FIRMWARE:OpenWrt SNAPSHOT r8217-2cc821e / LuCI Master (git-18.276.41146-280dd33) MODEM:ARRIS SURFBoard SB8200 ROUTER:Linksys WRT32X USB NAS:Western Digital BLACK 1 TB Hardrive + Startech USB 3.0 External SATA III Enclosure
"KRACK" targets three key exchanges - the PTK exchange, the GTK exchange, and the FT handoff.
The PTK and GTK attacks are aimed at clients.
The FT attack is aimed at the router, and happens when you roam under 802.11r. If you don't have 802.11r, you're good. If you do, update it. If you can't, disable it. Otherwise, you're vulnerable - probably. Remember - you don't have to run a BSS to be vulnerable, the attacker can (and likely will) bring their own device and force a roam on your Client(s), and this particular key reinstallation, as opposed to the others, can be repeated indefinitely. So yes, in specific scenarios the router needs an update.
As to whether you're safe if you update one or the other (but not both): you're safe from the attacks that targeted that side. The other side, if it was vulnerable, still is.
Particularly so if you use GCMP, because attacking GCMP on either side allows forging bidirectional messages, essentially giving the attacker exactly the same privileges as the Client (otherwise you can only forge unidirectional messages (TKIP) or can only hijack streams (CCMP)).
Hope this clears any remaining doubts.
Cheers
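An added example, not part of the original post: a small audit for the router-side advice above, which reports per BSS whether 802.11r (FT) key management is configured and which impact the post gives for each pairwise cipher in use. It assumes the AP runs hostapd and that its generated config uses standard hostapd.conf keys (`wpa_key_mgmt`, `rsn_pairwise`, `bss`); the sample config is constructed.

```python
# Impact per pairwise cipher family, as stated in the post above.
IMPACT = {
    "TKIP": "forge unidirectional messages",
    "CCMP": "hijack streams",
    "GCMP": "forge bidirectional messages",
}

# Constructed sample in hostapd.conf syntax (assumed format, not from the thread).
SAMPLE_CONF = """\
interface=wlan0
ssid=home-5g
wpa=2
wpa_key_mgmt=WPA-PSK FT-PSK
rsn_pairwise=CCMP GCMP
mobility_domain=a1b2
bss=wlan0-1
ssid=guest
wpa=2
wpa_key_mgmt=WPA-PSK
# wpa_key_mgmt=FT-PSK
rsn_pairwise=CCMP
"""

def audit_hostapd(text):
    """Return one finding per BSS: FT (802.11r) status and cipher impact."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("interface", "bss"):  # each one opens a new BSS section
            current = {"bss": value, "akms": [], "ciphers": []}
            sections.append(current)
        elif current is None:
            continue  # settings before any interface line are ignored
        elif key == "wpa_key_mgmt":
            current["akms"] = value.split()
        elif key in ("rsn_pairwise", "wpa_pairwise"):
            current["ciphers"] += value.split()
    findings = []
    for s in sections:
        ft = sorted(a for a in s["akms"] if a.startswith("FT-"))
        families = sorted({c.split("-")[0] for c in s["ciphers"]})  # GCMP-256 -> GCMP
        impact = {f: IMPACT[f] for f in families if f in IMPACT}
        findings.append({"bss": s["bss"], "ft_enabled": bool(ft),
                         "ft_akms": ft, "impact": impact})
    return findings

if __name__ == "__main__":
    for finding in audit_hostapd(SAMPLE_CONF):
        print(finding)
```

A BSS reported with `ft_enabled` set is the case where the post's "update it, or disable it" advice applies to the router; the script cannot tell whether the running hostapd build is patched.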
Thanks for this.
I see sites recommending to use a VPN until a fix is available; are they recommending the use of an external VPN provider? Or is it enough to have clients in a home network connect to the ddwrt router that is running an OpenVPN server?
Does that offer any additional protection, or no extra protection because the server would be on the same network as an intruder who used KRACK to get access?
Joined: 05 Apr 2017 Posts: 981 Location: Louisiana, USA
Posted: Wed Oct 18, 2017 3:48 Post subject:
Someone may have already posted this link (didn’t check), but this article is by the person(s) who actually discovered the vulnerability. Much easier read.
I see no significant report or log in this thread. That's the problem.
r31924 was the last stable release of DD-WRT for the WRT1900AC v1. All later versions result in unexpected reboots after a random period of running. Sometimes hours, sometimes days.
This has been discussed here in numerous threads and by many users.
r31924 is solid on this router and never reboots spontaneously.
Those of us who still have a WRT1900AC v1, either run this version of DD-WRT, or have switched to LEDE.
The assumption, for some time now, is that this reboot issue will never get fixed.
I'm running version 1 with firmware 33772 and I haven't encountered any problems so far (up 5 days so far). It's configured as a client bridge, 5 GHz, VHT80 (stats show connection rate with the wrt3200acm AP as 1170 Mb), kernel 4.9.62.
As far as protection against KRACK for any of my Marvell based routers goes (wrt1900acs, wrt3200acm), I don't know if it has been done and I'm not aware of any tools to check to see if the routers are patched.