[Security Flaws] Severe flaws called "KRACK" are discovered in the WPA2 protocol

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
1101112...

[Security Flaws] Severe flaws called "KRACK" are discovered in the WPA2 protocol

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
149 Reply
Mitigation?
2017-10-23 19:04:03

tplink wrote

1. So maybe you should check if your router/AP is accepting older replay counter.
According to the 802.11 Wi-Fi standard, an AP (authenticator) will check and accept Replay Counter value that already used in message to the client during the 4-way handshark, which is one of its vulnerabilities. Maybe some APs, as the author mentioned, will work fully in accordance with the 802.11 standard, but we can confirm that TP-Link isn't involved with this vulnerability from the code level. TP-Link APs/Routers will check the replay counter value in message 4, and if it's a value already used, will reject the packet.
Thus we clarify that routers/gateways working in default router mode or access point mode (as an Authenticator) will not be affected by the vulnerabilities.

2. and in addition it seems also below technique can be used against AP as per the research paper:
" it is still possible to indirectly attack them by performing a key reinstallation attack against the AP during an FT handshake" (see Section 5 - A Key Reinstallation Attack against the AP):
TP-Link APs don't make use of the 802.11r roaming protocol (some APs apply 802.11k/v instead). Thus can get rid of the vulnerabilities of an FT handshake implemented by 802.11r.

3. So maybe you should check if your AP/Router are affected about " not verify the authenticity (MIC) of this frame"
From the code level, we can confirm that TP-Link APs will check the MIC (Message Integrality Check) value during the 4-way handshake, thus can get rid of this vulnerability as well.

Thus if you use your W8970 in the default DSL modem router rode, it won't be affected by the vulnerabilities at all. Just update your Wi-Fi clients to avoid any attacks.




It isn't quite clear from the above whether TP-Link wireless routers, such as the TL-WDR4300, in not fully complying with the WPA standard, provide protection against unpatched Android clients being attacked whilst connected to their wifi networks.

Could you comment on that, please?

Obviously, an unpatched client is vulnerable when connected to other networks, but it would be helpful to know that there is zero risk when connected at home, if that is indeed the case.

The Q&A section at krackattacks.com states:


Can we modify an access point to prevent attacks against the client?

Yes, it is possible to modify the access point such that connected clients cannot be attacked. These modifications only prevent attacks when a vulnerable client is connected to such a modified access point. When a vulnerable client connects to a different access point, it can still be attacked.

Technically, this is accomplished by modifying the access point such that it does not retransmit message 3 of the 4-way handshake. Additionally, the access point is modified to not retransmit message 1 of the group key handshake. The hostapd project has such a modification available. They are currently evaluating to which extend this impacts the reliability of these handshakes. We remark that it's also possible to prevent attacks against clients by retransmitting the above handshake messages using the same (previous) EAPOL-Key replay counter. The attack against the group key handshake can also be prevented by letting the access point install the group key in a delayed fashion, and by assuring the access only accepts the latest replay counter (see section 4.3 of the paper for details).




In what way, if at all, do TP-Link wireless routers mitigate attacks against still-vulnerable clients?

Thanks in advance.
  0  
  0  
#102
Options
Re:[Security Flaws] Severe flaws called "KRACK" are discovered in the WPA2 protocol
2017-10-23 23:09:11
The consumer market for routers is full of choices. Most if not all suffer from the same vulnerability - they are consumer targeted devices intended to be sold en-mass and somewhat quickly retired or replaced by new hardware offerings. TP-Link, D-Link, Cisco etc make their money selling the router not from keeping the firmware patched and updated. Many of the nice to have reporting, logging and analysis tools present in firmware for commercial routers is intentionally left out of the public variant even though the hardware is perfectly capable of providing these features. Firmware updates are intentionally few and far between for consumer equipment. Less features means less consumer questions for support to answer.

DD-WRT is one's best bet to harness the full potential of your consumer router if installing that is a possibility for you. Don't let tp-link decide for you what features you are permitted to use with hardware you own. Do not allow yourself to be held hostage waiting for firmware updates that are never coming or have been deemed to be of low priority by the company.

Purchasing a commercial grade router usually provides frequent firmware updates with a focus on security and network functionality rather than flashy cases, crippled firmware and quick obsolescence. I have had good success with tp-link unmanaged switches but will never buy another tp-link router that isn't dd-wrt compatible and even then, I would probably pick a commercial router. Many routers in every company's consumer offerings have serious issues that never seem to get fixed.

Caveat emptor.
  0  
  0  
#103
Options
Re:[Security Flaws] Severe flaws called "KRACK" are discovered in the WPA2 protocol
2017-10-24 04:25:14
I will sell my 3 Archer Routers ASAP!!!
C20, C25, C7.
The importance that TP-Link has given this problem looks like a joke.
7 months, and they neither released a list of the affected models.
We have to laugh, because if we take it seriously, we will cry.
  0  
  0  
#104
Options
Access Points not mentioned
2017-10-24 09:14:51

tplink wrote

Hi All,

Please pay attention to the latest updates. If you're using a TP-Link router working in the default router mode or access point mode, please don't be worry as it actually won't be affected by the vulnerabilities. However, we will still release updates to fix the vulnerabilities in weeks when the router is working in the WDS bridging mode, which is disabled by default and rarely used in most user cases. As for range extenders that working in the RE mode, we will release fixes as soon as possible. Thanks.


