Krack Vulnerability!

Post new topic   Reply to topic    DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Goto page 1, 2, 3  Next
Author Message
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Mon Oct 16, 2017 16:22    Post subject: Krack Vulnerability! Reply with quote
https://www.xda-developers.com/wpa2-wifi-protocol-vulnerability-krack/#disqus_thread


So I guess now we wait for a patch for ddwrt...
Sponsor
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Mon Oct 16, 2017 17:58    Post subject: Reply with quote
So what changes on our end with respect to wifi security need to be made to ensure were using AES-CCMP and not GCMP, im confused about this... Or is there nothing that can be done on ac routers to implement this?

Last edited by Cantenna on Mon Oct 16, 2017 18:03; edited 1 time in total
cybrnook
DD-WRT User


Joined: 08 Jan 2014
Posts: 279

PostPosted: Mon Oct 16, 2017 17:58    Post subject: Reply with quote
Looking at the time line, I think BS already took care of it today. Just labeled as "fixes". Will be in any build 33525 or higher:

http://svn.dd-wrt.com/changeset/33525
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Mon Oct 16, 2017 18:26    Post subject: Reply with quote
He is a pretty remarkable guy if thats the case!!! Thank you!!

Just checked, hasn't been released yet.... eagerly waiting:)
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Mon Oct 16, 2017 19:01    Post subject: Reply with quote
d0ug wrote:
My initial understanding of this flaw (i haven't fully digested everything about it) this is more of a client issue than an AP issue.

It sounds like one of the methods of attack is setting up a rogue AP of the same SSID and convincing the client to attempt to connect then to attack it. No fix in the legitimate AP is going to fix the client wandering to a more tempting rogue AP.

Once the client is attacked and key gained it doesn't matter if your legitimate AP is patched or not. The attacker still has the valid key to connect to the legitimate AP.

In the meantime this is even more reason to keep wifi on your device turned off when out in public. Since some of these clients may still have the flaw where they broadcast out the most recent APs they have been associated with while trying to find the APs to reconnect. An attacker could pick up these broadcasts, setup a rogue AP matching one of those broadcasted SSIDs and attack.



Been reading various articles to digest as well, my read; fix needs to be implemented at router level and that is incoming curtsey of BryanSlayer and once you got that fix, deploy openvpn setup and make sure from herin to always connect to your home router via openvpn whenever, or wherever you go and youll be protected from eavesdropping.

looking forward to experimenting with tasker to auto vpn when wifi is up and im not at home Smile
shmerl
DD-WRT User


Joined: 08 Dec 2014
Posts: 129

PostPosted: Mon Oct 16, 2017 19:08    Post subject: Reply with quote
Cantenna wrote:
Been reading various articles to digest as well, my read; fix needs to be implemented at router level


What happens in case of patched router, and unpatched client? Is it still vulnerable?
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Mon Oct 16, 2017 19:28    Post subject: Reply with quote
shmerl wrote:
Cantenna wrote:
Been reading various articles to digest as well, my read; fix needs to be implemented at router level


What happens in case of patched router, and unpatched client? Is it still vulnerable?


Based on what I read, in this usage scenario, you should be protected.

"Depending on the type of handshake being used between the nodes on the Wi-Fi network, the attack can do varying levels of damage"

So it seems the vulnerability is compromised of multiple vulnerabilities but the vulnerability exposure is determined by the above quote.

So while the vulnerability may still be present on client side, you can protect yourself away from home by openvpn to patched router.
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Mon Oct 16, 2017 20:40    Post subject: Reply with quote
d0ug wrote:
Cantenna wrote:
shmerl wrote:
Cantenna wrote:
Been reading various articles to digest as well, my read; fix needs to be implemented at router level


What happens in case of patched router, and unpatched client? Is it still vulnerable?


Based on what I read, in this usage scenario, you should be protected.

"Depending on the type of handshake being used between the nodes on the Wi-Fi network, the attack can do varying levels of damage"

So it seems the vulnerability is compromised of multiple vulnerabilities but the vulnerability exposure is determined by the above quote.

So while the vulnerability may still be present on client side, you can protect yourself away from home by openvpn to patched router.


Id think the client is still the big part here. Because even if the AP is patched, if your device is still vulnerable when you're out in public your key could still be obtained. Even if you were VPNed, your device still has to setup the wifi connection before VPN can run over it. If the attacker knew you, then you could be targeted. Wait till you are out somewhere away from your home AP. Wait for your device to try connecting to your home AP. Setup a rouge AP to look like your home AP then get your key. They now have full access to your home network once they are in range of it. You could also replace home with corporate network in the above. Hopefully a corp network is using radius, but some small companies may not.

The problem with the above is slightly older devices that aren't patched from a previous wifi vulnerability. Basically as long as your wifi is turned on, your phone is going though its list of preferred APs that you have saved the keys for, essentially shouting out "hey AP so and so and you out there? I want to connect."

This is why it has been best practices for some time to keep your wifi off when not using it. Evil ad companies/stores could use the APs you've previously been on as a type of signature for their wifi beacon tracking BS, evildoer looking to target employees of a specific company could look for devices that are trying to connect to known company AP names, and now we have this new vulnerability.



For the most part I agree, but the exposure you stated above exists regardless of client being Krack patched or not and someone trying hard enough will still get through.

Ultimately clients do need to be updated, but this is an unrealistic and possibly costly solution... its likely, to properly fix this issue, consumers will have to purchase new devices...

