KRACK WiFi Bug and JetPacks
BobLloyd2017
Newbie

I just completed a chat with support. Accordingly the Jetpack MiFi 6620L does not need a firmware/software patch as the KRACK bug is not applicable to this device. I'm unsure about that answer from support and I'm hopeful someone here can provide additional details. We use these in a highly regulated environment and I need to be 100% sure we are not at risk when using this device.

0 Likes
Re: KRACK WiFi Bug and JetPacks
7e18n1
Specialist - Level 3

You are most definitely at risk!  As pointed out in another thread, Verizon does not make any of the devices impacted by the Krack Exploit. It is not Verizon's responsibility to fix them. That task falls upon the OEM that made the device in question and if and when they do something about it, time will only tell.

If the issue concerns you then disable Wi-Fi and stop using it. You can use a VPN to keep your data secure, but it doesn't stop the Krack exploit.

https://www.krackattacks.com/

Re: KRACK WiFi Bug and JetPacks
John_Getzke
Champion - Level 1

> I just completed a chat with support. Accordingly the Jetpack MiFi 6620L does not need a firmware/software patch as the KRACK bug is not applicable to this device.

This contradicts all of the information that is available about the vulnerability from what I have seen so far.  I feel the support person you spoke to is misinformed or being taken out of context.

If you want to take the word of the support person then try to find for us some kind of documentation that we can share with the rest of the community. The only way the KRACK exploit would not apply would be if you were using the USB tethering feature and disabling WiFi on the MiFi. No WiFi, No exploit. This might be where the support person's response could be taken out of context due to a lack of details leading up to that statement.

0 Likes
Re: KRACK WiFi Bug and JetPacks
Road_Trip
Newbie

People need to turn up the heat on Verizon and other providers on this. This is turning into a legal and moral breach of contract. The KRACK bug which absolutely does affect every, single, WPA2 WiFi device on the planet was announced back in mid October 2017. We are now closing in on 4 MONTHS of waiting. A huge percentage - I bet something like 90% of the other mobile devices these providers have sold on the planet have had patches released. All of these other devices provided some other value based on cellular data and WiFi is a sidebar. Patches were rushed out.

What is very concerning about the hotspots is (a) they provide no other value than WiFi, (b) tend to get used in very public places where they can easily be attacked and (c) have just as long of contracts as the above devices.

I'm now at 4 months of paying Verizon for a paperweight under a contract that I can't get out of economically. I've called several times and 1st level support has NO AWARENESS OF THIS PROBLEM - 4 MONTHS LATER. Advanced support has given me a small credit.

My intent is to never ever pay more than 2 months for a device under contract that I can't use safely. Two months has proven to be a reasonable amount of time, for other vendors. I would strongly encourage others in similar situations to start to push back on paying monthly for these devices. This kind of abject failure, is the stuff that class actions are made of.

So before I'm flamed, let's get some truth out there:

(a) Yes, Novatel makes the hardware and the software. They did that under a contract with Verizon. Verizon is the one that is keeping me under contract for a device flaw that their subcontractor is responsible for. I don't care who in the manufacturing chain is responsible, Verizon is the one charging me

(b) No, there is no other value provided by a hotspot. It's a cellular radio on one side and WiFi router on the other

(c) No, KRACK is not fixed by having the connecting device patched. Both the device and the router have to be patched. Read for crying out loud - it's out there and has been picked up by all the majors.

(d) No, it's not a legacy device for which support has ended. I'm still under contract and have to pay to get out. The vendor can't expect the contract to be valid - this is a broken trust

(e) Yes, at 4 months, without even a policy made available to support staff, it shows bad intent. Head in sand at best

(f) Yes, there is damage. I bought the device because I needed it to run my business. Not having this mobile WiFi, cellular connected network is hurting my company's ability to get work done. Yes I have had to pay for something I can’t use based on a broken promise it would be kept up-to-date

(g) No, there is no evidence that the new models currently being sold and contracted have been patched, new damage happening to new customers

(h) No, switching to WEP encryption is not a solution. There have been network frame based 30sec cracks for WEP encryption for years. WEP = zero encryption, WPA2 = even less time to get hacked.

