Security Advisory: KRACK WPA2 Vulnerability (VU#228519)


#1

On October 16th, 2017, an industry-wide vulnerability (VU#228519) in WPA/WPA2, codenamed KRACK, was made public. We have evaluated our products and online services to assess the impact of this vulnerability.

Affected Features:

  • Wi-Fi AP functionality is NOT affected by this vulnerability.
  • Wi-Fi WAN (also known as Wi-Fi as WAN or Wi-Fi client) functionality is affected.

Affected Models:
In general, our products which support “Wi-Fi WAN” functionality are affected, including:

  • MAX: 700, OTG, BR1, BR1 Mini, BR1 Slim, BR1 Pro, HD2, HD4, Hotspot, Transit
  • MediaFast: HD2, HD4
  • Surf: SOHO, On-The-Go
  • Device Connector series

Workaround:
You may disable the Wi-Fi WAN feature to temporarily eliminate the vulnerability.

Permanent Resolution:

  1. We are developing firmware to address the vulnerability.
  2. Release 7.0.3 for MAX and SOHO (only to those models that have Wi-Fi WAN)
  3. Release 6.3.5 for previous generation of MAX and SOHO, which can only support Firmware 6.x series
  4. Release 1.1.1 for Device Connector Rugged
  5. Release 1.0.30 for Surf On-The-Go

ETA for the firmware releases is within two weeks.

References:
Official Vulnerability Note on VU#228519 at CERT: http://www.kb.cert.org/vuls/id/228519

Updates:
Oct 19 - added clarification for client mode operation
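
One way to apply the workaround and fixed-release list above to a device inventory, as an added example that is not part of the original advisory or the vendor's own code. The record schema, product-line labels and sample devices are assumptions constructed for illustration; versions are compared numerically, so 1.0.9 sorts below 1.0.30 and a 6.x device on 6.3.5 counts as patched.

```python
import re

# First fixed release per product line and firmware major branch, as listed
# under "Permanent Resolution". Line labels are this example's own naming.
FIXED = {
    "MAX": {7: (7, 0, 3), 6: (6, 3, 5)},
    "SOHO": {7: (7, 0, 3), 6: (6, 3, 5)},
    "Device Connector Rugged": {1: (1, 1, 1)},
    "Surf On-The-Go": {1: (1, 0, 30)},
}

def parse_version(text):
    """'6.3.5' or '6.3.5 build 1234' -> (6, 3, 5), for numeric comparison."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(device):
    """wifi_wan: None = model has no Wi-Fi WAN, True/False = enabled/disabled."""
    if device["wifi_wan"] is None:
        return "not_affected"            # AP-only operation
    version = parse_version(device["firmware"])
    fixed = FIXED.get(device["line"], {}).get(version[0])
    if fixed is not None and version >= fixed:
        return "patched"
    if device["wifi_wan"] is False:
        return "mitigated_unpatched"     # workaround applied, upgrade still due
    # Lines or branches the advisory does not name are reported, not guessed.
    return "vulnerable" if fixed else "affected_no_fix_listed"

# Constructed sample inventory (hypothetical names and versions).
INVENTORY = [
    {"name": "bus-01", "line": "MAX", "firmware": "7.0.2", "wifi_wan": True},
    {"name": "bus-02", "line": "MAX", "firmware": "6.3.5", "wifi_wan": True},
    {"name": "kiosk-01", "line": "SOHO", "firmware": "6.3.4", "wifi_wan": False},
    {"name": "travel-01", "line": "Surf On-The-Go", "firmware": "1.0.9", "wifi_wan": True},
    {"name": "travel-02", "line": "Surf On-The-Go", "firmware": "1.0.30 build 1", "wifi_wan": True},
    {"name": "lobby-ap", "line": "AP One AC Mini", "firmware": "3.5.4", "wifi_wan": None},
    {"name": "media-01", "line": "MediaFast", "firmware": "7.0.3", "wifi_wan": True},
]

def report(inventory=INVENTORY):
    return {d["name"]: triage(d) for d in inventory}
```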


#3

Good work with your security information and updates.
A hardware competitor has just emailed me this morning with their DNSMasq response, over a week later than Peplink’s!


#4

So out of curiosity, are the APs not affected because of already in-place custom code by Peplink, or something like this? My understanding is that the vulnerability is pretty much industry-wide.


#5

I don’t know what Wifi Wan function is.
So just to confirm: if you are using AC Mini as APs connected to an internet router, you are protected?


#6

Some Pepwave products can use a separate Wi-Fi network as a WAN/Internet connection. Useful when traveling, such as in a hotel, for example.


#7

@kgarvey We are not affected on the AP side because we are not enabling 802.11r, in which the vulnerability was discovered. When we support that, we’ll ensure the fixes are in.


#8

Ah, makes sense. Thank you!


#9

I was hacked over bluetooth/wifi over a year ago, when lots of horrible things were happening in security around December. I have a copy of the scripts used that I was able to capture on USB by sheer luck. Total compromise, ironically the only thing protecting me from losing all my personal accounts was that I never stored passwords or used any of the tools I was supposed to trust for security. I no longer use bluetooth or Wifi unless absolutely necessary. I’m waiting for the backdoor to Windows’ update, the whole shared download experience, not for me.


#10

So one might travel with an AC Mini, power it up in a hotel room and connect that AC Mini to the hotel’s Wi-Fi.
Giving your Hotel room hopefully a better experience. I think I have got you. Cheers


#11

Hi Evan,

The AP One AC Mini does not support the WiFi as WAN functionality.
@Keith already made an overview of the products that do support WiFi as WAN in the original post:

  • MAX: 700, OTG, BR1, BR1 Mini, BR1 Slim, BR1 Pro, HD2, HD2 IP67, HD4, Hotspot, Transit
  • MediaFast: HD2, HD4
  • Surf: SOHO, On-The-Go
  • Device Connector series

WiFi as WAN is basically connecting to an existing WiFi hotspot (public or private) and using it as a WAN connection, just like you would use an existing wired WAN connection.
Some other applications of WiFi as WAN could be a yacht/ship connecting to a WiFi hotspot in a port/harbor, or a touringcar connecting to the WiFi hotspot in their own car park.


#12

Hi, this reply is simply inaccurate, there were 10 vulnerabilities that were discovered of which one was in 802.11r - that leaves 9 remaining potentially!

Thanks Tereza


#13

The r in 802.11r stands for repeater I believe and of course if you are repeating with another wi-fi network you will be vulnerable as it is, but the other 9 vulnerabilities remain and work at all levels in the 4-way handshake by replacing one of the ciphers, unless your system has been specifically patched to prevent this and not allow a cipher key to be used again, then your wi-fi connection (between the Peplink AP and unpatched client) is susceptible to cipher change. I work in IT security and have just over 30 years' experience in a wide range of systems. Right now I am unconvinced that you have grasped the extent of these vulnerabilities (unless of course you already patched them prior to the public release of this vulnerability, which would be reassuring). Thanks Tereza


#14

Hi Terezar

May I quote from the Krackattacks.com site:
“Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.”

We have already confirmed that our WPA2 AP implementation is not vulnerable to any part of the KRACK attack vulnerabilities. WIFI as WAN acts as a client and our client implementation is vulnerable to these attack vectors as already confirmed by Keith in another post.

thanks
James


#15

It actually stands for (fast) roaming. As it is not enabled in our AP software, none of them are affected.


#17

Firmware fix is now posted.

