Reply

Re: WPA2 - KRACK / Vulnerability

Retired_Member
Not applicable

Re: WPA2 - KRACK / Vulnerability

Unknown by be - - I'm in the same boat with a legacy WiFi router

Message 26 of 45
rhester72
Virtuoso

Re: WPA2 - KRACK / Vulnerability

Virtually every network device ever created is vulnerable unless a patch is made available.

 

It's entirely possible that some devices from various vendors are well past their end-of-support dates, and each vendor will have to make a decision on a case-by-case basis whether to offer a one-off patch or just consider them deprecated and suggest the user upgrade their hardware.

Message 27 of 45
jdpg2
Apprentice

Re: WPA2 - KRACK / Vulnerability

Where is the ORBI and ORBI Pro firmware updates to address this issue?  You have had since end of August to develope a fix... its getting silly now,

Message 28 of 45
jdpg2
Apprentice

Re: WPA2 - KRACK / Vulnerability

Not going to let this subject slide to the bottom of the forums.

 

Netgear where is the update for this exploit?  It shouldnt be that difficutl to patch since you have already addressed it on many of your other products.  Why are you exposing all Orbi users to potential issues through your inaction!

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 29 of 45
Glenee
Apprentice

Re: WPA2 - KRACK / Vulnerability

I agree this needs to be addressed ASAP. Don't wait till after  the fact. These things need to be got in front of before we are singing the woes.

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 30 of 45
tomsliwowski
Apprentice

Re: WPA2 - KRACK / Vulnerability

Just to put things into perspective, the KRACK attack is not so much a router attack as a client one. So the satellite may need updating (assuming it's using WPA for securing connectivity)  but the router doesn't necessarily need one. See the following from the KRACK discoverer's site:

 

https://www.krackattacks.com/#norouterupdates

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 31 of 45
DarrenM
Sr. NETGEAR Moderator

Re: WPA2 - KRACK / Vulnerability

This is a important issue and our engineering team is working on a fix for this exploit for orbi I do not have a exact date on a update but its a high priority.

 

DarrenM

Message 32 of 45
JMU1998
Luminary

Re: WPA2 - KRACK / Vulnerability

In the meantime while fix to hack is being worked on can we have the ability to turn off wifi per schedule? To minimize threats to wireless when not needed we can turn off?

Message 33 of 45
st_shaw
Master

Re: WPA2 - KRACK / Vulnerability

 

I don't believe this would have the effect you want.  As I understand it, the threat is only present when the Orbi satellite connects to the Orbi router.  If the system remains up and running, there is no threat.

 

Turning off the WiFi would create a vulnerability each time it's turned back on and the satellite is forced to reconnect.  This would vastly increase the vulnerability.

 

Message 34 of 45
SalusaSecondus
Aspirant

Re: WPA2 - KRACK / Vulnerability

Unfortunately, simply leaving the system up and running provides no protection against this attack. If an attacker is going to interfere with your communications to effect the KRACK attack, it is trivial for them to deauth the satellite and force it to re-auth whenever the attacker wants.

 

This certainly appears to be a very serious risk to systems using Orbi satellites and I hope that Netgear quickly releases a patch.

Message 35 of 45
mevans567
Aspirant

Re: WPA2 - KRACK / Vulnerability

SOLUTION = BETA FIRMWARE PATCH

NetGear released a patch on 2017-11-02.

Although I had contacted support via email, I never received any response, whether "yes, it's a problem" or "we've issued a patch."

Not the best experience, not a way to build confidence.

But, at least there is finally a patch.

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 36 of 45
JMU1998
Luminary

Re: WPA2 - KRACK / Vulnerability

Is this patch going to be part of the next Firmware release or we will need to patch again after taking next Firmware? 

Message 37 of 45
wchp
Luminary

Re: WPA2 - KRACK / Vulnerability

Downloaded both files

unzipped both and read the release notes.

backed up 2.0.0.74 settings

manually installed 2.0.0.76 beta on both RBS50 units

once they rebooted and came back up on the new firmware

manually installed 2.0.0.76 beta on the RBR50

checked all settings and nothing changed...

