Tutor

Re: WPA2 - KRACK / Vulnerability

So I'm not as worried as I was when I first posted this since it apparently only exposes users using bridge mode, which I don't do. Having said that, I agree with the various comments regarding Netgear's lack of readiness for this flood of questions. It sounds like essentially there isn't a good fix for those in bridge mode. They should just come out and say that so it's very clear that "if you use bridge mode then you are exposing yourself, proceed with caution." Something honest and straightforward like that would earn a bit more respect than cut-and-paste PR language. Just one user's opinion...

Model: R7000|Nighthawk AC1900 Dual Band WiFi Router
Message 51 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@Geolebeau wrote:

So I'm not as worried as I was when I first posted this since it apparently only exposes users using bridge mode, which I don't do. Having said that, I agree with the various comments regarding Netgear's lack of readiness for this flood of questions. It sounds like essentially there isn't a good fix for those in bridge mode. They should just come out and say that so it's very clear that "if you use bridge mode then you are exposing yourself, proceed with caution." Something honest and straightforward like that would earn a bit more respect than cut-and-paste PR language. Just one user's opinion...


That's basically included right here: https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-... which has been referenced dozens of times in this thread.

Message 52 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

Dear jfriend00,

"So, let's summarize a bit here so people can perhaps target their posts in a bit more rational direction."

 

This is the crux of my argument.  I should have been able to find simple answers to my questions on the Netgear website which I could not find.  Nothing.  That is why I came to the forums and started a post.  If they had put even basic information for owners to read about and understand it would have prevented me from ranting in the first place.

 

Your reply to mk5vv was a great one and I applaud you for helping us to understand the situation in a more refined manner.  Thank you for helping us all out on this confusing subject.

Message 53 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

Dear Geolebeau,

 

You have mirrored my sentiments perfectly.  Thanks for taking the time to respond.

Message 54 of 73

Re: WPA2 - KRACK / Vulnerability

It should be mentioned that while, yes, this is a client-side vulnerability, access-point side patches can mitigate it. With that in mind the responsible thing for every vendor of access points, wireless routers, pretend-routers like Netgear, whatever, to do is to produce mitigation patches.

Message 55 of 73

Re: WPA2 - KRACK / Vulnerability

For those who keep saying it is a client-side vulnerability, please define "client".

Message 56 of 73
Luminary

Re: WPA2 - KRACK / Vulnerability

client = a device attempting to securely authenticate with an access point using WPA2. E.g. your phone, laptop, tablet, security camera, streaming media player, gaming console, smart refrigerator, etc.

If you have typed your wifi password into it to connect it to your wifi access point it's a client and it's probably affected.
Message 57 of 73

Re: WPA2 - KRACK / Vulnerability

Is it sufficient to patch only the access point? Or to patch only clients?

Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points.

Message 58 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@Penguin101 wrote:

Is it sufficient to patch only the access point? Or to patch only clients?

Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points.


Can you point to any reference material on what makes an access point vulnerable to this issue (other than one used as a client for bridging) and what type of patches to an access point prevent or mitigate anything? I have not been able to find such a reference.

Message 59 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@Ignitionnet wrote:

It should be mentioned that while, yes, this is a client-side vulnerability, access-point side patches can mitigate it. With that in mind the responsible thing for every vendor of access points, wireless routers, pretend-routers like Netgear, whatever, to do is to produce mitigation patches.


Can you point to any reference material for what type of "mitigation" can be done with a router patch (besides fixing the client side vulnerability when using bridging)?  I ask because I have not been able to find any info on what mitigation an access point can actually do when used with a vulnerable client.

Message 60 of 73

Re: WPA2 - KRACK / Vulnerability

https://www.krackattacks.com/#amivulnerable

 

It actually makes sense. The vulnerability is in the protocol itself: in order for the AP to communicate with the client, they have to use the same 4-way handshake protocol, but since the protocol itself is vulnerable, the communication is vulnerable until both are fixed.

 

The manual mitigation is not a simple work, that is why Netgear should release a patch to fix the vulnerability. It is not Netgear's own fault for this vulnerability, but their slow response to the vulnerability is.

You can follow the steps in https://www.krackattacks.com/#ap-mitigations to manually modify the AP to fix the vulnerability. I haven't tried, so I don't know if it works.

Message 61 of 73

Re: WPA2 - KRACK / Vulnerability

In the FAQ, read especially:

https://www.krackattacks.com/#wpa3

https://www.krackattacks.com/#patch-client-and-ap

 

If you want to know how the attack works:

https://www.krackattacks.com/#details

When a client joins a network, it executes the 4-way handshake to negotiate a fresh encryption key. It will install this key after receiving message 3 of the 4-way handshake. Once the key is installed, it will be used to encrypt normal data frames using an encryption protocol. However, because messages may be lost or dropped, the Access Point (AP) will retransmit message 3 if it did not receive an appropriate response as acknowledgment. As a result, the client may receive message 3 multiple times. Each time it receives this message, it will reinstall the same encryption key, and thereby reset the incremental transmit packet number (nonce) and receive replay counter used by the encryption protocol. We show that an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake. By forcing nonce reuse in this manner, the encryption protocol can be attacked, e.g., packets can be replayed, decrypted, and/or forged. The same technique can also be used to attack the group key, PeerKey, TDLS, and fast BSS transition handshake.

Message 62 of 73
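The paragraph quoted from krackattacks.com in the post above describes the defect in protocol terms: the client reinstalls the key on every copy of message 3 and resets its packet number (nonce), so the same keystream gets used twice. The toy model below is an added illustration, not code from krackattacks.com, from Netgear, or from any real Wi-Fi stack. The 4-way handshake is reduced to a single `on_message3` call, the CCMP keystream is replaced by a hash of (key, packet number), and the class and function names (`VulnerableClient`, `PatchedClient`, `simulate`, `nonce_reused`, `keystream_repeated`) are hypothetical. It shows the vulnerable client beside the patched one (acknowledge the retransmission, never reinstall an already-installed key), plus a crude flag for an AP that suppresses the retransmission, which is the kind of AP-side mitigation the FAQ link in the same post refers to.

```python
import hashlib

# Constructed sample data: two plaintext frames a client might send after the handshake.
FRAME1 = b"frame one: sensor reading 21.5C"
FRAME2 = b"frame two: sensor reading 22.0C"
# Stand-in for a real pairwise transient key (PTK); constructed for the demo.
DEMO_PTK = hashlib.sha256(b"constructed demo pairwise key").digest()[:16]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, pn, length):
    """Stand-in for the CCMP keystream: fully determined by (key, packet number), like AES-CTR."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + pn.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]


class VulnerableClient:
    """Installs the key on every message 3, resetting the packet number each time (the KRACK defect)."""

    def __init__(self):
        self.ptk = None
        self.pn = 0
        self.nonces_used = []

    def on_message3(self, ptk):
        self.ptk = ptk
        self.pn = 0          # reinstalling the key resets the transmit nonce
        return "message4"    # acknowledge message 3 to the AP

    def send(self, plaintext):
        self.pn += 1
        self.nonces_used.append(self.pn)
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


class PatchedClient(VulnerableClient):
    """Fix: acknowledge a retransmitted message 3 but never reinstall an already-installed key."""

    def on_message3(self, ptk):
        if self.ptk == ptk:
            return "message4"   # reply, but leave key and packet number untouched
        return super().on_message3(ptk)


def simulate(client_cls, ap_retransmits_msg3=True):
    """One handshake where message 4 is lost, so the AP resends message 3 between two data frames.

    ap_retransmits_msg3=False is a very rough model of an AP-side mitigation that
    avoids retransmitting message 3 (the real modifications are more involved)."""
    client = client_cls()
    client.on_message3(DEMO_PTK)          # first message 3: key installed
    frames = [client.send(FRAME1)]
    if ap_retransmits_msg3:
        client.on_message3(DEMO_PTK)      # retransmitted (or replayed) message 3
    frames.append(client.send(FRAME2))
    return client, frames


def nonce_reused(client):
    """Defender's check: the same packet number used more than once under one key."""
    return len(set(client.nonces_used)) != len(client.nonces_used)


def keystream_repeated(frames):
    """Consequence of nonce reuse: identical keystream, so XOR of ciphertexts equals XOR of plaintexts."""
    (_, c1), (_, c2) = frames
    return xor(c1, c2) == xor(FRAME1, FRAME2)


if __name__ == "__main__":
    for cls in (VulnerableClient, PatchedClient):
        client, frames = simulate(cls)
        print(cls.__name__, "nonces:", client.nonces_used,
              "reuse:", nonce_reused(client), "keystream repeated:", keystream_repeated(frames))
```

Running it shows the vulnerable client using packet number 1 twice under the same key, so the two ciphertexts leak the XOR of the plaintexts, while the patched client advances to packet number 2. The patched client still answers the retransmitted message 3, which is why the fix does not break connectivity; the AP-side variant merely removes the trigger and, as the FAQ notes, only helps clients talking to that one AP.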
Guide

Re: WPA2 - KRACK / Vulnerability


@Penguin101 wrote:

In the FAQ, read especially:

https://www.krackattacks.com/#wpa3

https://www.krackattacks.com/#patch-client-and-ap

 

From your second link there:

 

Is it sufficient to patch only the access point? Or to patch only clients?

Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points. Note that only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable.

That said, we are working on access points modifications that do prevent attacks against vulnerable clients. These modifications are different from the security patches for vulnerable access points! So unless your access point vendor explicitly mentions that their patches prevent attacks against clients, you must also patch clients.

 

This says that clients must be patched to be safe. 

 

This implies that the only access point vulnerability is in 802.11r (which consumer APs from Netgear do not use) other than bridging, which is really a client-side vulnerability that lives in an AP.

 

This links to a discussion of an AP patch that could prevent client vulnerabilities, though it is still in development (appears to work in theory, but there are reliability questions being tested).  And, certainly for any client that roams to other APs, it HAS to be patched to be safe anyway.  If this is the "tip of the spear" of information on this topic, then it seems a bit early to be mad at Netgear for not having this possible AP patch (whose technology is still under development) already shipping in thousands of AP models.  Yes, we can be frustrated at Netgear (and frankly most other manufacturers too) for not supplying more information on what they are working on and when to expect it.

 

And, for ANY client that roams onto different APs outside of your control, you really need to be pursuing a fix from the manufacturer of your client.  That's where you need the "real" patch.  Fix your clients and (as long as you don't bridge your router or use 802.11r on the router) the problem is addressed.   

 

Yes, it would be nice if an AP fix could allay all our fears because fixing a few central APs would be easier than getting all client fixes in place.  But, such an AP fix is not yet available (from any manufacturer that I know of) and for roaming clients, you will always have to have a client fix to be safe.  I'm happy to see some client fixes that have already been deployed (Nest, Windows 10, etc...).  Mobile phone WiFi patches are probably the highest priority for most of us (likely to roam in public places) and those do not yet seem to be available though everyone I've looked into says they are working on them (Apple, Google, etc...).

Message 63 of 73
Tutor

Re: WPA2 - KRACK / Vulnerability

I was done with this thread, but your fanboyism is irritating.

1) I said that there were AP mitigations but you kept ignoring this and just repeating that "it's a client side vulnerability" as though there's nothing Netgear could do. Yes it is, but as I said it didn't mean there was nothing they could do, and that doesn't mean those mitigations wouldn't help.

2) We all have devices in our homes that don't leave the home. Your wifi scale or washing machine or home theatre streamer or whatever aren't roaming all over the place. So yes, a mitigation isn't a fix, the clue is in the name, but for many devices - esp. those least likely to be patchable - it would really help. Stop minimising how useful that would be.

3) They had 50 days. You said they had 3 weeks.

4) How many more devices have received patches since that original advisory? I'm counting zero. Is it zero? https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-...

5) Speaking of that advisory, stop pointing to it as though it "obviously" answers questions. It's carefully written to minimise the description of harm, and in any event it's inconsistent. For instance, the advisory lists CVE-2017-13082 which is the AP vulnerability for Fast BSS - if no devices are affected by this vulnerability why is it listed at all, so which one is the mistake - listing that CVE or saying you don't need to worry if you don't use bridge mode? Does Orbi use the same logic but not the same protocol, and therefore have the same weakness but not *technically* be covered here so they can say "it's not affected by _this_ advisory" even while they know it's vulnerable?

6) Some of us use bridge mode, stop assuming we don't.

7) I've rolled out mitigation patches on my other AP. It's a better brand. Don't assume other vendors aren't on the ball.

8) No, Netgear don't *have* to provide mitigations. Nor do IP backbone companies have to block malicious endpoints, nor do OS vendors have to provide tools to detect bad software you yourself chose to install, etc. It's what responsible companies do.

9) This isn't the first vulnerability response we've seen from Netgear. Possibly you recall the howler last year when Netgear didn't read the vulnerability disclosure sent to them so we all had a zero-day vulnerability that gave root access to the AP, including changing your DNS or something equally scary. Fun times. You say we can only judge this with hindsight when this is behind us. I think it's pretty easy to call it now.

 

Stop parroting useless minimising points from the advisory like "someone has to be within range to exploit this". Why not also add that statistically speaking it's more likely to be someone else exploited rather than you? This is not a useful perspective. You're vulnerable or you're not. My Netgear AP is vulnerable because I need it in bridge mode, so I've taken it out of my network and I've listed it to sell it. Netgear's response to this has ensured I won't buy another, whether it's been just as good as TP-Link or D-Link or whatever. That's not where the bar is set.

 

Give up the "I'm not a fanboy, but..." routine, it's getting tiresome.

Message 64 of 73

Re: WPA2 - KRACK / Vulnerability

@flamebait I totally agree with you.

 

Bridge mode is a feature in the router, and if the feature is vulnerable, it needs to be fixed, no matter whether it's used or not. Think about it: if there is a feature in Windows that is vulnerable when enabled, and Microsoft says don't worry, you are fine as long as you disable the feature, what will our response be?

Message 65 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@Penguin101 wrote:

@flamebait I totally agree with you.

 

Bridge mode is a feature in the router, and if the feature is vulnerable, it needs to be fixed, no matter whether it's used or not. Think about it: if there is a feature in Windows that is vulnerable when enabled, and Microsoft says don't worry, you are fine as long as you disable the feature, what will our response be?


Of course bridge mode needs to be fixed.  I never, ever said it doesn't.  But, if you aren't using bridge mode, then you don't personally have to worry about that particular vulnerability.

 

If you want to use the bridge mode fix as a measure of Netgear's responsiveness to a security issue, then that's perfectly fair.  But, a bridge mode fix won't help your WiFi Wemo switch that's connected to your router in any way.  Hopefully all AP manufacturers will discover and deploy an AP-side fix that can lessen or fix all client vulnerabilities.

Message 66 of 73
Guide

Re: WPA2 - KRACK / Vulnerability

I'm not a fanboy in any sense of the word.  I'm trying to make sure that reasonable people in this thread who don't grok the details of the vulnerabilities understand what is actually going on here.  This thread went absolutely nuts initially and left a lot of people assuming that Netgear was entirely responsible for their vulnerabilities and that until they got an AP fix from Netgear, they were toast.  That's not a fair characterization of the issue and that's what I was trying to make sure people know.

 

Yes, if you are using bridging, you are absolutely vulnerable until you either stop using bridging or get a fix for that from Netgear. I do wonder why Netgear doesn't have fixes out for this yet, at least for current products still under development. They probably do also have a backlog of literally hundreds or thousands of older products that also need this fix.

 

But, your up-to-date Windows 10 laptop connecting to your Netgear AP is not vulnerable at all because Microsoft has already fixed the windows client.

 

Yes, we are all hoping that AP manufacturers come out with an AP-side fix that prevents or mitigates unpatched clients without compromising connection reliability.  That work appears to be still being investigated.

 

So, I want to make sure the folks in this thread know what to be concerned about, what not to be concerned about and where to be looking for what types of fixes.

 

So, while fanboy-ism should not be tolerated here, neither should the opposite.  Just trying to focus on the realities of the situation and keep all the emotional bashing out of it.

Message 67 of 73
Aspirant

Re: WPA2 - KRACK / Vulnerability

At this point it doesn't really matter....  I have an EX6400 in addition to the R8000 and the EX6400 is vulnerable to the Krack attack because it's pretty much a bridge device (extender).

 

Netgear has had almost 2 months to develop, test, and release a fix. They still haven't released an update, they haven't communicated the status regarding an update, and it shows just how disengaged they are from their consumer customers. Honestly, in many ways, they set up this Netgear community and expect us to answer one another's questions to remove dependency on their support, but yet they don't provide any meaningful input or updates.

 

I suppose they are one notch better than Ring[.]com considering that at least they acknowledged the products that are impacted, whereas Ring and other vendors are still being ignorant of whether their product is impacted or not.

 

 

Message 68 of 73
Luminary

Re: WPA2 - KRACK / Vulnerability

I don't know how much you can let Netgear off the hook anyway. I might not run my Nighthawk in an affected mode but I have an Arlo camera that is a client device that literally looks and listens inside my house, and has it been patched yet? No.
Message 69 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@Diggie3 wrote:
I don't know how much you can let Netgear off the hook anyway. I might not run my Nighthawk in an affected mode but I have an Arlo camera that is a client device that literally looks and listens inside my house, and has it been patched yet? No.

Yep, they're totally on the hook for the Arlo (not really the main subject of this thread though). 

Message 70 of 73

Re: WPA2 - KRACK / Vulnerability

Way too long waiting for R7000 patch. Long delays are caused by PROFITEERING by Netgear (i.e. not employing enough programmer resources).

 

Obvious and very reasonable consumer response here is CLASS ACTION LAWSUIT... who is in?

Message 71 of 73
Guide

Re: WPA2 - KRACK / Vulnerability


@rockandroller wrote:

Way too long waiting for R7000 patch. Long delays are caused by PROFITEERING by Netgear (i.e. not employing enough programmer resources).

 

Obvious and very reasonable consumer response here is CLASS ACTION LAWSUIT... who is in?


It's a bit hard for us to know how much of this is entirely Netgear's fault.  They could be waiting for a driver update from a chip-maker and then have to test that against several hundred products that they've released over the last decade.  That is apparently the problem that a lot of device makers face right now.  They buy a chip that has WiFi in it that comes with a pre-made driver and the issue needs to be fixed in that driver which is not their code.

 

Also, keep in mind that unless you're using WiFi bridging from your router, your best bet is to get client patches (since that's where the real issue is).

 

Of course, it could just be that Netgear isn't taking the issue seriously too - hard for us to know.  Their communication on the topic is definitely lacking.

 

As for the lawsuit comment, those tend to work when there are proven damages incurred by large numbers of people.  Probably not the case here yet.

Message 72 of 73
Master

Re: WPA2 - KRACK / Vulnerability

It is also a problem that will be with us for many years, as people will not update many of the products they buy now, believing that there is no need to update a wifi-enabled oven, icebox, or even washer or dryer; they will all have the very same issue depending on when and where they were made.

Message 73 of 73