[Update, 22-Nov-2017, 1:30pm EST: Added info from Linksys about their recent KRACK updates]
The newly-reported WPA-2 Wi-Fi vulnerability commonly known as KRACK (Key Reinstallation AttaCK) diminishes the potential security of almost all password-protected Wi-Fi connections in use today. It is formally tracked as CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088, and many router vendors are already issuing firmware patches to fix it.
Client Devices Also Need to Be Updated to Protect Against KRACK
It’s important to note that client devices – that means everything from your iPhone and Macs all the way down to your Wi-Fi-connected printers and webcams – also need to be patched to fully protect against this. Based upon this hostap posting it seems routers can be set to not allow clients who retry the vulnerable key negotiation, thereby blocking this type of attack, but it may come at a cost of denying some clients entry.
Several vendors have released patches already, and we expect more to be coming. Where known, we’ll include details of how much protection is included in the patch.
List of Routers and KRACK-related Firmware Updates
Here’s what we know from consumer-focused router vendors who have either made public statements or provided information directly to us here at The Mac Observer (sorted alphabetically):
- Apple: Apple doesn’t seem to think its routers are affected and is instead focusing on updating client devices, though that doesn’t make sense given what we know about KRACK combined with the fact that their last update was 10 months ago. Update 19-Oct-2017: we still haven’t heard anything concrete from Apple, but it’s possible AirPort/Time Machine hardware acts similarly to the TP-Link stuff below, blocking this attack by not entirely following the WPA-2 spec. On the client side, current betas of macOS, iOS, tvOS, and watchOS all contain the fixes, which means we’ll likely see those available in the coming weeks. Hopefully Apple will release fixes for older OSes, too, for folks whose hardware can’t run the latest.
- Asus: Nothing yet. Update 19-Oct-2017: At 01:46am this morning, ASUS posted to their forums that they’re aware of and investigating a patch in partnership with their chipset vendors. No ETA other than “soon”.
- DD-WRT: Changeset 33525 appears to contain the fix (and has code to peruse for anyone truly interested in what the fix contains). That means any build with a release number of 33525 or higher contains the patch. KONG released a test 33525 build to his personal TEST repository and the latest 33525 Brainslayer release is also now available.
- D-Link: In a statement on their website, D-Link says, “D-Link has requested assistance from the chipset manufacturers. As soon as patches are received and validated from the chipset manufacturers, D-Link will post updates on its website support.dlink.com immediately.”
- eero: eeroOS version 3.5 addresses router-related KRACK vulnerabilities and is available for all customers. Launch your eero app for the firmware update.
- Google Wi-Fi: In a statement to CNET, Google said, “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.”
- Linksys (Belkin): Most routers, including Linksys’ Velop Mesh system, have been updated to address KRACK [Updated 11/22/2017].
- NETGEAR: NETGEAR has posted a security advisory detailing every affected device and firmware version. Many devices, including their Orbi mesh product, do not yet have firmware updates available to patch KRACK, so be sure to check regularly over the coming days and weeks for updates.
- Synology: SRM 1.1.5-6542-3 has been released for both the Synology RT2600ac and RT1900ac routers and appears to contain fixes for the entirety of the KRACK vulnerabilities.
- TP-Link: In their forums, TP-Link posted, “TP-Link is aware of the flaws (KRACK) in the WPA2 protocol. We are now investigating if our products are affected by the vulnerabilities. Once verified, will release an announcement on the official website about the affected products, and offer software fixes for them. We will keep updating here as well.” A follow-up post says that “beta releases should be available in the coming weeks.” Update 19-Oct-2017: TP-Link posted to their forums:
“According to the 802.11 Wi-Fi standard, an AP (authenticator) will check and accept Replay Counter value that already used in message to the client during the 4-way handshake, which is one of its vulnerabilities. Maybe some APs, as the author mentioned, will work fully in accordance with the 802.11 standard, but we can confirm that TP-Link isn’t involved with this vulnerability from the code level. TP-Link APs/Routers will check the replay counter value in message 4, and if it’s a value already used, will reject the packet. Thus we clarify that routers/gateways working in default router mode or access point mode (as an Authenticator) will not be affected by the vulnerabilities.”
The TL;DR on this is that TP-Link says they didn’t quite follow the Wi-Fi spec and don’t allow recurring uses of the Replay Counter variable, therefore blocking this attack, even from the client.
- Ubiquiti: Ubiquiti has updated both their Enterprise products (version 3.9.2) as well as their AmpliFi mesh products (version 2.4.3) to protect against KRACK.
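A firmware inventory can be checked against the patched releases named in the list above. The sketch below is an added example, not code from any vendor or from The Mac Observer; the product labels, host names and inventory are constructed for illustration, and only the version numbers come from the list.

```python
import re

# Minimum KRACK-patched releases exactly as stated in the vendor list above.
# The dictionary keys are hypothetical labels chosen for this example.
PATCHED = {
    "dd-wrt": "33525",               # changeset / build number
    "eero": "3.5",                   # eeroOS
    "synology-srm": "1.1.5-6542-3",  # RT2600ac and RT1900ac
    "ubiquiti-enterprise": "3.9.2",
    "amplifi": "2.4.3",
}

def version_key(version):
    """Turn '1.1.5-6542-3' or 'r33525' into a tuple of ints for ordering."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def krack_status(product, installed):
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    minimum = PATCHED.get(product)
    key = version_key(installed)
    if minimum is None or not key:
        # No fixed release is listed for this product (or no version could
        # be read), so the vendor's advisory has to be checked by hand.
        return "unknown"
    # Numeric, field-by-field comparison: 3.10.1 sorts after 3.9.2, which a
    # plain string comparison would get wrong.
    return "patched" if key >= version_key(minimum) else "vulnerable"

# Constructed sample inventory: (host, product label, installed firmware).
INVENTORY = [
    ("attic-ap", "dd-wrt", "r33010"),
    ("garage-ap", "dd-wrt", "r33525"),
    ("livingroom", "eero", "3.5.0"),
    ("office-rt", "synology-srm", "1.1.5-6542-2"),
    ("lobby-ap", "ubiquiti-enterprise", "3.10.1"),
    ("den-router", "asus", "3.0.0.4.382"),
]

def audit(inventory):
    """Map each host to its KRACK patch status."""
    return {host: krack_status(product, fw) for host, product, fw in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
```

A "patched" result covers only the router's firmware; client devices on the network still need their own updates, as noted earlier.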
CERT is also maintaining a list, as are iMore and FixKRACK. If you have more information or questions, please post in the comments below. We’ll keep this article updated with anything that we (or you!) find.