KRACKATTACKS Major Wireless Security Issues - Your advisory is unclear and possibly flawed


#1

Hi,

As I’m sure you’re aware there are 10 major security vulnerabilities that have been found in WPA2 encryption (all versions) allowing a hacker within range of your wireless to intercept and see traffic very easily. I appreciate they predominantly target client side equipment (especially Android and Linux devices), and all Wireless clients need patching immediately, but equally routers/WAPs also need to be patched, as so long as one side is ‘secure’ the attack vector will fail.

https://www.krackattacks.com/

Does the current firmware for the Peplinks resolve these issues and secure your equipment, and if not, when are they going to be patched? It’s a pretty serious state of affairs.

Thanks


#2

Hi Terezar,
The basic overview is that the current firmware is vulnerable if using WiFi as a WAN, but the WiFi AP of the Peplink devices is unaffected. Here is Peplink’s announcement with more in-depth information.


#3

O.K. it’s a nice statement, but I fail to see the difference between wi-fi WAN and wi-fi LAN, both use WPA/WPA2 to connect to clients, the only difference is that one puts you straight out on the web and the other aligns you with the LAN (and the web). I’m not saying their release is inaccurate, but as security is my paramount concern (and also my job), I’d appreciate some explanation as to how these two Wi-Fi protocols differ.

The WPA hack replaces encrypted keys on the 4 way handshake, this is a wireless issue at a deep level and would not (from what I can see) affect whether that wireless network reports to a WAN or a LAN! Please can you raise and advise with Peplink. Thanks


#4

Also, read another way:

“Wi-Fi AP functionality” is not affected could simply mean that the AP (access point) will still work and is not affected by this vulnerability in terms of its operation, but:
“Wi-Fi WAN functionality” in other words anything you do once connected to the Access point is!! :slight_smile: :slight_smile:


#5

Jeez, thanks for starting yet another thread on this topic. :upside_down_face:


#6

No worries. You suspect (and I know) that Peplink devices are currently vulnerable to this issue like the majority of other (but by no means all) Firewall manufacturers, most are scrabbling to fix and prevent cypher key repeating/transposition.

What I really wanted from Pepwave was a simple acknowledgment that they were (like most others) affected and that they were in the process of delivering firmware updates for all their devices by (say) the end of October, which is what one of your competitors, Watchguard, have stated and I’m confident will deliver.

These vulnerabilities are particularly bad in Linux based operating systems of which ALL the Pepwave family use, as such they are not just vulnerable in their current state, but very insecure.

Can you get an update from them as they seem to use these forums as a way of delegating responsibility for their issues to others, instead of properly engaging with their Customers.

Thanks

Tereza


#7

It may be because it’s a Thursday and it’s been a busy week so I’m tired and lacking patience, or maybe I have completely misunderstood this vulnerability and you’re 100% in the right to be pounding away at this issue with multiple posts on it and near abusive comments aimed at the Peplink engineering team, but this issue seems to have been answered already?

The Key Reinstallation Attack AKA KRACKATTACK targets WiFi clients NOT Access Points (unless that access point also itself acts as client in some way - i.e. as a WiFi repeater).

Peplink’s response to this vulnerability has been quite clear. The devices that are affected are those that use WiFi as WAN functionality (i.e. those that act in the role of a WiFi client). Their guidance to disable WiFi WAN as a workaround seems valid to me.

On the https://www.krackattacks.com/ page you link to, in the FAQs section, is a paragraph that says the following (I have highlighted pertinent parts in bold):

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

As you can see, it also recommends disabling client functionality as a way to mitigate the issue, as per the response from Peplink.

I don’t see what your issue is on Peplink’s response. If I have missed something please advise what that is.


#8

Hi Terezar

May I quote from the Krackattacks.com site:
“Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.”

We have already confirmed that our WPA2 AP implementation is not vulnerable to any part of the KRACK attack vulnerabilities. WIFI as WAN acts as a client and our client implementation is vulnerable to these attack vectors as already confirmed by Kieth in another post.

thanks
James


#9

What we have here, is a failure to communicate. Seriously. The announcement was written by an expert using terminology that confused a non technical person.

@Terezar: wi-fi LAN refers to normal wifi, a network created by a Peplink router. Wifi WAN is short for “wifi as wan” which refers to a feature of the Surf SOHO. Did you read the manual? The Surf SOHO can get online using three different technologies: ethernet, 4g/LTE via USB antenna, and someone else’s WiFi network. Wi-Fi as WAN refers to using someone else’s WiFi network.

If you purchased your Peplink device from 3G Store, they offer technical support and should be better at communicating with non technical people. Don’t know about other re-sellers.

We are fortunate on this forum to be able to interact with network experts, but experts have their own lingo. Knowing the lingo is the price of admission. Experts in all fields have their own lingo. An online forum for doctors, for example, would be obtuse to normal folks. Often experts are terrible at explaining things, because they deal with other experts all the time and thus come to assume a base of knowledge that non-experts do not have.


#10

Thanks for everyone’s clarifications and I appreciate @terezar’s persistence. This vulnerability is important and getting lots of attention.

Thanks to @Michael234’s comment too. We will be more sensitive to the use of language to communicate such technical information in the future to avoid confusion as much as we can.

We did acknowledge that some of our products are affected, and that we are in the process of working on firmware updates. But just to clarify again, the vulnerability is only affecting selected products which have WiFi client (also known as WiFi WAN or WiFi as WAN) capability.

A WiFi client is a WiFi device working in client mode.

Typically, a WiFi device can work in either client mode or AP mode. Your home WiFi router is working in AP mode while your phones, tablets, laptops work in client mode. Hope this helps.
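
Added example, not part of the thread and not Peplink code: the client-mode versus AP-mode distinction discussed above, turned into an audit that classifies each radio by role and checks an AP's configuration for 802.11r. It assumes a generic Linux host where `iw dev` output and hostapd configuration are available; the sample text, interface names and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample of `iw dev` output (not captured from a real device).
SAMPLE_IW_DEV = """\
phy#1
	Interface wlan1
		type managed
phy#0
	Interface wlan0
		type AP
"""

# Constructed hostapd.conf text, keyed by AP interface name.
SAMPLE_HOSTAPD = {
    "wlan0": "interface=wlan0\nwpa=2\nwpa_key_mgmt=WPA-PSK FT-PSK\n",
}

def parse_iw_dev(text):
    """Return {interface: type} from `iw dev` output."""
    roles, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*type\s+(.+?)\s*$", line)
        if m and current:
            roles[current] = m.group(1)
    return roles

def uses_fast_roaming(hostapd_conf):
    """True if wpa_key_mgmt lists any FT-* (802.11r) key management suite."""
    for line in hostapd_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "wpa_key_mgmt":
            return any(s.startswith("FT-") for s in value.split())
    return False

def audit(iw_text, hostapd_confs):
    """Map each interface to a finding based on its role."""
    findings = {}
    for iface, role in parse_iw_dev(iw_text).items():
        if role == "managed":  # client role, e.g. WiFi as WAN or repeater uplink
            findings[iface] = "client mode: patch the client side or disable it"
        elif role == "AP" and uses_fast_roaming(hostapd_confs.get(iface, "")):
            findings[iface] = "AP with 802.11r: patch or disable fast roaming"
        elif role == "AP":
            findings[iface] = "AP only: not the target of the 4-way handshake attack"
        else:
            findings[iface] = "other role: " + role
    return findings
```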