Mailing List
Mailing List
Sign Up Here
Like, follow & share: visit DrayTek UK's Facebook page visit DrayTek UK's Twitter page visit DrayTek UK's Linkedin page
DrayTek

 

Security Advisory: WPA2 Krack Vulnerability

 

WPA2 is the security system used by most wireless (WiFi) networks. It replaced the older obsolete WEP and WPA protocols.

 

In October 2017, researchers studying the WPA2 protocol discovered and demonstrated flaws within the protocol design meaning that client devices' security could be defeated and data intercepted. Client devices are most commonly laptops, phones, tablets etc. but can also include routers and access points in 'special' operational modes.  For someone to implement an attack, they have to be within physical range of your wireless network - it cannot be conducted remotely from the Internet. This vulnerability has been called 'Krack'.  This is an 'evolving threat' so you should check back on this page, check for new firmware for any products and install them when available as a matter of habit.

 

What other Wireless client devices may be affected?

 

As well as the most obvious devices mentioned above (laptops, phones and tablets) client devices will include any wireless devices which is connected as a client to a WiFi base station/access point, including:

 

  • Laptops (Windows, MacOS, Linux etc.)
  • Phones (iOS, Android etc.)
  • Tablets (iPad, Microsoft Surface, Android etc.)
  • eReaders (Kindle, Nook etc.)
  • Printers
  • IOT devices
  • Internet Personal Assistants (Amazon Echo/Dot/Alexa, Google Home, Apple HomePod)
  • Home automation (door entry, lighting, HVAC, thermostats etc.)
  • Home entertainment (TVs, HiFi, games consoles, media servers)
  • Connected (Internet) appliances etc.
  • Wireless repeaters or bridges
  • A router using WiFi as its Internet connectivity source
  • WiFi-enabled IP Cameras (CCTV) or WiFi baby monitors
  • Connected motor vehicles (cars)
  • Any other client device using WPA2

 

All of those client devices could need a patch/update to eliminate the problem. There is no later protocol than WPA2 that you can switch to instead and older protocols (WPA, WEP) are considered obsolete.

 

DrayTek Products

 

Please read the whole of this section.

 

If you use a DrayTek wireless product (router or access point) and you are only using it as the wireless base, (i.e. to provide WiFi to your portable devices) then it is not vulnerable to 'Krack' and a patch/update is not necessary for that operation.

 

Wireless WAN is a feature of more recent DrayTek routers whereby the router gets its Internet access not from Broadband but from a secondary WiFi feed/hotspot/base. If you are using Wireless WAN then the vulnerability will be present as the router is a WiFi client in that scenario.  

 

If you are using a DrayTek Access Point (VigorAP series) in Universal Repeater Mode or Station Mode (as opposed to the more common/usual base station mode) then the device will be vulnerable to Krack.

 

WDS operation on DrayTek Access Points / Routers are not vulnerable.

 

Although it is theoretically possible to mitigate the client vulnerability by rejecting EAPOL retries on the router/AP, it would not be standard-compliant and your client would still be vulnerable on any other networks so patching the client is the correct solution (i.e. upgrade your client device's firmware). 

 

Remember, even if your router or access point is not vulnerable, your wireless device (client) almost cvertainly is and you should seek an update for that.  Ask your vendor about WPA2 Krack (or search their web site).

 

Updated Firmware

 

DrayTek plan to issue new firmware as soon as possible for affected models. The new firmware will be versions nos. as below. You should download and install these as soon as possible if you are using your device in the affected modes:

 

Routers with Wireless WAN support

 

  • Vigor2862 version, 3.8.7
  • Vigor2860 version, 3.8.5.1
  • Vigor2830v2 version, 3.8.1.3
  • Vigor2925 version, 3.8.5
  • Vigor2926 version, 3.8.7
  • Vigor2912 version 3.8.5
  • Vigor2120 version 3.8.5

 

DrayTek Access Points with universal repeater or Station Mode

 

  • VigorAP 910c, version 1.2.3.1
  • VigorAP 900, version 1.2.1.1
  • VigorAP 902, version 1.2.3
  • VigorAP 810, version 1.2.3
  • VigorAP 710, version 1.2.3
  • VigorAP 800, version 1.1.6.2

 

We will update this page if there is updated information.  If you have non-wireless versions of the above series, obviously you are not affected but you should still keep your firmware up to date anyway.

 

Advice Regarding other Products (non-DrayTek)

 

You should check equivalent statements/advisories from the providers of all of your other networking hardware vendors and any wireless device and then follow the advice of each of them regarding any necessary precautions or updates.  Remember to check all Internet/Wireless connected devices, such as those in the list above.

 

It is important to stress - even if your DrayTek router or access point is not affected by this vulnerability, your wireless client (see list of device types are the top of the page) almost certainly is and you should seek updated firmware or software from your vendor.  That may not be available for older devices as vendors do not support products indefinitely (or chipset vendors no longer produce or support the components/code) in which case you should consider retiring your device or mitigating the risk in some other way. 

 

Even if your product is not affected by this issue, you should still always keep your products up to date with the latest firmware which may provide other enhancements or security improvements.

 

 

Further details on the vulnerability

 

Technical details of the vulnerability are available on this web site.

 

If you are browsing to TLS protected sites (SSL / HTTPS), including webmail services like Gmail, then the attack does not allow access to that data. If you are using an email client with SMTP, IMAP/POP3, those should also already have encryption between your client and the mail server (e.g. TLS), so would not be readable by using this vulnerability (but now is a a good time to check that you do have encryption enabled for email and that you're browsing web sites with HTTPS whenever possible).

 

The vulnerabilities are logged under the following references : CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 and also specifically under vendor reg at VU#228519.

 

 

Keep up to Date via our Mailing List

 

It is always recommended that you keep your router and other hardware up to date with the latest firmware and read vendor mailing lists. We will advise users of any critical or important issues. UK/Irish users can join the UK mailing list -  join here.

 

 

 


Disclaimer : Please check this web page again for any new/updated information. The information on this page is based on our current understanding of the threat/issue at the time of writing and may have evolved or been superceded at your time of reading. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information is this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.