Outside of enterprise hardware (which are either going live with patches today, or ninja patched their firmware weeks ago and are just updating patch notes this morning) they're generally worse.
For what its worth, my consumer grade Netgear WiFi router, which is a couple years old now and hasn't seen any firmware updates in a long time, has a new update posted.
Netgear is usually better than any other off the shelf router company, but still lacking in fixing security issues. All of the off the shelf router makers are pretty bad at security fixes, though. Most simply ignore the issues reported to them, and it is like pulling teeth to even get bug fixes.
Corporate and small business class wifi AP makers are usually pretty good about things like this, though. As noted in the article above, Aruba, Mikrotik, and Ubiquiti have already patched it.
I have several pieces of equipment including one access point all made by Ubiquiti. Ubiquiti has already pushed a firmware patch for this. Other major enterprise equipment manufacturers have probably pushed patches or in the process of. As for consumer grade wireless, no idea. There's a reason I jumped ship to Enterprise Lite.
Many of consumer routers' admin pass is the product model default. And even for those that don't, a surprising amount of passwords can be guessed within 5 tries.
I also doubt much of the most widely spread routers will even see a security patch related to this.
I saw a line of consumer routers that had randomly generated passwords that were included in an internal sticker. It was still advised to change the password, but with passwords like "melodiconion2783", it wasn't as easy to crack the default. However, since they got so many support calls about the default passwords, they reverted to their old ways of setting a single default password for all their models the next year. Stupid people will always be our bane.
How do you figure? Most non-technically-inclined people use an ISP-supplied router. All the big ISPs supply self-updating routers. FiOS, Comcast, etc. Heck, I now use FiOS' Quantum router for the simplicity (especially since I also use them for TV). Back in the Actiontec days I used a second router... not really worth the hassle now since the Quantum is good enough.
In this case that doesn't matter because the client (android) is the real problem. It is the client that reused the wrong key or uses a default all zero key (android). It's the clients that need to be updated.
Asus does have good router support. Netgear is pretty good too. TP-Link, while they make great routers, as abysmal support. Belkin, Linksys, and mostly D-Link, seem to be pretty lazy with firmware updates for older devices. I had a number of D-Link cameras fail after a botched firmware release a few years ago, requiring them to be sent in for warranty. Completely unacceptable.
What's interesting about this exploit though is we don't technically need new firmware for the router. imec claims it can be patched on the client. So essentially, Microsoft could issue an update for the network stack in Windows to patch WPA2. But it's growing pretty obvious though that WPA2 has had its run and we need another security model.
I agree on ASUS but Netgear is horrible. Maybe they used to be good but there is a major security flaw that exists in their 6xxx series routers that last I checked hadn't been fixed despite them knowing about it for well over a year. TP-Link does make above average hardware at below average prices but again their firmware updates seem to bit hit or miss in frequency. I agree with the rest being lazy. D-Link is beyond lazy. I had a router that was Xbox incompatible due to a firmware bug they never fixed! Not even one fix, I inherited another D-Link router, it needed to be rebooted every two hours because of a DHCP bug, again never fixed.
One thing to note is that most of the vulnerabilities listed here are attacks against the *client*, not the AP. I don't know if there's much mitigation that can be done on the AP side, but the main reason to update router firmware is to fix the vuln when using wireless repeater mode or wireless backhaul.
Of course, this does mean that all those un-updated android clients are problematic...
There is no update. The whole model is flawed. They will need to replace it, and "WPA3" will likely require new hardware as I suspect the forward approach will be to radically reconsider how security is implemented in wireless devices, possibly a dedicated security ASIC.
This is a mic drop from imec-Distrinet, because odds are this exploit has been used by the CIA and other governments for some time.
Before someone trolls me, I want to clarify that while this exploit can be patched according to imec, the security model needs to be updated. They point out in their Q&A that either the client or host (router) can be patched to fix the flaw, but none the less leave the door open to a next generation standard being needed in the near future.
I always was annoyed there was no WPA3 by now. WPA2 wasn't bulletproof before this, especially if the router and/or client uses a problematic/flawed implementation. My personal favorite line from the article:
"Unfortunately, in the KRACK scenario this technique backfires and results in a known, fixed key, making decrypting future transmissions too easy."
Does this affect routers? Or primarily our client devices? Fortunately I've yet to get any internet enabled appliances (to my knowledge anyways), so it's mostly just my computers and mobile devices. Hopefully Windows and Google (Pixel) will be relatively forthcoming with fixes on this.
A lot of this depends on where in world you are talking about - I personally don't believe in StatCounter assessment as accurate counter for usages - since most mobile devices ( phones and also tablets ) are connected to Internet all the time.
Also Android should not be count as Linux - if so you should also include iOS and all iPhone/iPads with OSX.
I am curious if fixing Routers means that even if device does not have that even if device is not patch then your wireless network is safe. I really concern that an unpatched Android device with all 0000's can snoop on ones personal network. I not worry about my own Androids - but others
The smart thing is to release patches before telling people about it before telling others there is an issue - at least Microsoft did that.
Full protection requires patching both ends of the connection. Form the researchers site:
"Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!"
We’ve updated our terms. By continuing to use the site and/or by logging into your account, you agree to the Site’s updated Terms of Use and Privacy Policy.
Facebook
Twitter
RSS
38 Comments
Back to Article
shabby - Monday, October 16, 2017 - link
How timely are router manufacturers with updates, better than android oem's?DanNeely - Monday, October 16, 2017 - link
Outside of enterprise hardware (which are either going live with patches today, or ninja patched their firmware weeks ago and are just updating patch notes this morning) they're generally worse.Bateluer - Tuesday, October 17, 2017 - link
For what its worth, my consumer grade Netgear WiFi router, which is a couple years old now and hasn't seen any firmware updates in a long time, has a new update posted.dgingeri - Tuesday, October 17, 2017 - link
Netgear is usually better than any other off the shelf router company, but still lacking in fixing security issues. All of the off the shelf router makers are pretty bad at security fixes, though. Most simply ignore the issues reported to them, and it is like pulling teeth to even get bug fixes.Corporate and small business class wifi AP makers are usually pretty good about things like this, though. As noted in the article above, Aruba, Mikrotik, and Ubiquiti have already patched it.
Ninhalem - Monday, October 16, 2017 - link
I have several pieces of equipment including one access point all made by Ubiquiti. Ubiquiti has already pushed a firmware patch for this. Other major enterprise equipment manufacturers have probably pushed patches or in the process of. As for consumer grade wireless, no idea. There's a reason I jumped ship to Enterprise Lite.crimson117 - Monday, October 16, 2017 - link
I'm worried most people will never flash update their home of small business router, assuming a software fix is even possible.crimson117 - Monday, October 16, 2017 - link
*home OR small business routerddriver - Monday, October 16, 2017 - link
Many of consumer routers' admin pass is the product model default. And even for those that don't, a surprising amount of passwords can be guessed within 5 tries.I also doubt much of the most widely spread routers will even see a security patch related to this.
dgingeri - Tuesday, October 17, 2017 - link
I saw a line of consumer routers that had randomly generated passwords that were included in an internal sticker. It was still advised to change the password, but with passwords like "melodiconion2783", it wasn't as easy to crack the default. However, since they got so many support calls about the default passwords, they reverted to their old ways of setting a single default password for all their models the next year. Stupid people will always be our bane.flyingpants1 - Monday, October 16, 2017 - link
Well, you're right. Most (almost all) routers and wi-fi devices will simply NEVER BE UPDATED.Wi-fi was never secure. That's why we used to have hardware wi-fi switches on laptops. Turn off your wi-fi.
Alexvrb - Monday, October 16, 2017 - link
How do you figure? Most non-technically-inclined people use an ISP-supplied router. All the big ISPs supply self-updating routers. FiOS, Comcast, etc. Heck, I now use FiOS' Quantum router for the simplicity (especially since I also use them for TV). Back in the Actiontec days I used a second router... not really worth the hassle now since the Quantum is good enough.beginner99 - Tuesday, October 17, 2017 - link
In this case that doesn't matter because the client (android) is the real problem. It is the client that reused the wrong key or uses a default all zero key (android). It's the clients that need to be updated.Despoiler - Monday, October 16, 2017 - link
Asus is on point with their vulnerability updates. They patch all the time and mostly they contain updates for vulns.DanNeely - Monday, October 16, 2017 - link
Do Asus routers automatically patch themselves?If not, 99.9% of them are going to be as badly off as the collection of routers that will never get a patch.
Samus - Monday, October 16, 2017 - link
Asus does have good router support. Netgear is pretty good too. TP-Link, while they make great routers, as abysmal support. Belkin, Linksys, and mostly D-Link, seem to be pretty lazy with firmware updates for older devices. I had a number of D-Link cameras fail after a botched firmware release a few years ago, requiring them to be sent in for warranty. Completely unacceptable.What's interesting about this exploit though is we don't technically need new firmware for the router. imec claims it can be patched on the client. So essentially, Microsoft could issue an update for the network stack in Windows to patch WPA2. But it's growing pretty obvious though that WPA2 has had its run and we need another security model.
Einy0 - Monday, October 16, 2017 - link
I agree on ASUS but Netgear is horrible. Maybe they used to be good but there is a major security flaw that exists in their 6xxx series routers that last I checked hadn't been fixed despite them knowing about it for well over a year. TP-Link does make above average hardware at below average prices but again their firmware updates seem to bit hit or miss in frequency. I agree with the rest being lazy. D-Link is beyond lazy. I had a router that was Xbox incompatible due to a firmware bug they never fixed! Not even one fix, I inherited another D-Link router, it needed to be rebooted every two hours because of a DHCP bug, again never fixed.rtho782 - Monday, October 16, 2017 - link
The issue is that this doesn't really attack the AP, vulnerable client devices are the problem.Your router might get an update, but will the wifi module on your aircon unit? Or some other random device on your LAN...
kepstin - Monday, October 16, 2017 - link
One thing to note is that most of the vulnerabilities listed here are attacks against the *client*, not the AP. I don't know if there's much mitigation that can be done on the AP side, but the main reason to update router firmware is to fix the vuln when using wireless repeater mode or wireless backhaul.Of course, this does mean that all those un-updated android clients are problematic...
Samus - Monday, October 16, 2017 - link
There is no update. The whole model is flawed. They will need to replace it, and "WPA3" will likely require new hardware as I suspect the forward approach will be to radically reconsider how security is implemented in wireless devices, possibly a dedicated security ASIC.This is a mic drop from imec-Distrinet, because odds are this exploit has been used by the CIA and other governments for some time.
Samus - Monday, October 16, 2017 - link
Before someone trolls me, I want to clarify that while this exploit can be patched according to imec, the security model needs to be updated. They point out in their Q&A that either the client or host (router) can be patched to fix the flaw, but none the less leave the door open to a next generation standard being needed in the near future.FunBunny2 - Monday, October 16, 2017 - link
"odds are this exploit has been used by the CIA and other governments for some time."to quote the former AG, "Lordy, I hope there are tapes."
ikjadoon - Monday, October 16, 2017 - link
Former FBI Director, though he was DAG for a short while.Alexvrb - Monday, October 16, 2017 - link
I always was annoyed there was no WPA3 by now. WPA2 wasn't bulletproof before this, especially if the router and/or client uses a problematic/flawed implementation. My personal favorite line from the article:"Unfortunately, in the KRACK scenario this technique backfires and results in a known, fixed key, making decrypting future transmissions too easy."
Ouch.
fred666 - Monday, October 16, 2017 - link
They are much worse. They generally do not patch a device they no longer sell.chuckh1958 - Monday, October 23, 2017 - link
Not at all. My actiontec mi242wr's firmware gets scheduled updates daily but has not received one for over a year.ddriver - Monday, October 16, 2017 - link
Oh wow, who would have thought. The industry is, after all, so great and competent.Drumsticks - Monday, October 16, 2017 - link
Does this affect routers? Or primarily our client devices? Fortunately I've yet to get any internet enabled appliances (to my knowledge anyways), so it's mostly just my computers and mobile devices. Hopefully Windows and Google (Pixel) will be relatively forthcoming with fixes on this.negusp - Monday, October 16, 2017 - link
APs and clients both need to be patched.Though, HTTPS mitigates most of the threats associated with this issue as long as an adherence to visiting HTTPS-only sites is kept.
ikjadoon - Monday, October 16, 2017 - link
Out of the blue: what sites aren't using HTTPS? I'm looking through my history to see who's not, but it's not finding any. Is there any easy way?Now I gotta found out why sites like Feedly show "https", but do not have the "Secure" logo.
Ian Cutress - Monday, October 16, 2017 - link
CNNOld_Fogie_Late_Bloomer - Monday, October 16, 2017 - link
CNN: News so Fake, We Don't Bother Delivering It to You SecurelySttm - Monday, October 16, 2017 - link
Microsoft, patched a week ago.Apple, in beta, weeks until formally out.
Linux, patched today.
So much for the security superiority of OSX.
shabby - Monday, October 16, 2017 - link
OSX's security superiority lies in its install base... since barely anyone uses it the amount of affected will be tiny.HStewart - Tuesday, October 17, 2017 - link
A lot of this depends on where in world you are talking about - I personally don't believe in StatCounter assessment as accurate counter for usages - since most mobile devices ( phones and also tablets ) are connected to Internet all the time.Also Android should not be count as Linux - if so you should also include iOS and all iPhone/iPads with OSX.
HStewart - Tuesday, October 17, 2017 - link
I am curious if fixing Routers means that even if device does not have that even if device is not patch then your wireless network is safe. I really concern that an unpatched Android device with all 0000's can snoop on ones personal network. I not worry about my own Androids - but othersThe smart thing is to release patches before telling people about it before telling others there is an issue - at least Microsoft did that.
DanNeely - Tuesday, October 17, 2017 - link
Full protection requires patching both ends of the connection. Form the researchers site:"Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!"
https://www.krackattacks.com/#faq
I believe that patching one end will mitigate some of the attacks; but this hasn't been made abundantly clear anywhere I've seen yet.
HStewart - Tuesday, October 17, 2017 - link
Sounds like to me that AP is probably most important - since unless a virus uses it - then why care especially in local house.phuyenxanh - Saturday, April 24, 2021 - link
Thanks, https://phuyenxanh.vn/