My workaround: Turn on hotspot on a patched tablet which has a much larger battery than the phone. Carry an external battery for the tablet. Buzz kill: I can’t find out for sure that Apple has fixed KRACK in their hotspot/router software. I know they have fixed for the device to join a WiFi network. Back to no mobile WiFi….

So let's band together to get one of a couple viable options to happen:

(a) Strongly preferred, via customer pressure, Verizon gets this fixed

(b) Verizon stops charging us and releases all hotspot contracts. If you want to go month to month and pay for a compromised device then the responsibility for any damage switches to you. That's ok, you may have a reasonable use case.

Please, this is one case where it looks like it is not going to happen without customer pressure. There is no reason you should be giving out your personal secrets such as your bank sign on, or your company’s secrets to all your best friends at the coffee shop or airport. If you keep using these devices, then you might as well hand out printouts. At least you will know who you have given the above to.

Verizon, if you take this post down, it will show up in many other open forums and it will show bad intent on bad intent. You are better off responding. If you show you are trying and have a plan to make people whole, then they will go from angry at you to being on your side for the difficult position this vulnerability has put you in. Your hotspot business will take a considerable hit for a while, but you will win in the long run.

0 Likes
Re: KRACK WiFi Bug and JetPacks
tabithaj_vzw
Verizon Employee

I've sent you a private message here in the forum. Please check your inbox at <https://community.verizonwireless.com/inbox> to discuss further details about your concern.

TabithaJ_VZW Follow us on TWITTER @VZWSupport  If my response answered your question please click the Correct Answer button under my response. This ensures others can benefit from our conversation. Thanks in advance for your help with this.

0 Likes
Re: KRACK WiFi Bug and JetPacks
Road_Trip
Newbie

Hi thanks for the response and the sentiment, however I have called support multiple times. This issue affects all hotspots so is not an account issue. The device in question is a MiFi 6620L Software version 3.0.

As far as I can tell no VZW hotspots have been remediated for KRACK. If you can offer proof that one has, then I would be willing to do an early upgrade.

If you get the response back that a patch is not needed then I urge you to beg your back office to get ahead of this. There is a huge body of technical information including from the research team at Berkley who found the vulnerability that all WPA2 WiFi encryption is affected. Carriers who persist with this message are eventually going to be the subject of bad press in the WSJ, Forbes and others. The position is just not going to stand scrutiny.

I'm doing some research for a workaround and if it pans out will post in the forum. Perhaps tethering will use the cellular radio only and turn off WiFi. This makes the hotspot useable for one PC at a time.

You might hear back that users most often do web browsing where sensitive information is protected by https web encryption. The KRACK vulnerability allows for malware insertion even if https is used so that's not a viable reason for users to continue to use insecure WiFi.

Carriers who get ahead of this and put a plan and advice in front of their customers are going to be ahead in the long run.

We in the tech community realize this is a total mess. KRACK affects an estimated 1 trillion devices on the planet and estimates are that it will take over 10yrs for us to get totally past this.

I'm hoping VZW will get serious with Mitel and work out a priority list to begin to give customers options.

Thanks again for the reply.

0 Likes
Re: KRACK WiFi Bug and JetPacks
7e18n1
Specialist - Level 3

You're overreacting!

Within days of Mathy Vanhoef's public disclosure of the Krack exploit, researchers theorized that the reason they couldn't make it work was because Mathy Vanhoef intentionally withheld information necessary to make it work, from public disclosure. Now, here it is 100 days later and all available evidence supports this theory. Google Krack and you'll see virtually the same hits as 3 months ago, what you don't see is complaints about being infected with any type of Krack exploit. Google Krack test and the only test requires membership in the Wi-Fi Alliance. Google Wi-Fi Alliance to find out what this is. Search VirusTotal.com and no one has submitted any samples flagged as containing a Krack exploit. No AV vendor has published detection rates involving a Krack exploit. In other words, there is no evidence of a Krack exploit in the wild.

