17-10-2017 10:03 AM last edited 19-10-2017 03:44 PM by MikeHales
What is the plan for upgrading the firmware on provided access points following the disclosed vulnerability in WPA2?
Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse
17-10-2017 10:40 AM
I note these two comments in the paper. So it is more the end devices that need updating and that your password is safe at least.
"Note that our attacks do not recover the password of the Wi-Fi network."
"Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients."
17-10-2017 11:03 AM
Yes, but a patch on the actual access point will completely solve the issue. Many Wi-Fi router vendors have already provided a patch for this actual bug. So my main question is: what is Vodafone going to do about this? Are they going to supply a patch for the routers they provide to customers?
17-10-2017 11:05 AM
This is Spark's actual current status on the matter:
"Spark has become aware overnight of a global security vulnerability that has the potential to put all Wi-Fi networks, and the devices that access those networks, at risk of being compromised.
We are not aware of any Spark customers who have been compromised by the vulnerability to date.
The Krack vulnerability, which was identified by a security researcher overseas, potentially allows a hacker to eavesdrop on Wi-Fi traffic. The hacker would need to be within Wi-Fi range and would not be able to access encrypted traffic (e.g. most banking websites and some other applications).
Spark is liaising with device manufacturers as a matter of urgency to understand when they will have patches available for their devices and the process for installing those patches on devices. This includes manufacturers of Wi-Fi access points (e.g. modems) as well as all end devices that connect to Wi-Fi networks (e.g. phones, tablets, PCs and laptops, other Wi-Fi enabled devices).
Spark's own Wi-Fi phone box network remains operational. However, we advise customers to take care, as always, when using any public Wi-Fi network.
Spark will advise customers of any further actions they need to take with respect to their devices or modems as soon as more information is available from the device manufacturers."
I'd expect Vodafone to undertake similar action and inform their customers.
19-10-2017 01:24 PM
While somewhat 'unlikely to occur', businesses many of us communicate with via WiFi somewhere in the loop can reasonably be concerned with KRACK exploits. I'd like to think that 'home' WiFi routers are seen as important given the amount of home office work many of us survive by. Can we be assured that the vulnerability is either 'covered' or being looked into with some sense of urgency? Vodafone has extensive international technical resource to call upon. Formal communication to customers could be a good way of alleviating unnecessary criticism.
19-10-2017 03:42 PM
Quick update on this one.
We have received the following update from both Technicolor and Huawei on the KRACK vulnerability for these devices:
These devices are not susceptible to the KRACK WPA Wi-Fi vulnerability and no firmware update is required on these devices for this issue.