NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
WPA2 - KRACK / Vulnerability
Hi Netgear, I think this is really important and should be monitored closely and all the wifi users should ask the vendors to monitor an patch this. Looks like that WPA2 is about to be cracked and ...
NETGEAR is aware of the recently publicized security exploit KRACK, which takes advantage of security vulnerabilities in WPA2 (WiFi Protected Access II). NETGEAR has published fixes for multiple products and is working on fixes for others. Please follow the security advisory for updates.
NETGEAR appreciates having security concerns brought to our attention and are constantly monitoring our products to get in front of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at NETGEAR.
To protect users, NETGEAR does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, NETGEAR will announce the vulnerabilities from NETGEAR Product Security web page.
Hello Ely,
Please see https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837 . Looks like WAPs are only vulnerable in bridge mode - meaning you need at least 2. The vulnerable handshake would occur when they 'pair'. Which makes sense, as the WAP is not going to try to initiate a handshake session with an endpoint, it's the other way around. Good luck!
Jarmo
NETGEAR is aware of the recently publicized security exploit KRACK, which takes advantage of security vulnerabilities in WPA2 (WiFi Protected Access II). NETGEAR has published fixes for multiple products and is working on fixes for others. Please follow the security advisory for updates.
NETGEAR appreciates having security concerns brought to our attention and are constantly monitoring our products to get in front of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at NETGEAR.
To protect users, NETGEAR does not publicly announce security vulnerabilities until fixes are publicly available, nor are the exact details of such vulnerabilities released. Once fixes are available, NETGEAR will announce the vulnerabilities from NETGEAR Product Security web page.
I have to say...given the known facts about the disclosure of the vulnerability to vendors, I'm not sure 'proactive' is the word I'd use, and the whole reason this thread exists is because CERT waited as long as they could before a coordinated announcement...thus the exact details of the vulnerabilities are very much released as a call to action to those who failed to respond in a timely fashion.
I appreciate that Netgear has a very large number of affected products in the wild, but given that is literally your line of business and that severe security vulnerabilities are discovered against the most common components of consumer network gear every few months, it's really just part of the business model.
To be honest, I'd have preferred a response along the lines of "our bad, we've too many products to patch in only two months, we've hired staff and are literally working three shifts a day to resolve this, please stay tuned for weekly status updates" versus "we're a very proactive company who doesn't release information for your protection". It rings very, very hollow.
So what about recent router models like mine that aren't mentioned in Netgear's announcement? Do they not need a patch (unlikely!), or is Netgear abandoning them?
Unknown by be - - I'm in the same boat with a legacy WiFi router
Virtually every network device ever created is vulnerable unless a patch is made available.
It's entirely possible that some devices from various vendors are well past their end-of-support dates, and each vendor will have to make a decision on a case-by-case basis whether to offer a one-off patch or just consider them deprecated and suggest the user upgrade their hardware.
Where is the ORBI and ORBI Pro firmware updates to address this issue? You have had since end of August to develope a fix... its getting silly now,
Not going to let this subject slide to the bottom of the forums.
Netgear where is the update for this exploit? It shouldnt be that difficutl to patch since you have already addressed it on many of your other products. Why are you exposing all Orbi users to potential issues through your inaction!
I agree this needs to be addressed ASAP. Don't wait till after the fact. These things need to be got in front of before we are singing the woes.
This is a important issue and our engineering team is working on a fix for this exploit for orbi I do not have a exact date on a update but its a high priority.
DarrenM
In the meantime while fix to hack is being worked on can we have the ability to turn off wifi per schedule? To minimize threats to wireless when not needed we can turn off?
I don't believe this would have the effect you want. As I understand it, the threat is only present when the Orbi satellite connects to the Orbi router. If the system remains up and running, there is no threat.
Turning off the WiFi would create a vulnerability each time it's turned back on and the satellite is forced to reconnect. This would vastly increase the vulnerability.
Unfortunately, simply leaving the system up and running provides no protection against this attack. If an attacker is going to interfere with your communications to effect the KRACK attack, it is trivial for them to deauth the satellite and force it to re-auth whenever the attacker wants.
This certainly appears to be a very serious risk to systems using Orbi satellites and I hope that Netgear quickly releases a patch.
