Guide

Re: WPA2 - KRACK / Vulnerability

I think all current information on Netgear products related to this security issue is here: https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-...

 

According to that page, the fix needs to go into WiFi clients, not WiFi access points/routers (except those used in WiFi bridge mode which means it's running as a WiFi client connecting to another AP).  So, WiFi routers that are not using WiFi bridging are not themselves vulnerable.  Instead, you need all your WiFi clients like your phones, your PCs, your IOT devices, your media devices, etc... upgraded to avoid this vulnerability.

 
Message 26 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

I did find this KB that might help. Basically just says "Sit Tight" and the work around is to just shut everything off. 10/10

 

https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-...

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 27 of 73
Initiate

Re: WPA2 - KRACK / Vulnerability

 Just remember someone has to be in range of your wifi signal to exploit the vulnerability.  So a neighbor or someone sitting outside your house.  They must be able to intercept your wifi signal. 
Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 28 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@Dolomen wrote:

I did find this KB that might help. Basically just says "Sit Tight" and the work around is to just shut everything off. 10/10

 

https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-...


That's not what it says.  It says that unless you're using WiFi Bridging, this is not an issue for Routers.  It's an issue in WiFi clients.  The problem occurs in the side originating a WiFi connection (your phone, your laptop, your IOT device, etc...).  Netgear has already issued firmware updates for some of their products that have a WiFi client component.  One would assume they are working on fixes for others.  But, most customers using a router are not using and do not have enabled a WiFi client in their router.  The usual use of a router is as a WiFi Access Point and that is not vulnerable.  If you are using Bridging to another router via WiFi, then you would be vulnerable.

 

And, the vulnerability requires an attacker to be physically present at your WiFi network (e.g. sitting outside your home).  And, HTTPS connections are not vulnerable, only non-encrypted traffic such as HTTP.

Message 29 of 73
Luminary

Re: WPA2 - KRACK / Vulnerability

For those that use the DD-WRT firmware on your Netgear Router:

 

DD-WRT had a KRACK patch in place and available as a patch on 10/16/2017:

 

http://svn.dd-wrt.com/ticket/6005

 

and the KRACK fix has been incorporated into the 10/17/2017 r33525 DD-WRT builds:

 

ftp://ftp.dd-wrt.com/betas/2017/10-17-2017-r33525/

Message 30 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

tldr: consumers shouldn't buy netgear or linksys products to send a clear message that security should be a core value.

 

One shouldn't have to go to obtain an open-source router bin to resolve the issue.  The issue was responsibly reported and CERT notified vendors.  The problem we have here is that Netgear (and Linksys, so they are not alone) are simply not responsible companies when it comes to having a concern for the security posture of their customers.  50 days is more than enough time to complete and deploy a fix.  Microsoft (who used to be awful when it came to security) even had the patch released on this most recent patch Tuesday.  They didn't announce it, but it was baked in.  They then released a revised advisory once the vulnerability was publicly announced noting the CVEs addressed.

People just need to stop buying Netgear crap.  I'm glad both my Netgear components are within the 15 day return policy for Best (worst) Buy... Time to go with Ubiquiti who clearly is recognizing the importance of not just enterprise security, but consumer as well.

 

The best message we can all make is to post this information on other publicly accessible sites so that people will steer clear of Netgear's products.  Once it starts hitting their bottom line, they will see that they need to be a socially responsible company in helping to harden and secure the Internet community inclusive of the consumer.

 

 

 

Message 31 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

How do I know if my WiFi modem router is safe?
Message 32 of 73
Luminary

Re: WPA2 - KRACK / Vulnerability


@Jmac1765 wrote:
How do I know if my WiFi modem router is safe?

Read the following information:

 

https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-...

 

 

Message 33 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@Jmac1765 wrote:
How do I know if my WiFi modem router is safe?

Keep in mind that your larger vulnerability is probably with your mobile devices (phones, laptops, etc...).  The likelihood that a compromise will happen at a more public WiFi (airport, coffee shop, even work, etc...) is way higher than at home.  Not that it can't happen at home, it's just that most attackers will find a public place with lots of potential targets to be a way more interesting place to go.  And, to protect yourself there, you need to upgrade your clients, not your router.  So folks shouldn't just think about this as a router issue.

 

I can't confirm this, but it seems like Netgear is saying that the problem is on the client-side so the only way it affects a router is if the router is using WiFi bridging (which most are not).  The main issue is in fixing your WiFi clients.

Message 34 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

O YEAH AND WHAT IF IM USING MY $300+ POS R9000 IN AP MODE BECAUSE ITS A POS AND ONLY GOOD FOR WIFI??? I DONT GET NO FIX? AND SILENCE FROM CRAPGEAR? DUNNO WTF HAPPENED TO CRAPGEAR BUT THEY SUCK!! NETGEAR IS A YUGE POS!! YUGE!! :-P

Message 35 of 73
Master

Re: WPA2 - KRACK / Vulnerability


@jfriend00 wrote:

@Jmac1765 wrote:
How do I know if my WiFi modem router is safe?

Keep in mind that your larger vulnerability is probably with your mobile devices (phones, laptops, etc...).  The likelihood that a compromise will happen at a more public WiFi (airport, coffee shop, even work, etc...) is way higher than at home.  Not that it can't happen at home, it's just that most attackers will find a public place with lots of potential targets to be a way more interesting place to go.  And, to protect yourself there, you need to upgrade your clients, not your router.  So folks shouldn't just think about this as a router issue.

 

I can't confirm this, but it seems like Netgear is saying that the problem is on the client-side so the only way it affects a router is if the router is using WiFi bridging (which most are not).  The main issue is in fixing your WiFi clients.


I know hot spots have always been a hacker's dream, so many computers and other mobile devices to play with, but they are saying the main issue is the wifi wpa2 running on mobile devices and not a big issue on the router, if I get what you are saying?

I can buy that if there is an update for mobile you should update, but would the router need to be protected as well with an update to its firmware?

I am beginning to think wired lan connections still have their place in a network: hard to hack into from the outside and most behind closed doors. I know people who have never done more than just plug their new router in, left them un-set-up and never updated the firmware. I feel sorry for them but it's the way they want to run them.

Message 36 of 73

Re: WPA2 - KRACK / Vulnerability

@jfriend00, the vulnerability is not related to the client, it's in the router. Not just Netgear routers, pretty much all routers. The vulnerability is in the WPA2 protocol, so any router that implements WPA2 is vulnerable. Please read the CERT for details.
Message 37 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@Penguin101 wrote:
@jfriend00, the vulnerability is not related to the client, it's in the router. Not just Netgear routers, pretty much all routers. The vulnerability is in the WPA2 protocol, so any router that implements WPA2 is vulnerable. Please read the CERT for details.

The CERT itself is not something I can follow.  Are you saying that this statement from Netgear is wrong?

 

NETGEAR is aware of WPA-2 security vulnerabilities that affect NETGEAR products that connect to WiFi networks as clients.

 

  • Routers and gateways are only affected when in bridge mode (which is not enabled by default and not used by most customers). A WPA-2 handshake is initiated by a router in bridge mode only when connecting or reconnecting to a router.

 

 

Message 38 of 73
Guide

Re: WPA2 - KRACK / Vulnerability

I'd suggest you read here: https://security.stackexchange.com/questions/171402/to-sufficiently-protect-against-krack-is-patchin... and https://www.krackattacks.com/#faq (which I think is a site put up by the person who discovered the attack).  In particular, this:

 

What if there are no security updates for my router?

 

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

 

If your router does not support 802.11r (fast roaming) or you can turn it off and if your router is not using bridging so it is not acting as a WiFi client and you patch your clients which you likely have to do anyway because they roam to other WiFi networks, then it appears to me from what I'm reading that you are safe.  This seems to me like a client-driven issue, not a router-driven issue.  Now, perhaps you can patch a router and protect vulnerable clients (I can't really tell from the literature if that is the case or not), but WiFi clients often roam so the client has to be patched anyway which would protect it.  It doesn't seem like you can just patch the router and say you're done.  And, if you patch your clients (which you probably have to do for roaming reason), it seems like you're safe with your router.  So, I'm spending my time figuring out how to get my clients patched and not losing a lot of sleep over the router-side of things.  

 

It sounds like a lot of people here are slamming Netgear for not "fixing" their problem by patching all their routers immediately.  My point is that, you can complain all you want about that, but that's likely a much, much lower priority than patching your WiFi clients.  That's where I'm spending my energy.

Message 39 of 73
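
Added example (not part of any post in this thread, and not Netgear or DD-WRT code): the two router-side conditions from the FAQ quoted above, a radio acting as a WiFi client and 802.11r being enabled, checked against a router's wireless config. It assumes an OpenWrt-style config layout with `mode`, `ieee80211r` and `disabled` options; the sample config is constructed, and the routers discussed here may store these settings differently.

```python
# Added example: flag the two router-side KRACK exposure conditions
# (WiFi client role, 802.11r fast roaming) in a wireless config.
# Assumption: OpenWrt-style UCI syntax; the option names `mode`,
# `ieee80211r` and `disabled` are OpenWrt's, not taken from the thread.

# Constructed sample input, not from a real device.
SAMPLE_CONFIG = """
config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface 'home_ap'
    option device 'radio0'
    option mode 'ap'
    option ssid 'HomeNet'
    option encryption 'psk2'

config wifi-iface 'uplink'
    option device 'radio0'
    option mode 'sta'
    option ssid 'UpstreamNet'
    option encryption 'psk2'

config wifi-iface 'roaming_ap'
    option device 'radio0'
    option mode 'ap'
    option ssid 'HomeNet-Roam'
    option encryption 'psk2'
    option ieee80211r '1'

config wifi-iface 'old_repeater'
    option device 'radio0'
    option mode 'sta'
    option disabled '1'
"""

REASONS = {
    "client-role": "radio joins another AP as a WiFi client (bridge/repeater "
                   "use), so the router itself needs patched firmware",
    "802.11r": "fast roaming (802.11r) is enabled on this AP; disable it or patch",
}


def parse_wifi_ifaces(text):
    """Return {section_name: {option: value}} for each wifi-iface section."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            current = None  # options of other section types are ignored
            if len(parts) >= 2 and parts[1] == "wifi-iface":
                anon = f"@wifi-iface[{len(ifaces)}]"  # unnamed section
                name = parts[2].strip("'\"") if len(parts) == 3 else anon
                current = ifaces.setdefault(name, {})
        elif parts[0] == "option" and len(parts) == 3 and current is not None:
            current[parts[1]] = parts[2].strip("'\"")
    return ifaces


def krack_exposure(ifaces):
    """Return [(section, reason_code)] for enabled interfaces that match."""
    findings = []
    for name, opts in ifaces.items():
        if opts.get("disabled") == "1":
            continue  # interface is switched off, it performs no handshake
        mode = opts.get("mode", "")
        if mode == "sta":
            findings.append((name, "client-role"))
        elif mode == "ap" and opts.get("ieee80211r") == "1":
            findings.append((name, "802.11r"))
    return findings


if __name__ == "__main__":
    hits = krack_exposure(parse_wifi_ifaces(SAMPLE_CONFIG))
    for section, code in hits:
        print(f"{section}: {REASONS[code]}")
    if not hits:
        print("no client-role or 802.11r interfaces enabled")
```

An empty result only covers the router side; the WiFi clients still need their own updates.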

Re: WPA2 - KRACK / Vulnerability

According to the author who discovered the vulnerability (you also referenced the website), I highlighted the part that is very important in red:

 

"The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor."

 

Yes, we all need to update our clients, Microsoft and Linux already released the patches before the vulnerability was released to public, Google and Apple will release patches very soon. But the most dangerous part is in the router itself. The 4-way handshake requires the router to authenticate a client, but if the router is vulnerable, you are still vulnerable. This is not just about someone's own router, think about the routers that provide free public WIFI, they are all vulnerable, and when you try to connect to those free public WIFI, you might become a victim. Netgear should have released patches much earlier.

Message 40 of 73
Tutor

Re: WPA2 - KRACK / Vulnerability

I am not slamming Netgear because I want my three years old (brand new top of the class, expensive as hell router) fixed right now,

 

but because from the Netgear support webpages it is clear to me that it won't be fixed !!!!!

 

They already skipped a ready share patch for my device at the beginning of 2017 !!!!

 

Now it's clear to me they don't want to fix old routers at all !!!

 

Sure, I'll buy a new top of the class Netgear device worth 300 euros to be left in pain in less than 3 years

 

Goodbye Netgear

Message 41 of 73
Tutor

Re: WPA2 - KRACK / Vulnerability

Netgear's advisory is narrowly factual as an advisory should probably be, but unhelpfully repeatedly pointed to by the moderator because it doesn't answer most questions. How on earth can Netgear not have a FAQ?

 

As others have said, KRACK disclosed a collection of related vulnerabilities, that's why there are numerous CVE numbers to track them. Collectively they relate to both clients and access points.

 

Most people are talking about the four way handshake vulnerability, which is a client ("supplicant" in the protocol) issue. That's why you see people saying you have to patch your devices, or Netgear saying it only applies to the AP when it acts as a client (bridge mode). But it's *NOT* true that there's nothing at all an AP can do to mitigate (not eliminate, but reduce the risk) as this is a noisy attack and more high end (usually enterprise grade, but not necessarily more expensive than Nighthawk) APs do this and are doing this. So what Netgear appears to be really saying by "only affects bridge mode" is even though they could they're not going to attempt to mitigate this because it's not the AP at fault. That's not what I want to hear, it isn't a completely unreasonable stance but it's sure not going the extra mile. I wish they'd just say that.

 

There are other vulnerabilities that are specifically an issue for the AP, such as the one for Fast BSS (802.11r) handover between access points. Again what Netgear appears to be really saying in their non-answer is "we either don't support handover at all or don't use this protocol to do it in our products". I don't know how Orbi handover works, maybe it's proprietary, maybe it's vulnerable with a similar flaw but because it doesn't use 802.11r this CVE doesn't *technically* apply but it's still vulnerable. It's the kind of thing you'd put in a FAQ about this issue to inform and reassure customers, if Netgear could be bothered.

 

This will be my last Netgear product, the quality of response to various vulnerabilities and security issues has been abysmal and always requires extensive investigation to unearth the facts. Speed of responses to vulnerabilities has been poor, transparent information has been lacking with nothing but "boilerplate" responses, and regular releases leave you guessing about the actual security issues they fixed and how exposed you were with endless "Fixed the security issue" statements in release notes with no more hint than that.

Message 42 of 73
Luminary

Re: WPA2 - KRACK / Vulnerability

Netgear's statement seems to be correct, in that only routers configured to act as clients should be affected because the CVE affecting access points themselves affects 802.11r, and some Googling suggests that it's not implemented on Nighthawk.

Per comments from others, upgrading clients is the most important thing. However, even though most users won't have their Nighthawk configured for bridging, that fact does not negate that those that do are affected and don't have a firmware update available, nor an ETA for one, and that's after NG had plenty of forewarning. Other clients like Arlo seem to be in a similar predicament.

However, I find Netgear's communication lacking, especially for a concerned consumer-level audience.
Message 43 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

I understand that this is not an issue unless in bridging mode, however this is beside the point. This is a security vulnerability that needs to be fixed. The fact that Netgear has not even communicated an ETA for the patch is quite disconcerting. If this were an actual flaw, the communication and responsiveness to security concerns does not inspire confidence. Many other manufacturers have provided security fixes.

 

Netgear IRL...https://www.youtube.com/watch?v=NgT2wyBZN6A

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 44 of 73
Virtuoso

Re: WPA2 - KRACK / Vulnerability

Looks like they've patched the firmware for their enterprise products.  Hopefully, they'll get their home products updated quickly.

Keith

(2xWNR2000, 3xWNCE2001, FWAG114, FS116, GS116, 6xR7000)
Message 45 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@mk5vv wrote:

I understand that this is not an issue unless in bridging mode, however this is beside the point. This is a security vulnerability that needs to be fixed. The fact that Netgear has not even communicated an ETA for the patch is quite disconcerting. If this were an actual flaw, the communication and responsiveness to security concerns does not inspire confidence. Many other manufacturers have provided security fixes.

 


mk5vv, yours is a very reasonable post.  The reason I'm participating in this thread is that people (many of whom probably don't really understand the vulnerability) had gone a little nuts here in their criticism of Netgear.  I don't have any reason to defend them other than their products work well for me and I've had to return other makers' products that did not work so well.   So, let's summarize a bit here so people can perhaps target their posts in a bit more rational direction.

 

  1. Yes, Netgear is NOT doing a great job communicating about future fixes.  We'd like to see much more info about that.
  2. This page about which products are vulnerable https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-... is actually a pretty good start.
  3. That page even lists 13 products that already have patches available.  Your product is probably not one of those 13.
  4. It also describes what products are vulnerable when used in bridge mode (which includes extenders).
  5. It also explains that routers not being used in bridge mode are not vulnerable.  To fix your general WiFi vulnerability when connected to all Netgear routers (or any other maker's router for that matter), you need to update your WiFi clients to fix their vulnerability.  This is a CLIENT vulnerability, not a server vulnerability.
  6. An attacker needs to be in physical proximity to your network (e.g. right outside your home or perhaps in a neighbor's home to attack your clients).  Getting a router upgrade does not make the clients safe.  You need client upgrades to make clients safe.
  7. Windows laptops that are up-to-date with Windows 10 updates are already safe (Microsoft has already patched them) even with an unpatched router.
  8. If your router is not using bridge mode to connect to your local network or to your modem, there is no known vulnerability in your router.

So, Netgear does owe people with vulnerable products (cameras, extenders and routers using bridge mode) that don't yet have a patch available some sort of patch timeline.  But, one should not be surprised that all products are not yet patched.  Heck, even Google which is often one of the more responsive firms for important security bugs will not have an Android patch out until early November.  And, even then that will only be for its direct to consumer products.  Other products that use Android (like Samsung phones) will be delayed even further than that because of their distribution pipeline, carrier testing, etc...  Yes, this is complicated and a mess.

 

Also, one should realize that to patch every product that has ever been shipped that has a WiFi client in it is a BIG job.  This is not just one piece of code that has to be written and tested.  Netgear probably has hundreds of such products that have shipped over its history.  That's a lot of work if one is going to do it carefully and reliably.  And I can imagine that testing changes to the WiFi connection stack is kind of a hard thing to do as you tend to accumulate a stack of incremental fixes over many years to solve little compatibility issues with all sorts of temperamental WiFi access points that your WiFi client is trying to connect to and it's virtually impossible to repeat all those tests over and over again when you change something central to the connection protocol because you can't reproduce all those other environments that caused fixes along the way.  You have to tread very carefully and test what you can as you go.

 

And, for those of you using a Netgear router that are not using Bridge mode, I want to offer you an analogy.  Imagine you have an app on your smartphone.   It may have come on your phone or you may have installed it and played with it a while ago, but you never use it any more.  Now you find out that that app has a serious privacy bug.  Do you freak out that your entire phone is no longer secure?  No, you probably just make a note to never use that app, maybe even deinstall it.  As long as you're not using that app, your phone is safe.  Well, that's what it's like with Netgear routers.  If you're not using Bridge mode, there's literally nothing Netgear can do with a patch to improve your WiFi security.  Nothing.  So, why are you so mad at them?  They have a bug.  It's in a feature you don't use.  It does not affect the way you are using your router.

 

Ok, if you're using this as a proxy test to see how Netgear might respond if there was an important bug that did affect you, that's reasonable.  They've already patched 15 products.  They are working on it.  They have likely prioritized which products to do first and in some cases may need help from chipset partners.  We need to give them a bit of time to see how many products they are going to cover and in what time frame.  One article says they have over 1200 products.  That might take a while just for practical reasons.

 

Also, keep in mind what the timeline is here.  A few hardware makers were notified on July 14th (only a few that the attacker had actually tested and found the flaw on).  After it was found to be broader than just a few makers, it was turned over to CERT and a broad notification was sent out on Aug 28th.  That's only three weeks ago.  Netgear has 1200 products.  It's going to take a while to make a dent in that large number of products.  Every product has its own separate firmware and has to be patched and tested individually.

 

So, some more communication would be highly desirable, but I find it kind of unreasonable that folks expect all 1200 products to already have a patch available.  If one is going to do this patching correctly, safely and reliably, you just can't go that fast.  It will take time.

 

Now Netgear will show us over the next several months what kind of company they are in the face of an issue like this.  If there is a steady stream of firmware fixes and we get more communication about what to expect and when, then they have a chance to prove themselves as a responsive vendor.  If not, then we will all make note of who the responsive vendors are in this market and use that information in our future purchases.

Message 46 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

Model: R6700|Nighthawk AC1750 Smart WiFi Router
Message 47 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

GG indeed.  Seems like Netgear doesn't give one damn about us.  Not even allowing us to e-mail them to ask what the heck they are doing to provide a fix.  That really ticks my box.

Message 48 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@GeminiJ13 wrote:

GG indeed.  Seems like Netgear doesn't give one damn about us.  Not even allowing us to e-mail them to ask what the heck they are doing to provide a fix.  That really ticks my box.


Are you using WiFi bridging with your router?  If not, there is no router side vulnerability.  The fix is a client-side fix.

Message 49 of 73
Master

Re: WPA2 - KRACK / Vulnerability

I would hope that they are planning to fix security issues as they become the problem is when they say security fix in their firmware updates they will not tell you what they are fixing.

Message 50 of 73