I've been paying attention to the update this post since it was first made, I also logged a support request on the first day. I've yet to get a clear answer - is the TP-Link AP500 AC1900 affected? If so when will a patch be available. I purchased this only a 10 days from Amazon. Its eligible for return for another ~20days

A careful reading of the https://www.krackattacks.com page suggests that the primary problem lies with the clients. However this quote on the site stands out:

Will the Wi-Fi standard be updated to address this? There seems to be an agreement that the Wi-Fi standard should be updated to explicitly prevent our attacks. These updates likely will be backwards-compatible with older implementations of WPA2. Time will tell whether and how the standard will be updated.


Can we get a clear commitment from TP-Link that Access Points and Routers will upgraded to the new standard when hammered out? Again I ask because I need to decide if I'm keeping this or buying from a vendor who upgraded quickly.

Thanks
Mark Levison
  0  
  0  
#105
Options
Re:[Security Flaws] Severe flaws called "KRACK" are discovered in the WPA2 protocol
2017-10-25 00:51:00

mlevison wrote



Can we get a clear commitment from TP-Link that Access Points and Routers will upgraded to the new standard when hammered out? Again I ask because I need to decide if I'm keeping this or buying from a vendor who upgraded quickly.


Clearly, tp-Link is not a company to rely on for stellar customer issue support and firmware upgrades for their devices. My past technical support experience with this company has been awful. Farmed out customer support services rarely are of much use if one is not interested in endless requests to reboot or reinstall this or that by people who know less than you and are reading from a script. .

This is an article from Oct. 17. You may note with interest that tp-link is missing from the companies who have reported what they have done or plan to do with respect to KRACK. When it comes time to buy a new router, you may be well advised to select one from a company other than tp-link.

http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/
  0  
  0  
#106
Options
For your next router, choose wisely (hint: Not TP-LINK)
2017-10-26 03:47:13
Based on what I have read, when using devices in AP mode, it is important to update the clients. I don't use WDS/Wireless bridge so updating the router may not be urgent. I have my doubts about seeing firmware updates from TP-LINK any time soon.


I have two TP-LINK devices:


TL-WR700N v1.1 --> No TP-LINK firmware updates since 2014.
DD-WRT: Not compatible. :-(
Verdict: No firmware update expected. Possibly junk, but I rarely use this device.


C7 Archer v2 --> No TP-LINK firmware since 2016 (Canada version).
DD-WRT: Compatible. From what I understand DD-WRT cannot take advantage of hardware NAT acceleration so not sure if I will install right away.
Verdict: Waiting a little while, but likely switching to DD-WRT as I don't see TP-LINK updating.




As an aside I have an ancient Linksys WRT54GL v1.1 that I just updated with a newer version of DD-WRT to patch [dd-wrt.v24_vpn_generic.bin v3.0-r33525 10/17/17]
Verdict: When shopping for routers, make sure they are DD-WRT compatible!
  0  
  0  
#107
Options
Clarifying "Unaffected Product" List
2017-10-27 04:29:54
I have an Archer 3150 v1 router and an RE650 range extender. Latest firmware is over a year old for 3150. The list of "unaffected products" is unclear. It says:

Routers and gateways working in their default mode (Router Mode) and AP Mode


I searched manual and config screens for Router Mode or AP Mode and found no reference. But I am using it as a WiFi Router and not a bridge or repeater. So perhaps I am safe.

Then for Range Extenders it says:

Range extenders working in AP Mode


The RE650 is in a repeater mode rebroadcasting the same SSIDs to a very remote area of my house. So I believe this device IS affected. The last firmware release was 2017-05-24. I generally shy away from RE but this solved a problem for me quickly and I'd like to keep it operational.

I live in a very remote area so I can tolerate a few days wait for fixes, maybe even weeks. BUT...

I work on a shipping product in the IoT (robotics). The fact is we have already provided a fix to our product and the patch took us just a couple of hours to make and then a day to test against dozens of routers. I worked on this fix so I have seen the C/C++ source necessary to make fixes to this I am surprised there isn't a bit more urgency from WiFi router makers. A fix to our Ubiquiti systems was available the day the vulnerability leaked. WiFi router companies will be judged by their response to this security crisis! There is so much open source code, like the Linux sources and some of the open source router firmware replacements, that contain fixes you could use as example code. Please fix fast. I am fond of my TP-Link products and have been recommending them to friends. But as Head of Security & Privacy I have to consider response time to major security vulnerabilities.

This message is not meant to be arrogant but rather to explain that I am not sure the info at http://www.tp-link.com/en/faq-1970.html will be clear to everyone and that I have fixes to my own product, to my phones, tablets, and computers ALREADY. The Ubiquiti UniFi Pro APs I use in many of our facilities are already patched. So tick tock!
  0  
  0  
#108
Options
Re:[Security Flaws] Severe flaws called "KRACK" are discovered in the WPA2 protocol
2017-10-27 19:30:15
Good day Support,

I have read your statement on "WPA2 Security (KRACKs) Vulnerability Statement" , as published at http://www.tp-link.com/en/faq-1970.html on 10-19-2017 01:20:23 AM.
I am the owner of 3 x Auranet EAP115 V1 , which seem to be missing from both the "Unaffected TP-Link products list" and the "Affected TP-Link products list".
Can you please let me know if the Auronet EAP115 V1 is affected or not, and modify the online statement accordingly ?

Kind regards,
René Fennet
  0  
  0  
#109
Options
Re:[Security Flaws] Severe flaws called "KRACK" are discovered in the WPA2 protocol
2017-10-28 00:44:01
Been about a week and a half, my device still not patched. When can we expect what to be rolled-out for what devices?
  0  
  0  
#110
Options
Re:[Security Flaws] Severe flaws called "KRACK" are discovered in the WPA2 protocol
2017-10-28 01:22:10
What about TL-WA584RE v1?
  0  
  0  
#111
Options
Related Articles