cancel
Showing results for 
Search instead for 
Did you mean: 

KRACK exploit - WPA2 has vulnerabilities

arabesc
Level 7
What is the ASUS position on the KRACK exploit?
Are ASUS routers vulnerable to it? Are you going to provide fixes?
423 Views
16 REPLIES 16

Korth wrote:
I think attempts are always made to keep platform security vulnerabilities under the radar.


Not exactly. The whole point of coordinated disclosure is to make vulnerabilities public. It just does it in a "responsible" way that provides a reasonable opportunity for vendors to patch before disclosure. The fact that you don't see it on the evening news isn't due to any attempt to sweep it under the rug, just that the average person finds IT security boring. It doesn't sell advertisements unless it's particularly dramatic like Equifax. Even then it's dumbed down quite a bit.

And I guarantee that the current system isn't keeping any blackhats in the dark. Even once patches are available blackhats know that people won't patch. Exploits are often developed by reverse engineering patches. Obviously a zero-day is the holy grail but an existing vulnerability with low patch application isn't bad.
A bus station is where a bus stops. A train station is where a train stops. On my desk, I have a work station…

Korth
Level 14
@haihane -

Put out the spark by pouring gasoline on it ... counterintuitive but I agree it can sometimes prove highly effective at motivating results. The momentum of psychological imperative. Ready Fire Aim philosophy. I'm not entirely convinced it's a good approach for every situation, it carries a slight wafting whiff of anti-intellectualism, lol.

But I don't think it's an approach which would convince large organizations. They always resist relinquishing control to the dirty uneducated mob, lol. Got a security breach, don't call in the helicopters and dogs and searchlights ... instead call in something more subtle like Bond, James Bond.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

Korth wrote:
Put out the spark by pouring gasoline on it


That's not the only reason. There's an ongoing debate about the most responsible way to deal with vulnerabilities. There are many who believe the public has a right to know as soon as a vulnerability is discovered. That way people can adapt and avoid while a patch is developed. Imagine getting breached and then finding out the vendor knew but didn't warn you. That would be frustrating to say the least.

Immediate disclosure ignores nuance and human behavior though. It might work for something like a browser flaw that can be avoided by changing browsers but is impractical for something like an OS flaw where most people don't have the wherewithal to switch. And practically speaking people won't even change browsers because they are mostly unaware or just stubborn. So in an imperfect world full of security illiterates coordinated disclosure is probably as good as it gets.
A bus station is where a bus stops. A train station is where a train stops. On my desk, I have a work station…

Korth
Level 14
That seems like a controversial debate over ethics, freedoms, and censorship. Not technology, business, or security.

Coordinated disclosure does seem wise and necessary and productive. When disclosed to experts who are positioned to properly address things. Not when disclosed to windowscentral and androidcentral and macrumours, lol. Even freedom has its limits, your freedom usually ends where the other guy's freedom starts ... I'd personally feel more "secure" knowing that the people who "need to know" are able to know while the people who want to hack my network are kept in the dark, it just seems like the more sensible and responsible and actually *secure* approach to security.

The blackhats do outnumber the whitehats after all.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

DummyPLUG
Level 10
As my understanding it mainly affect client, except the CVE 2017-13082 (related to 802.11r) affect an AP, so if the router don't work as a client, or don't use 802.11r I think it will be safe.
Please correct me if I am wrong.

gqchicago
Level 7
KRACK has multiple CVE vulnerabilities associated with it. Patch everything, especially devices, access points, and notably android . The best article for overall information out there will be on krebsonsecurity.com ...this has some really good, well written information

https://krebsonsecurity.com/2017/10/what-you-should-know-about-the-krack-wifi-security-weakness/

This is from US CERT on KRACK

The following CVE IDs have been assigned to document these vulnerabilities in the WPA2 protocol:
CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it
CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame

All of these weaknesses will start showing up in devices. Anything with a nic and an ip address essentially using wifi could be vulnerable. The only way to really know comprehensively is run a vulnerability scan and see what pops up...download a free copy of nessus vulnerability scanning software. IOT devices, your tv, refrigerator, nest camera system, will end up being vulnerable to this too...and many will never get patched.

MasterC
Community Admin
Community Admin
arabesc wrote:
What is the ASUS position on the KRACK exploit?
Are ASUS routers vulnerable to it? Are you going to provide fixes?


Hi arabesc,

ASUS is aware of the recent WPA2 vulnerability issue. We take security and your privacy seriously, so we are working towards a solution as quickly as possible. In the meantime, we want to help clarify the severity of the potential threat, and let our valued customers know the appropriate steps to take in order to avoid being compromised.

Your devices are only vulnerable if an attacker is in physical proximity to your wireless network. We are co-working with chipset vendors and will release patched firmware for affected routers soon. Before new firmware is released, here are a few ways to stay safe:
(1) Only visit HTTPS websites.
(2) Keep your operating system and antivirus software up-to-date.
(3) When in doubt, be safe and use your cellular network or a wired connection (Ethernet) to access the internet.
_____________________________________________________________
FPS, Racing, and VR Gamer / Tech Enthusiast / ROG Admin