Nothing is perfect, its all vulnerable to some degree if you poke the bear long enough, openvpn is a prettty damn good solution though and I trust it.
armkreuz
DD-WRT Novice


Joined: 24 Mar 2016
Posts: 40

PostPosted: Tue Oct 17, 2017 2:03    Post subject: Reply with quote
This is why third party software are awesome.
My galaxy 7 is already patched with Lineage OS ( well, AOKP ) Smile

I don't need to wait for an official patch from my service provider which can be only available in several weeks, as Google only plan to start deploying it on Pixel only at first, and only by November 6. So it can take a very long time to see service provider pushing an update on all their phones
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Tue Oct 17, 2017 2:08    Post subject: Reply with quote
armkreuz wrote:
This is why third party software are awesome.
My galaxy 7 is already patched with Lineage OS ( well, AOKP ) Smile

I don't need to wait for an official patch from my service provider which can be only available in several weeks, as Google only plan to start deploying it on Pixel only at first, and only by November 6. So it can take a very long time to see service provider pushing an update on all their phones


agreed! Always buy unlock-able boot-loader and move to lineage os/xda community for security support


Last edited by Cantenna on Tue Oct 17, 2017 3:51; edited 1 time in total
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Tue Oct 17, 2017 2:11    Post subject: Reply with quote
d0ug wrote:
Reading some more into this around various forums. It sounds like this issue is totally a client issue. Patching the AP is NOT going to fix unpatched clients.

The patches that are being put into DDWRT have to do with the wifi client portion where DDWRT can be a client on a wifi network either in a repeater mode or ethernet to wifi bridge mode.


Regarding the patches; hope more are coming.

Based on what I read here;
https://arstechnica.com/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/

"Depending on the type of handshake being used between the nodes on the Wi-Fi network, the attack can do varying levels of damage"

So ultimately it does seem that the router sets the stage...
Cantenna
DD-WRT User


Joined: 28 Feb 2011
Posts: 125

PostPosted: Tue Oct 17, 2017 2:58    Post subject: Reply with quote
d0ug wrote:
Cantenna wrote:
d0ug wrote:
Reading some more into this around various forums. It sounds like this issue is totally a client issue. Patching the AP is NOT going to fix unpatched clients.

The patches that are being put into DDWRT have to do with the wifi client portion where DDWRT can be a client on a wifi network either in a repeater mode or ethernet to wifi bridge mode.


Regarding the patches; hope more are coming.

Based on what I read here;
https://arstechnica.com/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/

"Depending on the type of handshake being used between the nodes on the Wi-Fi network, the attack can do varying levels of damage"

So ultimately it does seem that the router sets the stage...


Be nice if BS or Kong would post something in regards to what exactly is affected and what they are patching in DDWRT


Agreed, especially because this is news is being discussed now on most news broadcast stations.

Also some confusion regarding GCMP and CCMP; I've read, it's recommend to use old CCMP AES WPA2 encryption for the time being, not TKIP or new GCMP (which is what I've been doing for ages anyways, well, haven't been using TKIP but GCMP im unsure...)

I 'm not aware that I have ever used GCMP encryption that I know of at least, and recent Bryan Slayer logs seem to suggest that it GCMP was only introduced in September, so pre-Sept ddwrt builds had no GCMP support?

Or (and what I am confused about) do all newer AC capable routers such as the wrt1900ACS utilize GCMP on a hardware level as it's what make faster wifi speeds possible and can we degrade the wifi settings in any way through the gui to disable the use of GCMP and use CCMP AES?

Would like to get some confirmation here as well. Google DDWRT+GCMP = not a lot of info...

Welp, just setup my S8+ to auto-connect to rout via openvpn whenever wifi is up and drop when down...
armkreuz
DD-WRT Novice


Joined: 24 Mar 2016
Posts: 40

PostPosted: Tue Oct 17, 2017 3:56    Post subject: Reply with quote
d0ug wrote:
armkreuz wrote:
This is why third party software are awesome.
My galaxy 7 is already patched with Lineage OS ( well, AOKP ) Smile

I don't need to wait for an official patch from my service provider which can be only available in several weeks, as Google only plan to start deploying it on Pixel only at first, and only by November 6. So it can take a very long time to see service provider pushing an update on all their phones


I run lineage OS as well. Is Lineage OS already patched? My understanding is Google is still working on patches to be released in the November security release. So those patches likely aren't going to make is to AOSP and Lineage OS until after google makes that November release. Unless the Lineage OS guys have rolled their own patch. I honestly haven't gotten to reading up on whats going on with Lineage OS much yet.


I haven't check for Lineage OS specifically, but AOKP sure did.

http://xfer.aokp.co/AOKP/herolte/aokp_herolte_nougat_nightly_2017-10-16_changelog.html
DaveI
DD-WRT User


Joined: 06 Jul 2009
Posts: 333

PostPosted: Tue Oct 17, 2017 4:28    Post subject: Reply with quote
I'm a little confused on this after reading several other sites about KRACK...Windows updates patched this on the 10th (At least Windows 10 and 7)...Android and Linux are not patched yet. Most routers are not patched and it appears DD-WRT will be patched with the release of 33525 (hopefully tomorrow)...My confusion is if either the Router OR the Client is patched then does that eliminate the vulnerability or do BOTH Client and Router need to be patched?
jackspratUK
DD-WRT Novice


Joined: 08 Jul 2016
Posts: 13
Location: St Albans, UK

PostPosted: Tue Oct 17, 2017 9:02    Post subject: Reply with quote
So - with KRACK patched in r33525, but with DD-WRT reportedly not stable on the WRT-1900ACv1 beyond r31924 (thanks to the newer Kernel) what are people's thoughts? Time to upgrade my hardware?
Goto page 1, 2, 3  Next Display posts from previous:    Page 1 of 3
Post new topic   Reply to topic    DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.) All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum