Krack Attack WPA2 vulnerability
agent0071
Enthusiast - Level 2

As publicised here, the WPA2 protocol is pretty much p0wn'd. Has/will Verizon be issuing a firmware update for any of their routers (specifically the quantum gateway) to address the vulnerability? If so, when? If not, why not?

Thank you

56 Replies
Bixbyte
Contributor - Level 1

SO EAZY to KRACK Verizon.

I hear 'they' is getting ready to sell a totally different newer Router.

I visited this website that checks your security and I am not able to post their link but you can private email me and maybe VZ will allow me to post their link?

Verizon's job is to protect your privacy as they claim.

There is one issue that really has me worried. 

The privacy website shows me publically listed as 

(MY ISP NUMBER) (MY CITY) (MY STATE) (at FIOS)

And the security firm claims that is totally legal.

THEN I asked them for what info can be harvested off me on the net.

They gave me my bank account name and my unique MAC Address that the 

bank uses just for my presonal bank account.

And there is lots of other info that is available since they know my ISP and my location and that I am a FIOS customer. 

The only way I can imagine getting rid of people that are trying to mine your private information is to beg your internet company to change your ISP or close your account and open a new internet with the same or a different provider???? 

0 Likes
FL2MD
Newbie

Is there a Router Firmware Update for KRACK Vulnerability? 

Actiontec MI424WR Rev. 1 Router

0 Likes
tns2
Community Leader
Community Leader

@FL2MD wrote:

Is there a Router Firmware Update for KRACK Vulnerability? 

Actiontec MI424WR Rev. 1 Router


The Actiontec MI424WR all revs, are not believed to be vulnerable.  They don't support 802.11r.  We need to hear first from Actiontec and then Verizon.  Similar from Greenwave and Verizon.  In each case the manufacturer needs to create a fix and pass it on to Verizon to implement and push out.

0 Likes
tns2
Community Leader
Community Leader

Official word from Actiontec on its routers.

"DATED 10/24/2017

Actiontec is aware of the industry-wide KRACK vulnerability affecting Wi-Fi Protected Access protocol standards (i.e. WPA/WPA2).

Our customers are our highest priority, and our goal is to provide you with timely information to ensure that your home network is as safe as possible.

If your Wi-Fi router or network extender was provided by your service provider (i.e. Bell Canada, CenturyLink, Cox, Dish, Google, Frontier, MTS, SaskTel, TDS, Telus, Verizon, Windstream), it is not affected by the KRACK vulnerability, and no firmware update is required. These products do not operate in repeater mode and do not have 802.11r FT enabled."

Tommy_Router1
Newbie

I believe the G1100 router is manufactured by Actiontec.

I just found this on the Actiontec website:

https://actiontecsupport.zendesk.com/hc/en-us/articles/115005205283-KRACK-Vulnerability

Short Version- It indicates that if a service provider WiFI router is a concern, such as Verizon's, the service provider will 'push' the patch and it requires no other user intervention. 

0 Likes
jonjones1
Legend

Nope.

http://www.fiercecable.com/cable/greenwave-reality-builds-fios-quantum-gateway-for-verizon

Greenwave makes them for verizon.

but yes if their is a patch needed it will be pushed out from Verizon Fios.

0 Likes
MrsSippyMoon
Newbie

Agree. Verizon, is there an estimated turn around?

0 Likes
Kahn2
Enthusiast - Level 3

So exactly WHEN is Verizon going to get around to pushing out a patch to it's routers?  Inquiring potential victims want to know.  Tech support apparenly doesn't have a clue when.

0 Likes
relder1
Newbie

For particulars around KRACK's (Key Reinstallation AttaACKs) you may want to read:

https://meraki.cisco.com/blog/2017/10/critical-802-11r-vulnerability-disclosed-for-wireless-networks...

https//nvd.nist.gov/vuln/detail/CVE-2017-13082

Cisco states, in order to help mitigate:

"We strongly urge all customers to verify that they are either patched to the latest firmware version* or that they have disabled 802.11r."

0 Likes
CRobGauth
Community Leader
Community Leader

Couple of things:

1) This is a peer to peer support forum so Verizon doesn't post here.

2) Do the FIOS rotuers even support 802.11r? I don't think so, but can't say for sure. If they dont, then there isn't a vulnerability. I haven't seen any settings in Quantum router that mentions 802.11r

Kahn2
Enthusiast - Level 3

1. Verizon does not seem to answer its customers anywhere, so it can't hurt posting it here.

2. Windows 7 and above are not vulnerable (so most Win and IOS clients are OK, Lunix and OS X, not so much if they were compiled to support the old WPA extensions), any router that can support multiple access points (this includes WiFi extenders) will implement 802.11r, so you will not see any GUI setting on the router (this is after all a consumer product).  (NOTE: Even on Cisco routers it's not immediately apparent, being a checkbox enabling "Fast Switching").  I would suspect the support exhibited by Fios routers connecting with the IoT would strongly indicate inherent 802.11r support being the case.  So the question is a valid one waiting to be answered.

Side Note: In Linux this is done at compile time, hence why the firmware would require a patch.  I would be overjoyed if it were as simple as turning off a switch.

denison4
Enthusiast - Level 2

KRACK update yet for ActionTec router and extender? Already patched my Linux Mint OS today against it. No patch found yet for Windows based systems.  Will Verizon issue a patch for ActionTek routers, or will we need to overflash it with an WRT program instead?

0 Likes
CRobGauth
Community Leader
Community Leader

As others have stated, this is not a router vulnerability.

It is in the client side.

Vulnerability is in the ability to inject a fake message to client.

0 Likes
Neerneemort
Newbie

Everyone should read this: https://www.krackattacks.com/#demo

To "fix" this, the client AND router/Wireless AP etc. need to be patched.

0 Likes
davewwright
Enthusiast - Level 1

All but one of the vulnerabiities are client side, i.e., they require updates to your PC, Mac, tablet, phone, etc.  Most of these vendors have yet to provide patches.  Microsoft has rolled out updates but Apple is still testing fixes in beta.  Expect updates in the next few weeks.

There is one server-side (router) issue.  It only affects routers running 802.11r.  There is no official word from ActionTec -- their web page says we will let you know.  But the assumption is that 802.11r is not enabled on the Verizon FIOS routers.

jisaac100
Newbie

I was reading about the new threat called KRACKs and understand I need to make sure I have the latest firmware for my router. How do I find the firmware and install it? I am on FIOS and have an ACTIONTEC M1424WR router.

0 Likes
JDSBlueDevl
Newbie

I just talked to someone in tech support. He said that the Actiontec is quite old and may not get patched. That has me upset, as I do not want to be forced to pay for Quantum (which will inevitably get patched). Why should I have to pay for someone else's mistake?

0 Likes
DavidK11
Newbie

I just chatted with Verizon help about the WPA2 KRACK vulnerability, and the representative informed me that my "routers are not vulnerable".  When I asked whether they were never vulnerable or did Verizon already patch them, the representative replied "They were not vulnerable to the KRACK exploit".  I then expressed my surprise saying I read that almost all devices that support WPA2 are vulnerable, and the representative replied with "We have checked and everything appears to be perfect and safe".  I then further inquired whether all Verizon routers (all makes and models) are not vulnerable, or only my 2 Actiontec routers, and the representative replied with "All Verizon routers are not vulnerable."

So I said Wow that's really amazing, and I asked why hasn't Verizon made a public statement to that effect since I'm sure Verizon has many anxious customers who would appreciate a public statement, and the representative replied that he would put the point forward to do so and pass on the message to the concerned teams.

So there you have it.  This representative seemed pretty sure of himself/herself.  I have snapshots of the entire chat.

Verizon, please make a public statement!

0 Likes
micheal154
Enthusiast - Level 2

sounds like **bleep** to me...

 but ok...

0 Likes
jonjones1
Legend

@micheal154 wrote:

sounds like **bleep** to me...

 but ok...


It is amazing some folks just can’t handle the truth. There is no conspiracy to not update firmware. But if it isn’t broke you don’t fix it. ☃️

0 Likes