Today, a widespread vulnerability in the WIFI WPA2 protocol was disclosed by researchers, see:
Will the devices offered by Rogers (I'm most concerned about the Hitron CODA-4582 used for Gigabit Internet) have updated firmware pushed soon, to fix things?
From what I see, the fix is from the OS side and not the hardware directly. The windows OS has been fixed according to this link:
Considering that the modem does all the wpa2 work and therefore has this issue, what has Windows got to do with it? We need new firmware for every model that Rogers supports in order to fix this problem, as well as you updating every downstream wifi device that you own.
The vulnerability is in the firmware of devices with a certain version of Infineon BIOS, and these need to be patched with an update from the hardware vendor. Windows included a patch in the October updates which changes how Windows handles the handshake for Wi-Fi. Both are needed. In Enterprise we have been able to patch around 75% of devices with firmware updates. Still waiting on the rest to step up to the plate . . .
If one wants to educate oneself, take a look at the following How To Geek and Wired articles. HTG does give some immediate protection ideas -- while we wait for Rogers' modem manufacturers to send clients patches.
Just my 2 cents...
In response to Mahomed and Triple_Helix: yes, that's true, but their update/fix does not help with non-Windows devices such as Linux, Android, and smart home devices such as WEMO and NEST. Having a modem/wifi router fix will solve all home intranet concerns.
P.S. don't really like the reply configuration of this forum. If one replies to an entry it just gets appended to the end of the list without reference to the original post: very awkward. Also, no way to delete an entry, so sorry for the empty post. It was the only way to avoid a double post.
To clear up any confusion: if an access point or gateway is operating in standard AP mode (which all Rogers gateways do), then there is no risk to the gateway itself. If the AP is acting as a client bridge, repeater, in a mesh or includes 802.11r (fast roaming used in enterprise deployments), then the device should be patched, as it is acting as a client in that case.
This attack is targeted at the client device, and patching the router/access point will do nothing to prevent the attack from happening if the client device (Windows/Mac/Linux/Android/iOS, and all smart TVs/smart home devices, etc.) has not been patched. The hacker would need to be within range of the access point or router you are connecting to in order to initiate the attack and potentially read your data stream or inject malware. Using HTTPS sites only would add an extra layer of protection, but that can be broken as well. Browse safe while on any Wi-Fi until you know your client device has been patched. Do online banking, online ordering, etc. on wired connections if possible.
Here is a large list of vendors and their current patch status. Looks like Android devices will need to wait until at least November and beyond and many android devices will never get patched due to lack of vendor support after 2 years.
I wonder what/if and when Rogers does the work on their routers to patch for this?
Can the router have a patch installed regarding this issue without changes to the device as well? Does the fact the device doesn't have a patch yet defeat upgrading the router software? I have a bunch of stuff including Rokus, cameras, thermostats; you've got to wonder about them being patched by the vendors in a timely manner.
I see on their (Krack hack) website with many apps they tested that used encryption the data could be decrypted as a result of this hack. Scary stuff this one.
To you and all the others who have provided some clarity on this security risk and brought it to the forefront, it is greatly appreciated. I had heard about it in the news a while back, but it seemed to disappear.
Hopefully Rogers with Hitron and Intel will get the version upgrades to deal with this issue out ASAP. It is also good to know what devices are covered at this time.
My concern will be the devices (i.e., Android and BB10 devices and others that are not in support anymore). I have two Android LG phones on version 6, and there is no indication that they will be upgraded to 7 even, and I wonder how the security fixes will make it to these devices. I would hope that Android will find some way to put them out as a hot fix we can download and run. My BB Q5's, now that is a different story, BB provides no support for 10 at all, only to the Android versions through Android, them and via carriers.
And one last comment, your concern at how difficult it is to follow responses in these threads, because they don't have a subthread model with your reply ending somewhere at the bottom, could be a long way from the original post.
The only way around it is to tag the person, to quote them, or link their post, which is not intuitive as no other board I am involved in does this. This has been raised many times, and you are not the first to raise your concern.
Forbes https://www.forbes.com/sites/thomasbrewster/2017/10/16/krack-attack-breaks-wifi-encryption/#151517ab... has just put out a full description on the KRACK vulnerability, as well, Rogers now has a notice with FAQ at the top of MyRogers.
In the Forbes article, they do mention that there may be delays in getting fixes out and that Intel at this time only has an announcement, no current fixes to push out, so that will impact our modems until they do.
The recommendation on Forbes is that at the end of the day, there may be devices that remain unsecure to the vulnerability, and the current best recommended solution is as follows:
"For those users whose routers, PCs and smartphones don't yet have updates, there are some measures they can take to protect their online privacy. A Virtual Private Network (VPN) software could protect them, as it will encrypt all traffic. Only using HTTPS encrypted websites should also benefit the user, though there are exploits that can remove those protections. Changing the Wi-Fi password won't prevent attacks, but it's advisable once the router has been updated."
I am unsure how this would be implemented and it is not described - would guess a VPN setup on your device, or a hardware device in between, encrypting all traffic so there is no risk of open unencrypted text, even if they do manage to use this hack.
It actually isn't a bad idea to have a VPN in place - I have for years, ever since I was working in a health care setting where all traffic was managed by hardware VPNs and software on the device side. I would see this as the next move in the same way when antivirus and firewalls first came in, there was a very slow implementation and now it would be irresponsible to operate without one.
The article also stated that they are testing and publishing the reality that there are easier ways to implement the KRACK.
"Vanhoef is promising more too. Though he admitted some of the KRACK attacks would be difficult to carry out, he's to release more information on how to make them significantly easier to execute, especially for Apple's macOS and the OpenBSD operating system."
Glad people like this out there are working hard to test and inform us of these risks. He kept it on the low communication side to the industry in July, but got little response to his notice, so he took it to the International standards association, who then immediately for the industry to respond.
I am sure we will keep hearing more soon, but they are at least providing us with temporary solutions and the reality that some devices may never get patched.
Search software VPN if you want to learn more on that solution.
Earlier this week, I promised some updates and here we are. As soon as this vulnerability got disclosed, Rogers started working with third party suppliers to assess the situation and ensure that our customers are protected.
First and foremost, some background information. The exploit is called KRACK for Key Reinstallation Attack. This exploit is comprised of 10 vulnerabilities. The first set of vulnerabilities allows the reinstallation of a pairwise transient key (PTK), a group key or an integrity key. A transient key is unique for each client and each session on the WiFi network. It is not the pre-shared key (a.k.a. the WiFi password).
The second set of vulnerabilities, still under evaluation, can affect devices supporting Wireless Network Management (802.11v) extensions.
Theoretically, reinstalling a key could allow an attacker to decrypt transmission between a client device and a WiFi access point, but it does require the attacker to be within reach of your WiFi network. It is not a vulnerability that can be exploited remotely through the Internet, for example.
We are currently assessing every single WiFi device in use at Rogers and applying the necessary corrections as they become available. What this means for us is that we are discussing with most third party suppliers and pushing upgrades as necessary. In parallel, we are conducting internal vulnerability assessments on the devices used by our clients to ensure that we reach the same conclusion.
Since the vulnerability exists in a process called the 4-way handshake (between the client and access point), it is important to ensure that both sides are patched. This means that you should ensure to apply all the available security fixes from Microsoft, Apple, Google, etc. on computers, tablets and smartphones. Keep an eye open for updates available on other connected devices (thermostat, TV, fridges…).
As for Rogers gateways, the assessment showed that none of the following gateways are impacted at the moment as none of them have 802.11r (Fast BSS Transition) enabled.
List of NOT IMPACTED Rogers gateways (updated October 20, 2017 – 10AM)
Finally, although the vulnerability does not expose the actual WiFi password, it is a good practice to use a strong WiFi password and to change it periodically.
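Several posts above turn on whether a gateway has 802.11r (Fast BSS Transition) enabled. As an added example, not part of the original thread and not Rogers' tooling: an access point that offers 802.11r lists an FT key-management suite in the RSN element of its beacons, and the Python sketch below parses that element to check. The function names are hypothetical and the two sample byte strings are constructed for illustration.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
# AKM suite types defined by IEEE 802.11 under OUI 00-0F-AC.
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

def parse_rsn_akms(ie):
    """Return the AKM suite names listed in one RSN element (element ID 48)."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN element")
    off = 2 + 4                       # skip version and group cipher suite
    if off + 2 > len(body):           # fields after the version are optional
        return []
    (n_pairwise,) = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pairwise         # skip the pairwise cipher suite list
    if off + 2 > len(body):
        return []
    (n_akm,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * n_akm > len(body):
        raise ValueError("AKM list runs past the end of the element")
    names = []
    for i in range(n_akm):
        suite = body[off + 4 * i: off + 4 * i + 4]
        if suite[:3] == IEEE_OUI:
            names.append(AKM_NAMES.get(suite[3], "unknown-%d" % suite[3]))
        else:
            names.append("vendor-" + suite.hex())
    return names

def advertises_ft(ie):
    """True if any advertised AKM is a Fast BSS Transition (802.11r) suite."""
    return any(name.startswith("FT-") for name in parse_rsn_akms(ie))

# Constructed sample elements: version 1, CCMP group and pairwise ciphers.
_HEAD = "0100" "000fac04" "0100" "000fac04"
PSK_ONLY = bytes.fromhex("3014" + _HEAD + "0100" "000fac02" "0000")
PSK_AND_FT = bytes.fromhex("3018" + _HEAD + "0200" "000fac02" "000fac04" "0000")

if __name__ == "__main__":
    for label, ie in (("PSK only", PSK_ONLY), ("PSK + FT-PSK", PSK_AND_FT)):
        print(label, parse_rsn_akms(ie), "802.11r:", advertises_ft(ie))
```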