BUT, normally when you install a beta firmware you are supposed to hard reset (paperclip) the router and satellites and then manually configure them from scratch. This is to implement the new code.

You are NOT supposed to restore from the backup you made on the previous version of firmware either. This is to preclude any settings being brought forward that may conflict or improperly interact with the new firmware.

It made no mention of doing this on the beta firmware page or in the readme files... so I didn't do it and don't really know if the "hotfix" is actually implemented and running on the RBK53 system. All devices report they are running the new firmware, but are they really without a hard reset?

I am going to defer to Netgear admins to provide clarification on this topic.

 

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 38 of 45
SkywalkerPD
Apprentice

Re: WPA2 - KRACK / Vulnerability

Hi,

 

Trying to update my setup, starting with the sattelite, I do a manual update, select the proper firmware, it uploads and that's it, nothing happens.

Any suggestions?

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 39 of 45
wchp
Luminary

Re: WPA2 - KRACK / Vulnerability

Download and unzip the RBR and RBS beta firmware.

Power cycle all your devices (RBR50 and RBS50(s))

once everything is up, go to advanced>administration>attached devices

write down the IP address(s) of the satellite(s) 

enter the satellite(s) IP address in your browser

enter the UID and PWD (same as your router)

select firmware update 

browse and navigate to the unzipped folder for the RBS units

select and open the img file

select upload

that should get the job done.

 

 

 

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 40 of 45
SkywalkerPD
Apprentice

Re: WPA2 - KRACK / Vulnerability

Hi,

Thanks for the reply. I did all of the steps above, except the pre boot. Rebooted my setup and now they updated fine. So running on 2.0.0.76 now.

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 41 of 45
wchp
Luminary

Re: WPA2 - KRACK / Vulnerability

The Hotfix did not work out well for me. Had devices all over the house randomly dropping off and then coming right back on again. With 1 Echo, 2 Taps and 8 Dots it got annoying having them keep announcing they had lost their connection. Similar issue with Wink Hub2, and iSmart alarm cams. Downgraded back to 2.0.0.74, hard reset all devices and then manually set up from scratch. 

Things are stable again.  TP-Link LB100's were dropping connections too. IDK... guess that's why they call it a beta.

Message 42 of 45
JMU1998
Luminary

Re: WPA2 - KRACK / Vulnerability

Does anyone know if a new official Firmware will be released that will include this vulnerability fix?

Message 43 of 45
rhester72
Virtuoso

Re: WPA2 - KRACK / Vulnerability


@wchp wrote:

The Hotfix did not work out well for me. Had devices all over the house randomly dropping off and then coming right back on again. With 1 Echo, 2 Taps and 8 Dots it got annoying having them keep announcing they had lost their connection. Similar issue with Wink Hub2, and iSmart alarm cams. Downgraded back to 2.0.0.74, hard reset all devices and then manually set up from scratch. 

Things are stable again.  TP-Link LB100's were dropping connections too. IDK... guess that's why they call it a beta.


Given the only change to the current production firmware was supposed to be the KRACK fix, I'm quite surprised by this.  I also applied it at home (3 Echos, 2 Dots, 2 Nests, 9 Nest Protects, and 1 Google Home Mini) completely without issue - the network works just as well before as after.

 

I'm in AP mode - not sure if that makes a difference.

 

Rodney

Message 44 of 45

Re: WPA2 - KRACK / Vulnerability

Netgear's slow and unresponsive attitude to the Krack exploit is very worrisome. Even though the Orbi is sold, and priced, as a premium WiFi mesh solution it is not getting any significant improvments. The Krack fix is still in beta, the guest network in AP mode is worthless due to lack of isolation, the iOS app is poor and missing features.

 

If you look at some of the other Mesh WiFi products they are adding feature and refinements. One small example, on a competitor's system they have an isolated guest network and you can send someone an invite with access to your guest network for a specific amount of time. ie. 1 hour, 12 hours or 1 day.

"Knock, knock Netgear...is anyone there?"

Model: Orbi High-Performance AC3000 Tri-Band WiFi System (RBK50)
Message 45 of 45
Top Contributors
Discussion stats
Announcements

Orbi WiFi 6E