Asus protected management frames

DPUK01

New Around Here
Hello. I have an Asus RT68U router which I use for my home network. I have set the Protected Management Frames (PMF) to 'required' for all client devices (https://www.asus.com/uk/support/faq/1042472/). None have disconnected when this was set, which I think means that these are encrypted now. However, does anyone know if this management frame encryption will protect against the KRACK vulnerability in the WPA2 authentication process? I have read that disabling EAPOL retries offers some protection against this but it isn't an option via the router Web GUI (perhaps via Telnet though?).

Although declared end of life, Asus are still releasing new firmware for this router (https://www.asus.com/supportonly/rt-ac68u/helpdesk_bios/). Once they stop doing so, I may go down the 802.11ax route and choose WPA3 authentication where possible, although some IoT devices will still only support WPA2.

Any advice welcome.... thanks in advance.
 
ASUS has only reached back to patch the AC68U firmware to protect its exceptional/large user base from an extreme vulnerability. For all practical purposes, the AC68U is EoL and no longer supported.

I would retire the AC68U and consider the AX86U Pro (dual-band WiFi6) or better that supports next gen ASUSWRT 5.0 (3.0.0.6.*) firmware with option for combined WPA2/WPA3 support with PMF default to 'capable'. Mixed wireless clients will authenticate as best they know how.

OE
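
The PMF settings 'required' and 'capable' mentioned in the posts above are advertised by an access point in the RSN element of its beacons (RSN Capabilities bits 6 and 7). The following is an added example, not part of any post in this thread, that parses such an element and reports the advertised PMF mode and key-management suites. The sample bytes are constructed and the function names are hypothetical.

```python
import struct

AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bit 6 (required), bit 7 (capable)

# Constructed samples (not captured from any real network): RSN element, ID 48,
# CCMP group and pairwise ciphers, differing only in AKM list and capabilities.
SAMPLE_MIXED = bytes.fromhex("3018" "0100" "000fac04" "0100" "000fac04"
                             "0200" "000fac02" "000fac08" "8000")
SAMPLE_REQUIRED = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                                "0100" "000fac06" "c000")
SAMPLE_LEGACY = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04"
                              "0100" "000fac02" "0000")


def _suite_list(body: bytes, pos: int):
    """Read a 2-byte little-endian count followed by that many 4-byte suites."""
    if pos + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, pos)
    end = pos + 2 + 4 * count
    if end > len(body):
        raise ValueError("suite count exceeds element length")
    return [body[i:i + 4] for i in range(pos + 2, end, 4)], end


def pmf_posture(element: bytes) -> dict:
    """Return the AKMs and PMF mode an AP advertises in its RSN element."""
    if len(element) < 2 or element[0] != 48 or element[1] != len(element) - 2:
        raise ValueError("not a well-formed RSN element")
    body = element[2:]
    _pairwise, pos = _suite_list(body, 6)   # skip version (2) + group cipher (4)
    akms, pos = _suite_list(body, pos)
    if pos + 2 > len(body):
        raise ValueError("RSN capabilities field missing")
    (caps,) = struct.unpack_from("<H", body, pos)
    if caps & MFPR:
        pmf = "required" if caps & MFPC else "invalid"  # MFPR set without MFPC
    else:
        pmf = "capable" if caps & MFPC else "disabled"
    names = [AKM_NAMES.get(s[3], f"type-{s[3]}") if s[:3] == b"\x00\x0f\xac"
             else s.hex() for s in akms]
    return {"akms": names, "pmf": pmf}


if __name__ == "__main__":
    for label, ie in [("mixed", SAMPLE_MIXED), ("required", SAMPLE_REQUIRED),
                      ("legacy", SAMPLE_LEGACY)]:
        print(label, pmf_posture(ie))
```

A result of 'capable' means clients without PMF support can still associate unprotected, which is why mixed WPA2/WPA3 networks advertise it rather than 'required'.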
 
Thanks Colin. Do you know where I could find any further information about the patch?
You'd have to search through all the forum discussions about it from six or seven years ago. From memory the Asus release notes at the time just had a single line saying it was fixed (see this link). Unfortunately all the 3.0.0.4.382.x firmware from that era have long since been removed from the Asus website.

What is your interest in this particular vulnerability (as opposed to any of the subsequent ones, e.g. kr00k)? Bear in mind that Krack is a client side vulnerability. So it's not an issue unless you're running your router as a repeater or media bridge.

EDIT: I did find this entry on the ASUS Product Security Advisory page:
10/31/2017 Update on security advisory for the vulnerability of WPA2 protocol
ASUS is working closely with chipset suppliers to resolve the vulnerability in the WPA2 security protocol, which affects some but not all ASUS products (check the list below). KRACK can exploit the vulnerability only under certain conditions highlighted in the previous update. Your network configuration is more secure when under these conditions:

(1) Routers and gateways working in their default mode (Router Mode) and AP Mode.
(2) Range extenders working in AP Mode.
(3) When Powerline adapters and switch products are used.

ASUS is working actively towards a solution, and will continue to post software updates. Find out more: https://www.asus.com/support/

Full list of routers unaffected by KRACK while in default mode:
GT-AC5300
RT-AC1200
RT-AC1200G
RT-AC1200G Plus
RT-AC1200HP
RT-AC1300HP
RT-AC1900
RT-AC1900P
RT-AC3100
RT-AC3200
RT-AC51U
RT-AC52U
RT-AC53
RT-AC5300
RT-AC53U
RT-AC54U
RT-AC55U
RT-AC55UHP
RT-AC56S
RT-AC56U
RT-AC58U
RT-AC66U
RT-AC66U B1
RT-AC66W
RT-AC68P
RT-AC68UF
RT-AC68W
RT-AC86U
RT-AC87U
RT-AC88U
RT-ACRH17
RT-ACRH13
RT-N10P V3
RT-N11P B1
RT-N12 D1
RT-N12 VP B1
RT-N12+
RT-N12+ B1
RT-N12E C1
RT-N12E_B1
RT-N12HP B1
RT-N14U
RT-N14UHP
RT-N16
RT-N18U
RT-N300 B1
RT-N56U
RT-N56U B1
RT-N65U
RT-N66U
RT-N66W
BRT-AC828
DSL-AC87VG
DSL-AC52U
DSL-AC55U
DSL-AC56U
DSL-AC68R
DSL-AC68U
DSL-N10_C1
DSL-N12E_C1
DSL-N12HP
DSL-N12U
DSL-N12U B1
DSL-N12U D1
DSL-N12U_C1
DSL-N14U
DSL-N14U B1
DSL-N16
DSL-N16U
DSL-N17U
DSL-N55U D1
DSL-N55U_C1
4G-AC68U
RT-AC65U
RT-AC85U
 