Updated List of WPA-2 KRACK Patches in Consumer Routers


[Update, 22-Nov-2017, 1:30pm EST: Added info from Linksys about their recent KRACK updates]

The newly reported WPA-2 Wi-Fi vulnerability commonly known as KRACK (Key Reinstallation AttaCK) diminishes the potential security of almost all password-protected Wi-Fi connections in use today. It is more formally tracked as CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088, and many router vendors are already issuing firmware patches to fix it.

Client Devices Also Need to Be Updated to Protect Against KRACK

It’s important to note that client devices – that means everything from your iPhone and Macs all the way down to your Wi-Fi-connected printers and webcams – also need to be patched to fully protect against this. Based upon this hostap posting it seems routers can be set to not allow clients who retry the vulnerable key negotiation, thereby blocking this type of attack, but it may come at a cost of denying some clients entry.

Several vendors have released patches already, and we expect more to be coming. Where known, we’ll include details of how much protection is included in the patch.

List of Routers and KRACK-related Firmware Updates

Here’s what we know from consumer-focused router vendors who have either made public statements or provided information directly to us here at The Mac Observer (sorted alphabetically):

  • Apple: Apple doesn’t seem to think their routers are affected and instead are focusing on updating client devices, though that doesn’t make sense given what we know about KRACK combined with the fact that their last update was 10 months ago.

    Update 19-Oct-2017: we still haven’t heard anything concrete from Apple, but it’s possible AirPort/Time Machine hardware acts similarly to the TP-Link stuff below, blocking this attack by not entirely following the WPA-2 spec.

    On the client side, current betas of macOS, iOS, tvOS, and watchOS all contain the fixes, which means we’ll likely see those available in the coming weeks. Hopefully Apple will release fixes for older OSes, too, for folks whose hardware can’t run the latest.
  • Asus: Nothing yet. Update 19-Oct-2017: At 01:46am this morning, ASUS posted to their forums that they’re aware of and investigating a patch in partnership with their chipset vendors. No ETA other than “soon”.
  • DD-WRT: Changeset 33525 appears to contain the fix (and has code to peruse for anyone truly interested in what the fix contains). That means anything with a release number equaling 33525 or higher contains the patch. KONG released a test 33525 build to his personal TEST repository and the latest 33525 Brainslayer release is also now available.
  • D-Link: In a statement on their website, D-Link says, “D-Link has requested assistance from the chipset manufacturers. As soon as patches are received and validated from the chipset manufacturers, D-Link will post updates on its website support.dlink.com immediately.”
  • eero: eeroOS version 3.5 addresses router-related KRACK vulnerabilities and is available for all customers. Launch your eero app for the firmware update.
  • Google Wi-Fi: In a statement to CNET, Google said, “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.”
  • Linksys (Belkin): Most routers, including Linksys’ Velop Mesh system, have been updated to address KRACK [Updated 11/22/2017].
  • NETGEAR has posted a security advisory, detailing every affected device and firmware version. Many devices, including their Orbi mesh product, do not yet have firmware updates available to patch KRACK, so be sure to check regularly over the coming days and weeks for updates.
  • Synology: SRM 1.1.5-6542-3 has been released for both the Synology RT2600ac and RT1900ac routers and appears to contain fixes for the entirety of the KRACK vulnerabilities.
  • TP-Link: In their forums, TP-Link posted, “TP-Link is aware of the flaws (KRACK) in the WPA2 protocol. We are now investigating if our products are affected by the vulnerabilities. Once verified, will release an announcement on the official website about the affected products, and offer software fixes for them. We will keep updating here as well.” A follow-up post says that “beta releases should be available in the coming weeks.” Update 19-Oct-2017: TP-Link posted to their forums:

    “According to the 802.11 Wi-Fi standard, an AP (authenticator) will check and accept Replay Counter value that already used in message to the client during the 4-way handshake, which is one of its vulnerabilities. Maybe some APs, as the author mentioned, will work fully in accordance with the 802.11 standard, but we can confirm that TP-Link isn’t involved with this vulnerability from the code level. TP-Link APs/Routers will check the replay counter value in message 4, and if it’s a value already used, will reject the packet. Thus we clarify that routers/gateways working in default router mode or access point mode (as an Authenticator) will not be affected by the vulnerabilities.”

    The TL;DR on this is that TP-Link says they didn’t quite follow the Wi-Fi spec and don’t allow recurring uses of the Replay Counter variable, therefore blocking this attack, even from the client.

  • Ubiquiti: Ubiquiti has updated both their Enterprise products (version 3.9.2) as well as their AmpliFi mesh products (version 2.4.3) to protect against KRACK.
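The difference TP-Link describes, between an authenticator that accepts any Replay Counter value it has already used in the handshake and one that rejects anything but the latest, can be seen in a small model. This is an added example, not TP-Link's, hostapd's or any vendor's code; the class, policy names and scenario are hypothetical, and MIC validation and key derivation are deliberately left out.

```python
# Simplified model of an authenticator's replay-counter check on message 4
# of the WPA2 4-way handshake. Names and policies are hypothetical.

class Authenticator:
    def __init__(self, policy):
        if policy not in ("any_used", "latest_only"):
            raise ValueError("unknown policy: " + policy)
        self.policy = policy
        self.counter = 0     # last replay counter sent to the client
        self.sent = set()    # every counter sent during this handshake

    def _send(self, msg_no):
        self.counter += 1
        self.sent.add(self.counter)
        return {"msg": msg_no, "replay_counter": self.counter}

    def send_msg1(self):
        return self._send(1)

    def send_msg3(self):
        # Also called on timeout: a retransmitted message 3 gets a new counter.
        return self._send(3)

    def receive_msg4(self, replay_counter):
        if self.policy == "any_used":
            # Behaviour the TP-Link statement attributes to the standard.
            return replay_counter in self.sent
        # Behaviour TP-Link claims for its own devices: only the counter of
        # the most recent message is acceptable.
        return replay_counter == self.counter


def run_scenario(policy):
    """Message 3 is sent twice; a reply to the FIRST copy arrives late."""
    ap = Authenticator(policy)
    ap.send_msg1()                               # counter 1
    first = ap.send_msg3()["replay_counter"]     # counter 2
    second = ap.send_msg3()["replay_counter"]    # counter 3 (retransmission)
    stale_ok = ap.receive_msg4(first)            # reply to the old message 3
    latest_ok = ap.receive_msg4(second)          # reply to the newest one
    return stale_ok, latest_ok


if __name__ == "__main__":
    for policy in ("any_used", "latest_only"):
        print(policy, run_scenario(policy))
```

The stricter policy also rejects an honest client whose reply to the first message 3 was merely delayed, which is the compatibility cost mentioned earlier for blocking retried negotiations.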

CERT is also maintaining a list, as are iMore and FixKRACK. If you have more information or questions, please post in the comments below. We’ll keep this article updated with anything that we (or you!) find.

9 thoughts on “Updated List of WPA-2 KRACK Patches in Consumer Routers”

  • I’m trying to contact the vendors for my IOT devices that use wifi, and checked with ecobee, who indicated that their thermostats are NOT susceptible to KRACK. To quote their response,

    “ecobee is aware of the industry-wide vulnerability in WPA2 referred to as KRACK. The sacristy of our customers is very important to us, and we have confirmed that ecobee device security is not impacted by this issue.”

    Hoping others will be so prompt in their response!

    John

  • it’s possible AirPort/Time Machine hardware acts similarly to the TP-Link stuff below, blocking this attack by not entirely following the WPA-2 spec

    Dave, if as you’ve posited that Apple’s AirPort & Time Capsule range isn’t vulnerable because Apple didn’t follow the WPA2 protocol as written, then that is a good thing, but at the same time, it’s a little disconcerting that someone as big as Apple is ignoring the specs as “promulgated”

  • My understanding from reading the Krebsonsecurity paper was that this is a vulnerability that can be fixed at the client end which overcomes the need to fix the AP.

    Not to say that AP’s shouldn’t be patched also, but that the sniffing vulnerability can be closed off by updating the wpa_supplicant code in the client O/S.

    Using physical cables is a better solution – WiFi is still not good at reducing latency and it’s still a SHARED medium which Ethernet switches easily overcome.

  • Once again, Apple routers are best! Synology having such a quick fix tells me they are my next router, if Apple stops making routers. All the “fast and frequently updated” mesh routers, ie glorified wire taps, are all afk.

    1. I am not convinced that Apple routers are patched for this at all. We’ve asked Apple for details about why they feel the way they feel about their routers, and will report back when we get something.

      The fact that only beta versions of Apple’s client software have KRACK-related updates tells me that the routers are likely still affected in some way, too. Apple’s routers last saw an update in December, 2016, long before KRACK was even initially announced in May, 2017.

      Remember, KRACK highlights a vulnerability with the WPA-2 Standard, not some specific codebase. Everything that I understand about KRACK tells me it’s nearly impossible that someone’s year-old WPA-2 code would not be affected.

      1. Well if they are not, it’s going to be a huge uproar on this. They had that 7.7.8 patch released out of the blue 9 months ago (December 20, 2016). Conceivably it had a fix for this by divine providence, but it would be earlier than the paper submission.

        So I’m inclined to put on my foil hat on this too. It’s a big story if you’re right. Telling people ‘everything is cool with your router’ when it’s not is a huge mistake IMO.
