Krack Attack WPA2 vulnerability
agent0071
Enthusiast - Level 2

As publicised here, the WPA2 protocol is pretty much p0wn'd. Has/will Verizon be issuing a firmware update for any of their routers (specifically the quantum gateway) to address the vulnerability? If so, when? If not, why not?

Thank you

56 Replies
denison4
Enthusiast - Level 2

KRACK update yet for ActionTec router and extender? Already patched my Linux Mint OS today against it. No patch found yet for Windows based systems. Will Verizon issue a patch for ActionTec routers, or will we need to overflash it with a WRT program instead?

0 Likes
CRobGauth
Community Leader

As others have stated, this is not a router vulnerability.

It is in the client side.

Vulnerability is in the ability to inject a fake message to client.

0 Likes
davewwright
Enthusiast - Level 1

All but one of the vulnerabilities are client side, i.e., they require updates to your PC, Mac, tablet, phone, etc. Most of these vendors have yet to provide patches. Microsoft has rolled out updates but Apple is still testing fixes in beta. Expect updates in the next few weeks.

There is one server-side (router) issue.  It only affects routers running 802.11r.  There is no official word from ActionTec -- their web page says we will let you know.  But the assumption is that 802.11r is not enabled on the Verizon FIOS routers.

Neerneemort
Newbie

Everyone should read this: https://www.krackattacks.com/#demo

To "fix" this, the client AND router/Wireless AP etc. need to be patched.

0 Likes
relder1
Newbie

For particulars around KRACKs (Key Reinstallation AttaCKs) you may want to read:

https://meraki.cisco.com/blog/2017/10/critical-802-11r-vulnerability-disclosed-for-wireless-networks...

https://nvd.nist.gov/vuln/detail/CVE-2017-13082

Cisco states, in order to help mitigate:

"We strongly urge all customers to verify that they are either patched to the latest firmware version* or that they have disabled 802.11r."

0 Likes
CRobGauth
Community Leader

Couple of things:

1) This is a peer to peer support forum so Verizon doesn't post here.

2) Do the FIOS routers even support 802.11r? I don't think so, but can't say for sure. If they don't, then there isn't a vulnerability. I haven't seen any settings in Quantum router that mention 802.11r

Kahn2
Enthusiast - Level 3

1. Verizon does not seem to answer its customers anywhere, so it can't hurt posting it here.

2. Windows 7 and above are not vulnerable (so most Win and IOS clients are OK, Linux and OS X, not so much if they were compiled to support the old WPA extensions), any router that can support multiple access points (this includes WiFi extenders) will implement 802.11r, so you will not see any GUI setting on the router (this is after all a consumer product). (NOTE: Even on Cisco routers it's not immediately apparent, being a checkbox enabling "Fast Switching"). I would suspect the support exhibited by Fios routers connecting with the IoT would strongly indicate inherent 802.11r support being the case. So the question is a valid one waiting to be answered.

Side Note: In Linux this is done at compile time, hence why the firmware would require a patch.  I would be overjoyed if it were as simple as turning off a switch.

Kahn2
Enthusiast - Level 3

So exactly WHEN is Verizon going to get around to pushing out a patch to its routers? Inquiring potential victims want to know. Tech support apparently doesn't have a clue when.

0 Likes
MrsSippyMoon
Newbie

Agree. Verizon, is there an estimated turn around?

0 Likes
Tommy_Router1
Newbie

I believe the G1100 router is manufactured by Actiontec.

I just found this on the Actiontec website:

https://actiontecsupport.zendesk.com/hc/en-us/articles/115005205283-KRACK-Vulnerability

Short Version- It indicates that if a service provider WiFi router is a concern, such as Verizon's, the service provider will 'push' the patch and it requires no other user intervention.

0 Likes
jonjones1
Legend

Nope.

http://www.fiercecable.com/cable/greenwave-reality-builds-fios-quantum-gateway-for-verizon

Greenwave makes them for Verizon.

But yes, if there is a patch needed it will be pushed out from Verizon Fios.

0 Likes
FL2MD
Newbie

Is there a Router Firmware Update for KRACK Vulnerability? 

Actiontec MI424WR Rev. 1 Router

0 Likes
tns2
Community Leader

@FL2MD wrote:

Is there a Router Firmware Update for KRACK Vulnerability? 

Actiontec MI424WR Rev. 1 Router


The Actiontec MI424WR, all revs, are not believed to be vulnerable. They don't support 802.11r. We need to hear first from Actiontec and then Verizon. Similar from Greenwave and Verizon. In each case the manufacturer needs to create a fix and pass it on to Verizon to implement and push out.

0 Likes
tns2
Community Leader

Official word from Actiontec on its routers.

"DATED 10/24/2017

Actiontec is aware of the industry-wide KRACK vulnerability affecting Wi-Fi Protected Access protocol standards (i.e. WPA/WPA2).

Our customers are our highest priority, and our goal is to provide you with timely information to ensure that your home network is as safe as possible.

If your Wi-Fi router or network extender was provided by your service provider (i.e. Bell Canada, CenturyLink, Cox, Dish, Google, Frontier, MTS, SaskTel, TDS, Telus, Verizon, Windstream), it is not affected by the KRACK vulnerability, and no firmware update is required. These products do not operate in repeater mode and do not have 802.11r FT enabled."
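
Whether an access point has 802.11r FT enabled, the condition this thread keeps returning to, can be read from the beacon it broadcasts: FT shows up as an FT AKM suite in the RSN element and as a Mobility Domain element. The parser below is an added example, not part of the original thread or any vendor's tooling; the two element blobs are constructed samples standing in for the tagged parameters of a beacon captured from your own access point.

```python
import struct

OUI_IEEE = bytes.fromhex("000fac")
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
FT_AKMS = {3, 4, 9}                      # AKM suites that use 802.11r FT
EID_RSN, EID_MOBILITY_DOMAIN = 48, 54    # element IDs carried in beacons

def iter_elements(buf):
    """Yield (element_id, body) pairs; stop at the first truncated element."""
    pos = 0
    while pos + 2 <= len(buf):
        eid, length = buf[pos], buf[pos + 1]
        body = buf[pos + 2:pos + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        pos += 2 + length

def rsn_akms(rsn):
    """Return the 00-0F-AC AKM suite type numbers listed in an RSN element body."""
    pos = 2 + 4                          # skip version and group cipher suite
    if len(rsn) < pos + 2:
        return []
    n_pairwise = struct.unpack_from("<H", rsn, pos)[0]
    pos += 2 + 4 * n_pairwise            # skip the pairwise cipher list
    if len(rsn) < pos + 2:
        return []
    n_akm = struct.unpack_from("<H", rsn, pos)[0]
    suites = [rsn[pos + 2 + 4 * i:pos + 6 + 4 * i] for i in range(n_akm)]
    return [s[3] for s in suites if len(s) == 4 and s[:3] == OUI_IEEE]

def ft_report(elements):
    """Summarise whether the beacon elements advertise 802.11r FT."""
    akms, mdid = [], None
    for eid, body in iter_elements(elements):
        if eid == EID_RSN:
            akms = rsn_akms(body)
        elif eid == EID_MOBILITY_DOMAIN and len(body) >= 3:
            mdid = body[:2].hex()
    return {"akms": [AKM_NAMES.get(a, f"type-{a}") for a in akms],
            "ft_advertised": bool(FT_AKMS & set(akms)) or mdid is not None,
            "mobility_domain": mdid}

# Constructed samples: SSID "HomeAP" + RSN (PSK only), then the same with FT-PSK + MDE.
PLAIN = bytes.fromhex("0006486f6d654150" "3014" "0100000fac040100000fac040100000fac020000")
FT = bytes.fromhex("0006486f6d654150" "3018"
                   "0100000fac040100000fac040200000fac02000fac040000" "3603a1b201")
```

A result of `ft_advertised: True` only says the access point is running 802.11r; whether its firmware carries the fix for CVE-2017-13082 cannot be determined from the beacon.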

Bixbyte
Contributor - Level 1

SO EAZY to KRACK Verizon.

I hear 'they' is getting ready to sell a totally different newer Router.

I visited this website that checks your security and I am not able to post their link but you can private email me and maybe VZ will allow me to post their link?

Verizon's job is to protect your privacy as they claim.

There is one issue that really has me worried. 

The privacy website shows me publicly listed as

(MY ISP NUMBER) (MY CITY) (MY STATE) (at FIOS)

And the security firm claims that is totally legal.

THEN I asked them for what info can be harvested off me on the net.

They gave me my bank account name and my unique MAC Address that the bank uses just for my personal bank account.

And there is lots of other info that is available since they know my ISP and my location and that I am a FIOS customer. 

The only way I can imagine getting rid of people that are trying to mine your private information is to beg your internet company to change your ISP or close your account and open a new internet with the same or a different provider???? 

0 Likes