
KRACK exploit - WPA2 has vulnerabilities

arabesc
Level 7
What is the ASUS position on the KRACK exploit?
Are ASUS routers vulnerable to it? Are you going to provide fixes?

darkguy2
Level 7
All routers are vulnerable that use WPA2. Called the tech support line and they had no idea what I was talking about.

xeromist
Moderator
darkguy2 wrote:
Called the tech support line and they had no idea what I was talking about.


Not surprising given that the information came out yesterday, on the weekend. It wasn't supposed to come out until today so some vendors may be caught without a response. I don't know if ASUS was one of the vendors informed ahead of time to allow for a patch to be applied.
A bus station is where a bus stops. A train station is where a train stops. On my desk, I have a work station…

xeromist wrote:
Not surprising given that the information came out yesterday, on the weekend. It wasn't supposed to come out until today so some vendors may be caught without a response. I don't know if ASUS was one of the vendors informed ahead of time to allow for a patch to be applied.


ASUS was notified at the latest on August 28, 2017. That is almost three weeks ago. I would think they would have something prepared by now.

We sent out notifications to vendors whose products we tested ourselves around 14 July 2017. After communicating with these vendors, we realized how widespread the weaknesses we discovered are (only then did I truly convince myself it was indeed a protocol weakness and not a set of implementation bugs). At that point, we decided to let CERT/CC help with the disclosure of the vulnerabilities. In turn, CERT/CC sent out a broad notification to vendors on 28 August 2017.

XIIIIX
Level 7
https://github.com/kristate/krackinfo#unless-a-known-patch-has-been-applied-assume-that-all-wpa2-ena...

"Unless a known patch has been applied, assume that all WPA2 enabled Wi-fi devices are vulnerable."

Asus is still marked as "No Known Official Response"
As are almost all major players :confused:
XII

Korth
Level 14
Wireless is always vulnerable. Encryption is always vulnerable. If you're feeling insecure then stick with wired connections.

The Wi-Fi Alliance along with their members which actually make Wi-Fi parts (Broadcom, Atheros, Qualcomm, etc.) are responsible for these sorts of fixes. They'll roll out to OEMs (like ASUS) once they're done.

WPA2 has been broken before, many times over the years. Mostly handled and fixed discreetly. Now and then, like today, it generates great alarm.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

xeromist
Moderator
Yup, found the entry here:
https://www.kb.cert.org/vuls/id/CHEU-AQNMXY

All is not lost as there's still a chance that ASUS has been working on rolling out patches but didn't have the call-centers ready to respond. Still, I agree it would be good to at least see an acknowledgement that ASUS is working on patches or has already rolled some out.

The good news is that most individuals aren't important enough to be targeted. This will be used disproportionately against corporate and gov wifi connections.

Also note that it's not just ASUS routers. This also can and should be patched on client devices which means ASUS tablets and phones. Luckily laptops and G desktops running Windows were probably already patched by Microsoft.
A bus station is where a bus stops. A train station is where a train stops. On my desk, I have a work station…

xeromist wrote:
Yup, found the entry here:
https://www.kb.cert.org/vuls/id/CHEU-AQNMXY

All is not lost as there's still a chance that ASUS has been working on rolling out patches but didn't have the call-centers ready to respond. Still, I agree it would be good to at least see an acknowledgement that ASUS is working on patches or has already rolled some out.

The good news is that most individuals aren't important enough to be targeted. This will be used disproportionately against corporate and gov wifi connections.

Also note that it's not just ASUS routers. This also can and should be patched on client devices which means ASUS tablets and phones. Luckily laptops and G desktops running Windows were probably already patched by Microsoft.


Microsoft patched Windows for this last Patch Tuesday (October 10), but did not announce that it was included.
https://www.windowscentral.com/microsoft-has-already-patched-krak-wpa2-wi-fi-vulnerability

I noticed that Intel released new drivers for many WiFi chips today where this is patched.
Sadly, my motherboard (Zenith Extreme) uses a WiFi chip from Qualcomm, so I must use Windows for now to be protected if I create a WiFi connection.

Korth
Level 14
I think attempts are always made to keep platform security vulnerabilities under the radar.

No need to panic/anger the masses who may lose confidence in your brand and who will almost certainly demand an instant fix for their insecurities. Drop everything else. Get it done RFN, most extremely urgent top priority. I bought your product so you OWE me. Don't want my Facebook hacked. As if the Powers That Be aren't already swamped by pressures from financial, corporate, and government institutions, they need a little prompting from Joe Consumer to actually put down their donuts and start working.

And no need to advertise technical details to greasy devs who might want to maliciously exploit them, or worse, escalate severity of the problem by dumping kiddy hacks all over the internet.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

Korth wrote:

And no need to advertise technical details to greasy devs who might want to maliciously exploit them, or worse, escalate severity of the problem by dumping kiddy hacks all over the internet.


i think the opposite is true.

want to get something done, expose it to the wide public to force a reaction.

equifax breach was caused because things were kept under wraps. scishow made a breakdown video that even a commoner like me could understand.

while, perhaps, wannacry reached a certain lethality because people tried to keep it under wraps, while third party security investigators kept trying to make it publicly known to little success.

either way (to keep it under wraps, **** still happens. to expose it to wide public, unscrupulous people would still take advantage and infect as many before it gets patched / contained), you're still screwed. the choice is a hard one. i'm still in favor of exposing it to public to force a quick response.
no siggy, saw stuff that made me sad.