Verizon Wireless is stuck in the middle of this; it's not their job to fix your equipment. It is up to the manufacturer to provide firmware updates and if the equipment is out of warranty then the manufacturer has lived up to their end of the bargain and they are under no legal, moral or ethical obligation to do anything else. The truth is, you buy and use this equipment at your own risk--neither the OEM nor the provider is liable just because someone found a kink in the armor.

Perhaps it would be a good idea to review the Customer Agreement, the contract between you and Verizon Wireless. It does not give exception for firmware that makes you unhappy. If you don't pay the bill it will only affect you and your credit rating.

Re: KRACK WiFi Bug and JetPacks
Road_Trip
Newbie

You make an excellent expert witness for the defense. Some thoughts:

First to our community. Security is a complex issue, you use a complex product where there are many things that can go wrong, including security breaches. It's always good to keep up with current patches and to plan multi layers of security. In this case ensure that you have a current browser and current operating system patches installed. Notice the padlock icon in your browser address bar and be sure your traffic is secured when you have to enter passwords or other confidential information into a website. Use complex passwords that contain special characters and use different passwords especially for your financial institutions so that the loss of one password does not compromise all systems. Know what social engineering is and know how to avoid it. Keep anti-virus software up-to-date and make sure that the firewall is up and running. Do this and you will be ahead of the curve and well on your way to information security. Still you have to keep an ear to the ground when a security discussion in the techie ranks reaches a considerable level of activity. In these cases, you are going to have to decide what to do and what is your risk tolerance. If you are in doubt about a technology's safety, it's best to err on the side of caution and limit what you do with it. That is where I am at with the hotspot.

Now that we have helped the community, let's get into it. You are right, no known exploit in the wild but the wild, by definition, is an unknown space. Arguing from silence that nothing bad has been heard is a weak argument that even the ancient Greeks would take you to task for. The problem is that the intent of malware has changed. It used to be in your face, highlighting its presence. Now with the value of data being so high, it's silent, does everything to hide out. This has caused all responsible vendors to patch the vulnerability promptly. Literally almost every last thing that Verizon sells has been patched. In regard to the value of creating a patch, literally the entire industry does not agree with you. What’s left for hotspots is for customers to assess their risk. I doubt anyone reading this would leave their houses, cars, safes unlocked because no one in the neighborhood has reported being robbed yet. The argument from silence is incredibly dangerous in regards to device security.

You are just plain incorrect, probably willfully, regarding the relationship of the customer, the manufacturer and Verizon in regards to patches. I can't get a user account with Novatel (sorry for getting the vendor wrong in prior posts) to fix my own device. I tried. These devices do not have the same customer relationship as smartphones and tablets do. Thankfully we have isolated device differences to backboards and such so that the OS makers can provide us updates directly. This is so much better than the bad ole days when the carrier had a long, long OS vetting process and controlled the update. That's for smart devices. We still have the old relationship for hotspots, therefore Verizon is the only entity that will cause the update to become available for a hotspot and the update must come down through Verizon’s data network. If there is another way to update the MiFi 6620L specifically then I am all ears. The next question: where is the update that addresses this vulnerability? Perhaps you have never owned such a device or owned an older model before this became true. We are dependent on Verizon making the update available. Plain truth.

Sadly, we come to the last part. The legal standing of a vendor to deliver value through a contract period or fix known defects over a reasonable useful life. If you break the phone of course we understand additional risk insurance. If the device fries and does not burn anything down, then of course we understand manufacturing warranties. Let’s don’t obfuscate here. It may be that the contract allows the maker (Novatel) and the supplier (Verizon) to refuse to update the device, leaving it potentially vulnerable and still be able to enforce the contract. What a sad state of affairs. What would be reasonable is that they announce end of support policies like other manufacturer/supplier pairs do. If they want to do that before your contract is up, that’s ok, give a transition plan and an incentive, like other manufacturers do. What I don’t believe they should be allowed to do is make no reasonable communication via their support channel, sell new flawed devices and contract them just as if nothing was wrong. There are much larger consumer consent and informed use laws for other products, I can’t see how they would not apply here. If not and regardless is that the relationship Verizon wants to have with its customers? Really? At a minimum, businesses run as such are ripe for disruption.

