So what changes on our end with respect to wifi security need to be made to ensure we're using AES-CCMP and not GCMP? I'm confused about this... Or is there nothing that can be done on AC routers to implement this?
Last edited by Cantenna on Mon Oct 16, 2017 18:03; edited 1 time in total
My initial understanding of this flaw (I haven't fully digested everything about it) is that this is more of a client issue than an AP issue.
It sounds like one of the methods of attack is setting up a rogue AP with the same SSID and convincing the client to attempt to connect, then attacking it. No fix in the legitimate AP is going to stop the client wandering to a more tempting rogue AP.
Once the client is attacked and the key gained, it doesn't matter if your legitimate AP is patched or not. The attacker still has the valid key to connect to the legitimate AP.
In the meantime this is even more reason to keep wifi on your device turned off when out in public, since some of these clients may still have the flaw where they broadcast the most recent APs they have been associated with while trying to find those APs to reconnect. An attacker could pick up these broadcasts, set up a rogue AP matching one of those broadcast SSIDs and attack.
Been reading various articles to digest as well; my read: the fix needs to be implemented at router level and that is incoming courtesy of BrainSlayer, and once you've got that fix, deploy an OpenVPN setup and make sure from here on to always connect to your home router via OpenVPN whenever, or wherever, you go, and you'll be protected from eavesdropping.
Looking forward to experimenting with Tasker to auto-VPN when wifi is up and I'm not at home.
What happens in the case of a patched router and an unpatched client? Is it still vulnerable?
Based on what I read, in this usage scenario, you should be protected.
"Depending on the type of handshake being used between the nodes on the Wi-Fi network, the attack can do varying levels of damage"
So it seems the vulnerability is composed of multiple vulnerabilities, but the exposure is determined by the above quote.
So while the vulnerability may still be present on the client side, you can protect yourself away from home by OpenVPN to the patched router.
I'd think the client is still the big part here. Because even if the AP is patched, if your device is still vulnerable when you're out in public your key could still be obtained. Even if you were VPNed, your device still has to set up the wifi connection before the VPN can run over it. If the attacker knew you, then you could be targeted: wait till you are out somewhere away from your home AP, wait for your device to try connecting to your home AP, set up a rogue AP to look like your home AP, then get your key. They now have full access to your home network once they are in range of it. You could also replace "home" with "corporate network" in the above. Hopefully a corporate network is using RADIUS, but some small companies may not.
The problem with the above is slightly older devices that aren't patched from a previous wifi vulnerability. Basically, as long as your wifi is turned on, your phone is going through its list of preferred APs that you have saved the keys for, essentially shouting out "hey, AP so-and-so, are you out there? I want to connect."
This is why it has been best practice for some time to keep your wifi off when not using it. Evil ad companies/stores could use the APs you've previously been on as a type of signature for their wifi beacon tracking BS, an evildoer looking to target employees of a specific company could look for devices that are trying to connect to known company AP names, and now we have this new vulnerability.
For the most part I agree, but the exposure you stated above exists regardless of the client being KRACK-patched or not, and someone trying hard enough will still get through.
Ultimately clients do need to be updated, but this is an unrealistic and possibly costly solution... it's likely that, to properly fix this issue, consumers will have to purchase new devices...
Nothing is perfect; it's all vulnerable to some degree if you poke the bear long enough. OpenVPN is a pretty damn good solution though, and I trust it.
This is why third-party software is awesome.
My Galaxy 7 is already patched with LineageOS (well, AOKP).
I don't need to wait for an official patch from my service provider, which may only be available in several weeks, as Google only plans to start deploying it on Pixel at first, and only by November 6. So it can take a very long time to see service providers pushing an update to all their phones.
Agreed! Always buy an unlockable bootloader and move to the LineageOS/XDA community for security support.
Last edited by Cantenna on Tue Oct 17, 2017 3:51; edited 1 time in total
Reading some more into this around various forums. It sounds like this issue is totally a client issue. Patching the AP is NOT going to fix unpatched clients.
The patches that are being put into DD-WRT have to do with the wifi client portion, where DD-WRT can be a client on a wifi network either in repeater mode or Ethernet-to-wifi bridge mode.
"Depending on the type of handshake being used between the nodes on the Wi-Fi network, the attack can do varying levels of damage"
So ultimately it does seem that the router sets the stage...
It would be nice if BS or Kong would post something regarding what exactly is affected and what they are patching in DD-WRT.
Agreed, especially because this news is being discussed now on most news broadcast stations.
Also some confusion regarding GCMP and CCMP: I've read it's recommended to use the old CCMP AES WPA2 encryption for the time being, not TKIP or the new GCMP (which is what I've been doing for ages anyway; well, I haven't been using TKIP, but GCMP I'm unsure about...).
I'm not aware that I have ever used GCMP encryption, that I know of at least, and recent BrainSlayer logs seem to suggest that GCMP was only introduced in September, so pre-September DD-WRT builds had no GCMP support?
Or (and this is what I am confused about) do all newer AC-capable routers such as the WRT1900ACS utilize GCMP on a hardware level, as it's what makes faster wifi speeds possible, and can we degrade the wifi settings in any way through the GUI to disable the use of GCMP and use CCMP AES?
Would like to get some confirmation here as well. Google DDWRT+GCMP = not a lot of info...
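One way to answer the CCMP-vs-GCMP question from the client side, as an added example that is not from this thread or from DD-WRT: a small Python audit that parses the RSN block of `iw dev <iface> scan` output and flags any network advertising TKIP or GCMP as its group or pairwise cipher. The scan text embedded below is a constructed sample with made-up SSIDs and BSSIDs.

```python
# Constructed sample in the shape of `iw dev wlan0 scan` output (RSN block only).
# SSIDs and BSSIDs are placeholders, not real networks.
SAMPLE_SCAN = """\
BSS 00:11:22:33:44:01(on wlan0)
    SSID: home-ccmp
    RSN:     * Version: 1
             * Group cipher: CCMP
             * Pairwise ciphers: CCMP
             * Authentication suites: PSK
BSS 00:11:22:33:44:02(on wlan0)
    SSID: legacy-mixed
    RSN:     * Version: 1
             * Group cipher: TKIP
             * Pairwise ciphers: CCMP TKIP
             * Authentication suites: PSK
BSS 00:11:22:33:44:03(on wlan0)
    SSID: fast-gcmp
    RSN:     * Version: 1
             * Group cipher: GCMP
             * Pairwise ciphers: GCMP
             * Authentication suites: PSK
"""


def parse_scan(text):
    """Map each SSID to its advertised group cipher and pairwise cipher list."""
    networks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BSS "):            # a new access point starts here
            current = {"group": None, "pairwise": []}
        elif current is None:
            continue
        elif line.startswith("SSID:"):
            networks[line.split(":", 1)[1].strip()] = current
        elif "Group cipher:" in line:
            current["group"] = line.split(":", 1)[1].strip()
        elif "Pairwise ciphers:" in line:
            current["pairwise"] = line.split(":", 1)[1].split()
    return networks


def audit(networks):
    """Return {ssid: sorted list of discouraged ciphers}; an empty list means CCMP only."""
    def discouraged(c):
        return c == "TKIP" or c.startswith("GCMP")
    return {ssid: sorted({c for c in [n["group"]] + n["pairwise"]
                          if c is not None and discouraged(c)})
            for ssid, n in networks.items()}


if __name__ == "__main__":
    for ssid, bad in audit(parse_scan(SAMPLE_SCAN)).items():
        print(f"{ssid}: {'OK (CCMP only)' if not bad else 'uses ' + ', '.join(bad)}")
```

On a Linux client you can replace `SAMPLE_SCAN` with the real text of `iw dev wlan0 scan` to check what your own AP is advertising.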
Welp, just set up my S8+ to auto-connect to the router via OpenVPN whenever wifi is up and drop when it's down...
I run LineageOS as well. Is LineageOS already patched? My understanding is Google is still working on patches to be released in the November security release. So those patches likely aren't going to make it to AOSP and LineageOS until after Google makes that November release, unless the LineageOS guys have rolled their own patch. I honestly haven't gotten to reading up on what's going on with LineageOS much yet.
I haven't checked for LineageOS specifically, but AOKP sure did.
I'm a little confused on this after reading several other sites about KRACK... Windows updates patched this on the 10th (at least Windows 10 and 7)... Android and Linux are not patched yet. Most routers are not patched, and it appears DD-WRT will be patched with the release of 33525 (hopefully tomorrow)... My confusion is: if either the router OR the client is patched, does that eliminate the vulnerability, or do BOTH client and router need to be patched?
Posted: Tue Oct 17, 2017 9:02
So, with KRACK patched in r33525, but with DD-WRT reportedly not stable on the WRT1900AC v1 beyond r31924 (thanks to the newer kernel), what are people's thoughts? Time to upgrade my hardware?