Security Advisory: WPA2 Krack Vulnerability



In October 2017, researchers studying the WPA2 protocol discovered and demonstrated flaws in the protocol's design which mean that the security of client devices could be defeated and their data intercepted. Client devices are most commonly laptops, phones, tablets etc. but can also include routers and access points in 'special' operational modes. To carry out an attack, someone has to be within physical range of your wireless network; it cannot be conducted remotely from the Internet.

If you are browsing to TLS protected sites (SSL / HTTPS), including webmail services like Gmail, then the attack does not allow access to that data. If you are using an email client with SMTP or IMAP/POP3, those should also already have encryption between your client and the mail server (e.g. TLS), so would not be readable by using this vulnerability (but now is a good time to check that you do have encryption enabled for email and that you're browsing web sites with HTTPS whenever possible).

This vulnerability has been called 'Krack' and the vulnerabilities are logged under the following references: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 and also specifically under vendor reg at VU#228519. Technical details of the vulnerability are available on this web site.

Which wireless client devices may be affected?

As well as the most obvious devices mentioned above (laptops, phones and tablets), client devices include any wireless device which is connected as a client to a WiFi base station/access point, including:

  • Laptops (Windows, MacOS, Linux etc.)
  • Phones (iOS, Android etc.)
  • Tablets (iPad, Microsoft Surface, Android etc.)
  • eReaders (Kindle, Nook etc.)
  • Printers
  • IOT devices
  • Internet Personal Assistants (Amazon Echo/Dot/Alexa, Google Home, Apple HomePod)
  • Home automation (door entry, lighting, HVAC, thermostats etc.)
  • Home entertainment (TVs, HiFi, games consoles, media servers)
  • Connected (Internet) appliances etc.
  • Wireless repeaters or bridges
  • A router using WiFi as its Internet connectivity source
  • WiFi-enabled IP Cameras (CCTV) or WiFi baby monitors
  • Connected motor vehicles (cars)
  • Any other client device using WPA2

All of those client devices could need a patch/update to eliminate the problem. There is no later protocol than WPA2 that you can switch to instead, and older protocols (WPA, WEP) are considered obsolete.

DrayTek Products

Please read the whole of this section for the full context.

If you use a DrayTek wireless product (router or access point) and you are only using it as the wireless base (i.e. to provide WiFi to your portable devices) or in WDS mode, then it is not vulnerable to 'Krack' and a patch/update is not necessary for that operation (but you should always keep firmware up to date anyway).

If you are using a DrayTek Access Point (VigorAP series) in Universal Repeater Mode, Station Mode or using Wireless WAN then you need to update your firmware to protect against Krack. See the section below for the firmware versions.

Remember, even if your router or access point is not vulnerable, your wireless device (client) almost certainly is and you should seek an update for that. Ask your vendor about WPA2 Krack (or search their web site).

Mitigation for Unpatched Clients

If you cannot update your client devices or you believe unpatched clients might be used on your network, it may be possible to mitigate the client vulnerability by rejecting EAPOL retries on the router/AP. Technically, that would not be standard-compliant (with WPA2), which may not matter (it will slow down authentication on congested networks). However, your client will still be vulnerable on any other network, so patching the client (i.e. upgrading your client device's firmware) is the correct solution. Check with your vendor whether your specific access point or router can disable EAPOL retries.

Updated Firmware

DrayTek have already issued new firmware. The new firmware version numbers are as below. You should download and install these as soon as possible if you are using your device in the affected modes:

Routers with Wireless WAN support

  • Vigor 2862, version 3.8.7
  • Vigor 2860, version
  • Vigor 2830v2, version
  • Vigor 2925, version 3.8.5
  • Vigor 2926, version 3.8.7

DrayTek Access Points with Universal Repeater or Station Mode

  • VigorAP 910c, version
  • VigorAP 900, version
  • VigorAP 902, version 1.2.3
  • VigorAP 810, version 1.2.3
  • VigorAP 710, version 1.2.3
  • VigorAP 800, version

We will update this page if there is updated information. If you have non-wireless versions of the above routers, obviously they are not affected but you should still keep your firmware up to date anyway.
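The decision described in the two sections above (operating mode first, then firmware version) can be applied to a device inventory as follows. This is an added example, not DrayTek code: the mode labels, the sample inventory and the rule that any release at or above the listed version keeps the fix are assumptions, and models whose version number is missing from this page are reported as unknown.

```python
# Added example: triage a DrayTek inventory against this advisory.
# Fixed versions are copied from the lists above; None marks models whose
# version number is missing on this page (left unknown, not guessed).
FIXED = {
    "Vigor 2862": "3.8.7", "Vigor 2860": None, "Vigor 2830v2": None,
    "Vigor 2925": "3.8.5", "Vigor 2926": "3.8.7",
    "VigorAP 910c": None, "VigorAP 900": None, "VigorAP 902": "1.2.3",
    "VigorAP 810": "1.2.3", "VigorAP 710": "1.2.3", "VigorAP 800": None,
}
# Modes in which the device itself acts as a WiFi client (per the advisory).
CLIENT_MODES = {"universal repeater", "station", "wireless wan"}
# Modes the advisory states are not vulnerable (labels are assumed names).
BASE_MODES = {"access point", "wireless base", "wds"}


def parse_version(text):
    """Turn '3.8.10' into (3, 8, 10) so that 3.8.10 sorts after 3.8.7."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(model, mode, firmware):
    """Return 'not-affected', 'patched', 'update-required' or 'check-vendor'."""
    mode = mode.strip().lower()
    if mode in BASE_MODES:
        return "not-affected"
    if mode not in CLIENT_MODES:
        return "check-vendor"          # mode not covered by the advisory
    fixed = FIXED.get(model)
    if fixed is None:
        return "check-vendor"          # model or fixed version not on the page
    try:
        current = parse_version(firmware)
    except ValueError:
        return "check-vendor"          # non-numeric version string
    # Assumption: releases at or above the listed version keep the fix.
    return "patched" if current >= parse_version(fixed) else "update-required"


# Constructed sample inventory (hypothetical devices and firmware levels).
INVENTORY = [
    ("Vigor 2862", "Wireless WAN", "3.8.6"),
    ("Vigor 2926", "Wireless WAN", "3.8.10"),
    ("VigorAP 902", "Access Point", "1.2.0"),
    ("VigorAP 810", "Universal Repeater", "1.2.3"),
    ("VigorAP 900", "Station", "1.1.9"),
]

if __name__ == "__main__":
    for model, mode, fw in INVENTORY:
        print(f"{model:13} {mode:19} {fw:7} -> {triage(model, mode, fw)}")
```

A 'not-affected' result covers only the DrayTek device in that mode; the wireless clients connecting to it still need their own updates.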

Advice Regarding other Products (non-DrayTek)

You should check equivalent statements/advisories from the vendors of all of your other networking hardware and any wireless devices, and then follow the advice of each of them regarding any necessary precautions or updates. Remember to check all Internet/Wireless connected devices, such as those in the list above.

It is important to stress - even if your DrayTek router or access point is not affected by this vulnerability, your wireless client (see the list of device types at the top of the page) almost certainly is and you should seek updated firmware or software from your vendor. That may not be available for older devices as vendors do not support products indefinitely (or chipset vendors no longer produce or support the components/code), in which case you should consider retiring your device or mitigating the risk in some other way.

Even if your product is not affected by this issue, you should still always keep your products up to date with the latest firmware which may provide other enhancements or security improvements.

Keep up to Date via our Mailing List

It is always recommended that you keep your router and other hardware up to date with the latest firmware and read vendor mailing lists. We will advise users of any critical or important issues. UK/Irish users can join the UK mailing list - join here.

Disclaimer: Please check this web page again for any new/updated information. The information on this page is based on our current understanding of the threat/issue at the time of writing and may have evolved or been superseded at your time of reading. You are advised to always keep your product's firmware or software up-to-date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.