What I want is (a) acknowledgement of what has and has not been patched in the hotspot space for KRACK or any future vulnerability, easily accessible to customers via customer support plus advice on how to work around, assess impact, such as use it tethered, (b) reasonable transparency about the patch creation status and (c) financial reimbursement to make up for a loss of value from the device’s problem. If you buy a rotten watermelon (and oh boy do they smell) and you take it back to the store, they don’t tell you to contact the grower. Never once has the seller not cheerfully made good. It’s sort of like the “all I needed to know to get along, I learned in kindergarten” sort of thing. Verizon, take the high road here. You can lose by not doing it. You can’t lose by going the extra mile. There are problems at the other carriers regarding this. You have a chance to shine here.

By the way, of course I will pay although I don’t use debt, even for houses, so don’t give a damn about my credit rating. Paying per the contract does not mean all of us should not continue to seek relief or a patch, however. There is another vendor in this space which is facing something like 30 class action suits around the world for willful creation of effects that lowered usefulness of a device after the sale. Refusing to keep up with security patches across a device’s useful life is a willful abandonment. Obviously, we can’t empty the shelves of all unpatched devices, but vendors can’t expect not to have their reputations tarnished in the marketplace when they don’t even recognize the problem or have a plan or have concern for their customers. I contacted a small health device company about the WiFi on their device and was answered promptly that they were aware of KRACK, working with their chip maker and had a prepared statement as to how to minimize risk and promised a roll out plan for their customers soon. What a difference!!

I want Verizon strong and investing in new tech for us. I wish the vendor above with the lawsuits had taken the high road. I believe a transparent vendor, informing their customers, concerned about their security, and offering a path for customers who remain concerned would be created by my asks above. I believe my asks are reasonable, valuable and fair to all involved and I am begging for a course change here. I’m preparing to have worldwide customers and believe me, we will never, ever, ever follow the path of the above poster. We will win only by delighting our customers even when things go wrong, even when the things that go wrong are not our problem but are part of the ecosystem affecting our customers' satisfaction. We will go the extra mile and stand with our customers because there is absolutely no company or profit without them. Truth!

0 Likes
Re: KRACK WiFi Bug and JetPacks
John_Getzke
Champion - Level 1

These comments are written to 7e but they are directed towards Verizon. I suggest you contact Verizon directly and settle what differences you can with them before writing to the public forums again. When it's done let us know how it went.

It's great everyone is so passionate about security in this thread. However, unless we just want to vent nothing is going to get done unless someone attempts to work with VZW directly. Verizon is under no obligation to read or respond to anything in the public forum.

0 Likes
Re: KRACK WiFi Bug and JetPacks
7e18n1
Specialist - Level 3

> You make an excellent expert witness for the defense. Some thoughts:

My goal was to point out the likelihood of anyone encountering the exploit, but you seem of the opinion that doesn't matter and Verizon should change the way they do business to accommodate … fear. Since you didn't read or failed to understand the Verizon Wireless Customer Agreement, here's what you missed:

"We make no representations or warranties, express or implied, including, to the extent permitted by applicable law, any implied warranty of merchantability or fitness for a particular purpose, about your Service, your wireless device, or any applications you access through your wireless device. We do not warrant that your wireless device will work perfectly or will not need occasional upgrades or modifications, or that it will not be negatively affected by network related modifications, upgrades or similar activity."

All you really have is the proof of concept and that just isn't enough to prove Verizon guilty of neglect. It's kind of like holding Walmart Auto Center liable because nails can give you a flat tire.