can be fixed - my primary concern is not there - but the vulns in the chipset RTOS - aka BroadPWN and similar, which are not easily fixed, as that is below the OS driver layer in the WiFi stack of things. This isn't really that much different than the WPS reaver attack, and there's the well known hole 109 attack against the WPA/TKIP group keys.

WPA/WPA2 is mostly vulnerable to implementation details, not how 802.11 is in general... these days however, folks are looking hard at this, as OS level stuff is getting better...

 

[tsunami2311]

then i guess i not really in much of rush to change fw seeing this 380.67 is working and i dont have time to deal with flash and reseting my settings. windows was already patched which rules out my system and dads stuff, as mean as it sounds i dont give damn about my sisters stuff