Date: 2017-10-17

The newly reported WPA2 Wi-Fi vulnerability commonly known as KRACK (Key Reinstallation AttaCK) diminishes the potential security of almost all password-protected Wi-Fi connections in use today. It is tracked formally as CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088, and many router vendors are already issuing firmware patches to fix it.
Client Devices Also Need to Be Updated to Protect Against KRACK
It’s important to note that client devices – that means everything from your iPhone and Macs all the way down to your Wi-Fi-connected printers and webcams – also need to be patched to fully protect against this. Based upon this hostap posting, it seems routers can be set to not allow clients that retry the vulnerable key negotiation, thereby blocking this type of attack, but it may come at the cost of denying some clients entry.
Several vendors have released patches already, and we expect more to be coming. Where known, we’ll include details of how much protection is included in the patch.
List of Routers and KRACK-related Firmware Updates
Here’s what we know from consumer-focused router vendors who have either made public statements or provided information directly to us here at The Mac Observer (sorted alphabetically):
- Apple: Apple doesn’t seem to think its routers are affected and is instead focusing on updating client devices. Current betas of macOS, iOS, tvOS, and watchOS all contain the fixes, which means we’ll likely see those available in the coming weeks. Hopefully Apple will release fixes for older OSes, too, for folks whose hardware can’t run the latest.
- Asus: Nothing yet.
- DD-WRT: Changeset 33525 appears to contain the fix (and has code to peruse for anyone truly interested in what the fix contains). That means anything with a release number equaling 33525 or higher contains the patch. KONG released a test 33525 build to his personal TEST repository. As of the latest update to this piece, there is not yet a Brainslayer release containing this fix.
- D-Link: In a statement on their website, D-Link says, “D-Link has requested assistance from the chipset manufacturers. As soon as patches are received and validated from the chipset manufacturers, D-Link will post updates on its website support.dlink.com immediately.”
- eero: eeroOS version 3.5, currently in beta, contains the fix and will be rolled out as soon as beta-testing completes. Follow the eero blog for further updates.
- Google Wi-Fi: In a statement to CNET, Google said, “We’re aware of the issue, and we will be patching any affected devices in the coming weeks.”
- Linksys (Belkin): Nothing yet, but watch this Linksys Community forum post for standalone routers and another post in the Velop forums for Linksys’s mesh offering.
- NETGEAR: NETGEAR has posted a security advisory detailing every affected device and firmware version. Many devices, including their Orbi mesh product, do not yet have firmware updates available to patch KRACK, so be sure to check regularly over the coming days and weeks for updates.
- Synology: SRM 1.1.5-6542-3 has been released for both the Synology RT2600ac and RT1900ac routers and appears to contain fixes for the entirety of the KRACK vulnerabilities.
- TP-Link: In their forums, TP-Link posted, “TP-Link is aware of the flaws (KRACK) in the WPA2 protocol. We are now investigating if our products are affected by the vulnerabilities. Once verified, will release an announcement on the official website about the affected products, and offer software fixes for them. We will keep updating here as well.” A follow-up post says that “beta releases should be available in the coming weeks.”
- Ubiquiti: Ubiquiti has updated both their Enterprise products (version 3.9.2) as well as their AmpliFi mesh products (version 2.4.3) to protect against KRACK.
CERT is also maintaining a list, as are iMore and FixKRACK. If you have more information or questions, please post in the comments below. We’ll keep this article updated with anything that we (or you!) find.