KRACK Vulnerability and DD-WRT

From DD-WRT Wiki

Revision as of 09:35, 22 October 2017 by Tmittelstaedt (Talk | contribs)

Overview

The KRACK vulnerability was announced on 10/17/2017 and is the most significant networking vulnerability since Heartbleed. It is documented here [1] by its finder. The vulnerability allows an attacker within wifi range of both the access point and the wifi client to tap into a connection protected with WPA2 and read the data going over it in the clear.

Extent of vulnerability

Some of the locations that are affected:

  • Inner city housing with residential homes close together. In many cities the average home can see dozens of SSID advertisements from neighbors' wifi routers.
  • Apartment buildings, multiplexes, duplexes and other shared housing situations
  • Multi-tenant commercial buildings
  • Coffee shops, airport waiting rooms, hotels
  • Hospitals and medical wifi networks

Types of WiFi access points and routers potentially affected:

  • Any dd-wrt router running Brainslayer builds older than build 33525 (10/17/2017), or any obsolete build (old Kong builds, Eko builds, one-off builds such as the CrushedHat IPv6-in-4MB build, and personal builds created by users from source before 10/17/2017)
  • Any AP or router running any firmware released before 10/17/2017
  • ISP-supplied cable modems, DSL modems, and routers that have not been patched
  • Devices running OpenWRT firmware released before the vulnerability was announced
  • Wireless cellular "hotspot" devices such as the Verizon MiFi
  • Cellular phones configured for tethering.
  • Vehicle cellular devices that provide WiFi for vehicle occupants (some new cars do this)

Types of WiFi clients affected:

  • All cellular phones running Android, iOS or Windows Phone that have not been patched. As of 10/22/2017 neither Apple nor Google has released patches.
  • Industrial scanning guns that use WiFi (handheld barcode scanners, etc.)
  • Mobile medical scanners and other medical systems that use WiFi networks
  • Unpatched operating systems on which the users have disabled automatic patching
  • Obsolete operating systems (Windows XP, older MacOS X)

Impact to DD-WRT

There are dozens if not hundreds of models of WiFi routers that will NEVER be patched by their manufacturers, either because the manufacturer no longer exists or because it refuses to release updates. For example, the purchase of Linksys by Cisco and the later sale of Linksys to Belkin created tens of orphaned models. There are MANY wifi vendors who refuse to devote programmer time to rebuilding firmware for models that they have stopped selling. Some, such as Cisco, have formal End Of Life processes in which the company unequivocally states that after the EoL date, NO further firmware updates will be provided.

While it is probably a truism that the majority of residential users think a firmware file is a manila folder, there is a serious issue for businesses. Many businesses have a "patch or toss" approach: if a device is considered obsolete by its manufacturer with no firmware forthcoming, the business has no choice but to retire the gear.

It may be that this will lead to increased use of dd-wrt in businesses. It may also be that a flood of used WiFi gear comes onto the market as a result of accelerated gear retirement. Certainly there will be increased interest in dd-wrt as a way of prolonging gear service life.

Mitigation steps other than patching clients and routers

Encrypting the data between the application and the server in the PC or phone operating system, before it is sent over the wifi network, is another way to protect against a KRACK attack. HTTPS, IMAP and POP3 over SSL, and VPN clients running in the client operating system are some examples of how this can be done.

Atheros-based dd-wrt routers can disable EAPOL Key Retries to block this attack, as discussed here [2].
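As an added example (not DD-WRT project code), the Python below shows what that setting removes: it parses constructed EAPOL-Key frames laid out per the 802.11 RSN key descriptor, classifies each 4-way handshake message from its Key Information flags, and flags any handshake in which the AP sent message 3 more than once, the retransmission the attack depends on. The sample frames are constructed here; a defender can run the same check over EAPOL frames pulled from a wireless capture to confirm an AP no longer retries.

```python
import struct

# Key Information flag bits of an EAPOL-Key frame (IEEE 802.11 RSN key descriptor).
KEY_PAIRWISE, KEY_INSTALL, KEY_ACK = 0x0008, 0x0040, 0x0080
KEY_MIC, KEY_SECURE, KEY_ENCRYPTED = 0x0100, 0x0200, 0x1000
# Flag combinations carried by the four handshake messages (0x0002 = descriptor version 2).
MSG1 = 0x0002 | KEY_PAIRWISE | KEY_ACK
MSG2 = 0x0002 | KEY_PAIRWISE | KEY_MIC
MSG3 = MSG2 | KEY_INSTALL | KEY_ACK | KEY_SECURE | KEY_ENCRYPTED
MSG4 = MSG2 | KEY_SECURE

def build_eapol_key(key_info, replay_counter):
    """Constructed test input: a minimal EAPOL-Key frame (zeroed nonce, MIC and
    key data) carrying the given Key Information flags and replay counter."""
    body = struct.pack("!BHHQ", 2, key_info, 16, replay_counter)  # descriptor type 2 = RSN
    body += bytes(32 + 16 + 8 + 8 + 16) + struct.pack("!H", 0)    # nonce, IV, RSC, ID, MIC, key data len
    return struct.pack("!BBH", 2, 3, len(body)) + body            # 802.1X header, type 3 = EAPOL-Key

def parse_eapol_key(frame):
    """Return (key_info, replay_counter) from a raw 802.1X EAPOL-Key frame."""
    if struct.unpack_from("!BBH", frame, 0)[1] != 3:
        raise ValueError("not an EAPOL-Key frame")
    _desc_type, key_info, _key_len, replay_counter = struct.unpack_from("!BHHQ", frame, 4)
    return key_info, replay_counter

def handshake_message(key_info):
    """Classify a 4-way handshake message (1-4) from its Key Information flags."""
    if key_info & KEY_ACK and not key_info & KEY_MIC:
        return 1
    if key_info & KEY_ACK and key_info & KEY_INSTALL:
        return 3
    return 4 if key_info & KEY_SECURE else 2

def find_msg3_retransmissions(frames):
    """Return [(frame index, replay counter)] for each message 3 repeated within one
    handshake (message 1 starts a new one); empty when the AP does not retry."""
    hits, msg3_count = [], 0
    for i, frame in enumerate(frames):
        key_info, replay_counter = parse_eapol_key(frame)
        msg = handshake_message(key_info)
        if msg == 1:
            msg3_count = 0
        elif msg == 3:
            msg3_count += 1
            if msg3_count > 1:
                hits.append((i, replay_counter))
    return hits

# Constructed capture: message 3 is re-sent (replay 2 -> 3) before message 4; the second, clean handshake is not flagged.
SAMPLE_CAPTURE = [build_eapol_key(m, r) for m, r in [(MSG1, 1), (MSG2, 1), (MSG3, 2),
                  (MSG3, 3), (MSG4, 3), (MSG1, 4), (MSG2, 4), (MSG3, 5), (MSG4, 5)]]
```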