Latest Merlin RT-N66U Range

marnold

Regular Contributor
Hi all,

I wondered if anyone had any experience with the range of the RT-N66U on Merlin's most recent firmware vs. John's fork. The reason I ask is because I want the Krack vulnerability fixed without having to wait for all my clients to be patched (if they ever will be). If the range drop is still significant then it seems I will be looking at buying an RT-AC86U.
 
If your device is being used as a router or AP, you shouldn't need a patch.....in theory. Only if you use it as a Repeater or a Media Bridge should it be impacted....which is why I went back to Asus firmware on my N66 and AC66 since they are deployed as Media Bridges.
 
Range (if you're equating power output to range) will vary depending on the country you're in, the band and the channel. So unless all three of those are the same any comparisons would be invalid.

Also, as said above, you can't mitigate your clients' vulnerability to KRACK by patching the router.
 
Range (if you're equating power output to range) will vary depending on the country you're in, the band and the channel. So unless all three of those are the same any comparisons would be invalid.

True enough, but basically I was just looking for some anecdotal evidence to see if anyone had switched lately and what impact they saw.

Also, as said above, you can't mitigate your clients' vulnerability to KRACK by patching the router.

I know I can't entirely, but I can on my network. Some of those devices never go anywhere but my home, so the problem would be solved.
 
If your device is being used as a router or AP, you shouldn't need a patch.....in theory. Only if you use it as a Repeater or a Media Bridge should it be impacted....which is why I went back to Asus firmware on my N66 and AC66 since they are deployed as Media Bridges.

If I understand correctly from what I've read, the router doesn't need to be updated if the client has been. Some clients I have no/little control over, but I do have control over the router. If I would upgrade my router, the N66 might be pressed back into service as a media bridge or repeater. In which case, going back to Merlin wouldn't be an issue because range wouldn't be as much of an issue (in my particular circumstances).
 
If I understand correctly from what I've read, the router doesn't need to be updated if the client has been.
It's nothing to do with the router (in Router or AP mode). It's a client vulnerability which is why the client needs to be patched. The reason why the router needs patching in Media Bridge or Repeater mode is because in both of those cases the router is acting as a client to some other access point. Of course that assumes that there's a hacker sitting within range of your home Wi-Fi with the time and inclination to actually bother to do this, which is probably unlikely.
 
It's nothing to do with the router (in Router or AP mode). It's a client vulnerability which is why the client needs to be patched. The reason why the router needs patching in Media Bridge or Repeater mode is because in both of those cases the router is acting as a client to some other access point. Of course that assumes that there's a hacker sitting within range of your home Wi-Fi with the time and inclination to actually bother to do this, which is probably unlikely.

Hmm. After further research, it appears that you are exactly right and my previous understanding of the problem was incorrect. I just wonder if devices like Roku, smart TVs, etc. are going to be patched. It is hard, if not impossible, to find if manufacturers have even acknowledged the issue much less issued a patch.

So, I may save myself some money on a router, but the existing problem remains. 50% success anyway.
 
Yeah, for most practical purposes.

But if the router is patched (non-client) it will not replay the key for the man-in-the-middle to decode. It will force new keys to be sent only once until connection without possible reinstallation on client. At least according to CERT and several vendors.

Only a few vendors jumped on that boat and only for prime products. Of course once a vendor has a firmware patch, every router firmware update by owners is an opportunity to brick or at least dig out less friendly recovery procedures (especially in smaller businesses that rarely do firmware). Also whole network segments go down, often during peak usage hours too -- rather than a selected client when desired. Best avoid that if possible.

However, it's a LOT easier to produce code to patch clients - plus client side patches reduce potential DOS effects (endless new keys) for reasons I could not quite understand. Software written for tiny FLASH and all its address location dependencies tends to be tedious and require endless meticulous care. Plus client side software teams are HUGE and WEALTHY compared to most router software teams (though Cisco and a couple other business side giants are a bit closer).

Plus attacking a router does not gain black hats much except DOS which is immediately obvious and can be reset easily. Sustained DOS can get them caught (short LOS). But clients are potentially juicy and easier to hook invisibly on a long term basis. So fixing the router is pedantic - just for technical correctness without much practical impact over the simpler client side fix.

Bottom line: That is why routers tend to have so many old vulnerabilities. If it can be worked around in the clients there is no need to fix the router and potentially break something else in the router worse or not fit into Flash. On a client, add/change a few MBs when compiling a high level source code fix and it's lost in multiple GB OS installs. And client OS patches seldom actually brick clients :)
 
Just saying do not expect a general protocol fix for Krack in Merlin. It would be a frivolous waste of scarce time and resources when Windows and every major distribution of Linux fixed the client side weeks ago.

Sounds like you might be in a "small" business environment. You might want to investigate a better way to roll out simple patches for clients. Or some old Cisco routers (cheap if slow) that still are getting all the router side fixes for Krack, then back to Merlin routers later. Asus told CERT they had a router side fix a couple weeks after Krack was announced. Several weeks later they still had not deployed to any router or announced plans to do so. But maybe that changed in the last 4-5 weeks.

Fortunately the client side fixes for Linux should give a major leg up (minor bit of porting) on fixing the router in client modes...whenever Team Merlin (still 1 guy?) gets to it. Not sure how high repeater or media bridge services rank within Merlin (medium?) but it's certainly not the bottom and likely to just be dropped. Very inconvenient for some. Still I can see the Team waiting for any possibility of related vulnerabilities to settle out before rolling their own fix for Merlin across all supported routers. Too often early patches don't have the whole story (some hackers are like a chessmaster looking 5-6 moves ahead) and need to be revisited.
 
But if the router is patched (non-client) it will not replay the key for the man-in-the-middle to decode. It will force new keys to be sent only once until connection without possible reinstallation on client. At least according to CERT and several vendors.
But that doesn't fix the vulnerability, it just makes it more difficult to exploit, according to the original paper. Also, according to the original paper and Broadcom themselves, their implementation already works in this "more secure" (for want of a better term) manner. So in short, it's still a client issue, not an AP one.

Several weeks later they still had not deployed to any router or announced plans to do so. But maybe that changed in the last 4-5 weeks.
I haven't looked at any other models but the RT-AC68U had a patched firmware on 11th November and the RT-N66U & RT-AC66U had it on 1st November.
 
Reread. It's a case of mitigating circumstances according to CERT. Routers are BORING! Not that something cannot be done to routers, but that it WON'T be done in their opinion. Too much work/risk for very little return and fast recovery for owners. So far they are right. But I have seen that turn and bite them in the past when compound exploits got together to go some place CERT experts failed to imagine.

But it's obviously primarily a client issue because that is where most of the honey is for attackers. Where the data is. Where potential for long term control exists. Where repair is costly in time or $$$.


Really just semantics... unless somebody gets creative.
 
But if the router is patched (non-client) it will not replay the key for the man-in-the-middle to decode. It will force new keys to be sent only once until connection without possible reinstallation on client. At least according to CERT and several vendors.

That "fix" carries a risk of creating compatibility issues, and is currently only available for hostapd AFAIK. Broadcom does not use hostapd, they use their own software stack.
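
Added example (not part of the thread, and not applicable to Broadcom's own stack): on hostapd-based access points the AP-side workaround discussed above is the `wpa_disable_eapol_key_retries` option in hostapd.conf. This Python check lists the BSS blocks that use WPA without it; the sample config and function names are constructed, and it assumes options are not inherited by later `bss=` blocks.

```python
# Constructed sample hostapd.conf (not taken from any real device).
SAMPLE_CONF = """\
interface=wlan0
ssid=home-main
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_disable_eapol_key_retries=1

bss=wlan0_1
ssid=home-iot
wpa=2
wpa_key_mgmt=WPA-PSK
"""


def parse_bss_sections(text):
    """Split hostapd.conf text into one dict per BSS.

    Assumption: options apply to the most recent interface=/bss= line and
    are not inherited by later bss= blocks.
    """
    sections = [{"name": None}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        if key == "interface":
            sections[0]["name"] = value
        elif key == "bss":
            sections.append({"name": value})
        else:
            sections[-1][key] = value
    return sections


def unprotected_bss(text):
    """Return names of WPA-enabled BSSes lacking the retry workaround."""
    flagged = []
    for bss in parse_bss_sections(text):
        uses_wpa = bss.get("wpa", "0") != "0"
        hardened = bss.get("wpa_disable_eapol_key_retries", "0") == "1"
        if uses_wpa and not hardened:
            flagged.append(bss["name"])
    return flagged


if __name__ == "__main__":
    for name in unprotected_bss(SAMPLE_CONF):
        print(f"{name}: wpa_disable_eapol_key_retries is not set to 1")
```

As the posts above note, this setting only makes the attack harder against unpatched clients and can cause compatibility problems; patching the clients remains the actual fix.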
 
So this thread has me thinking....yes my Windows systems should be updated by now (I haven't actually confirmed this yet), my modern iOS devices and modern Android devices "should" be getting an update....but what about my webcams and older tablets? You know...all of those other misc devices sitting on the network that may not be getting maintenance updates anymore?

I know sitting on my WiFi network I have an original iPad, an iPad2, a Galaxy S3, a Nook HD+, a couple of Kindles (2nd gen), a couple of 2nd/3rd gen Apple TVs, two Brother printers, and a couple of IP Cameras.....all of which I do not believe have any type of vendor support anymore. In theory, the rest of my WiFi devices are slightly more modern and should be getting updates from the vendors at some point.
 
Actually, this is my personal home network. Like Michael, I have a Brother printer, a couple of Roku, a "smart" Vizio TV, a PS3 and PS4, and some older Android devices. With the printer, about the worst thing that would happen would be someone griefing me by sending a bunch of garbage data to it. If I understand correctly, someone needs to be in wifi range of both the printer and router. They'd have to be quite close since the printer is in the middle of the basement.

My current plan is to try John's new alpha firmware which includes a krack fix. Then I'll probably delete all the streaming stuff from the TV, since that is likely never to be patched. The older Android phones are the biggest problem since they won't just be used on my network.
 
