New WIFI WPA2 vulnerability -- modem updates coming?

Need Help?

That's what we're here for! The goal of the Rogers Community is to help you find answers on everything Rogers. Can't find what you're looking for? Just ask!
cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
I've Been Here Awhile
Posts: 3

Re: New WIFI WPA2 vulnerability -- modem updates coming?

If one wants to educate oneself, take at look at the following How To Geek and Wired articles.  HTG does give some immediate protection ideas -- while we wait for Roger's modem manufacturers to send clients patches.

...October HTG article...

...October Wired article (NB: the article has a rather shrill bias so keep that in mind)...

 

Just my 2 cents...

I've Been Here Awhile
Posts: 2

Re: New WIFI WPA2 vulnerability -- modem updates coming?

In response to Mahomed and Triple_Helix, yes. that's true, but their update/fix does not help with non windows devices such as linux, android, and smart home devices such as WEMO and NEST. Having a modem/wifi router fix will solve all home intranet concerns.

 

P.S. don't really like the reply configuration of this forum. If one replies to an entry it just gets appended to the end of the list without reference to the original post: very awkward. Also, no way to delete an entry, so sorry for the empty post. It was the only way to avoid a double post. 

I Plan to Stick Around
Posts: 124

Re: New WIFI WPA2 vulnerability -- modem updates coming?

To clear up any confusion if an Access point or gateway is operating in standard AP mode (which all rogers gateways do) then there is no risk to the gateway itself. If the AP is acting has a client bridge, repeater, in a mesh or includes 802.11r (fast roaming used in enterprise deployments) then the device should be patched as it is acting as a client in that case.

 

This attack is targeted at the client device and patching the router/access point will do nothing to prevent the attack from happening if the client device (windows/mac/linux/androi/IOS, and all smart tvs/smart home devices etc etc) has not been patched. The hacker would need to be within range of the Access point or router you are connecting to to initiate the attack and potentially read your data stream or inject malware. Using HTTPS Sites only would add an extra layer of protection but that can be broken as well. Browse safe while on any Wi-Fi until you know your Client device has been patched. Do online banking, online ordering etc on wired connections if possible.

 

Here is a large list of vendors and their current patch status. Looks like Android devices will need to wait until at least November and beyond and many android devices will never get patched due to lack of vendor support after 2 years.

 

https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vu...

I'm Here A Lot
Posts: 6

Re: New WIFI WPA2 vulnerability -- modem updates coming?

 I wonder what/if and when Rogers does the work on their routers to patch for this? 

 

 Can the router have a patch installed regarding this issue without changes to the device as well?   Does the fact the device doesn't have a patch yet defeat upgrading the router software? I have a bunch of stuff including Rokus, cameras,  thermostats you got wonder about them being patched by the vendors in a timely manner.

 

 I see on their (Krack hack)  website with many apps they tested that used encryption  the data could be decrypted as a result of this hack.  Scary stuff this one.

I'm Here A Lot
Posts: 6

Re: New WIFI WPA2 vulnerability -- modem updates coming?

 

 Sorry I asked some questions already answered here in my previous post,  didn't see those answers.  Don't like the way this website adds new posts here.

Highlighted
I Plan to Stick Around
Posts: 33

Re: New WIFI WPA2 vulnerability -- modem updates coming?

Is there a firmware update available for this vulnerability yet? If so what version should we be running, and if not when will one be available?

I'm a Senior Advisor
Posts: 2,139

Re: New WIFI WPA2 vulnerability -- modem updates coming?

@User1030445

 

To you and all the others who have provided some clarity on this security risk and brought it to the forefront, it is greatly appreciated.  I had heard about it in the news a while back, but it seemed to disappear.

 

Hopefully Rogers with Hitron and Intel will get the version upgrades to deal with this issue out ASAP.  It is also good to know what devices are covered at this time.

 

My concern will be the devices (i.e., Android and BB10 devices and others that are not in support anymore).  I have two Android LG phones on version 6, and there is no indication that they will be upgraded to 7 even, and I wonder how the security fixes will make it to these devices.  I would hope that Android will find some way to put them out as  hot fix we can download and run.  My BB Q5's, now that is a different story, BB provides no support for 10 at all, only to the Android versions through Android, them and via carriers.

 

And one last comment, your concern at how difficult it is to follow responses in these threads, because they don't have a subthread model with your reply ending somewhere at the bottom, could be a long way from the original post.

The only way around it is to tag the person, to quote them, or link their post, which is not intuitive as no other board I am involved in does this.  This has been raised many times, and you are not the first to raise your concern.

 

Bruce

I'm a Senior Advisor
Posts: 2,139

Re: New WIFI WPA2 vulnerability -- modem updates coming?

Forbes https://www.forbes.com/sites/thomasbrewster/2017/10/16/krack-attack-breaks-wifi-encryption/#151517ab... has just put out a full description on the KRACK vulnerability, as well, Rogers now has a notice with FAQ at the top of MyRogers.

 

In the Forbes article, they do mention that there may be delays in getting fixes out and that Intel at this time only has an announcement, no current fixes to push out, so that will impact our modems until they do.

 

The recommendation on Forbes is that at the end of the day, there may be devices that remain unsecure to the vulnerability, and the current best recommended solutions is as follows:

 

"For those users whose routers, PCs and smartphones don't yet have updates, there are some measures they can take to protect their online privacy. A Virtual Private Network (VPN) software could protect them, as it will encrypt all traffic. Only using HTTPS encrypted websites should also benefit the user, though there are exploits that can remove those protections. Changing the Wi-Fi password won't prevent attacks, but it's advisable once the router has been updated."

 

I am unsure how this would be implemented and it is not described - would guess a VPN setup on your device, or a hardware device inbetween, encrypting all traffic so there is no risk of open unencrypted text, even if they do manage to use this hack.

 

It actually isn't a bad idea to have a VPN in place - I have for years, ever since I was working in a health care setting where all traffic was managed by hardware VPN's and software on the device side.  I would see this as the next move in the same way when antivirus and fire walls first came in, there was a very slow implementation and now it would be irresponsible to operate without one.

 

The article also stated that they are testing and publishing the reality that there are easier ways to implement the KRACK.

 

"Vanhoef is promising more too. Though he admitted some of the KRACK attacks would be difficult to carry out, he's to release more information on how to make them significantly easier to execute, especially for Apple's macOS and the OpenBSD operating system."

 

Glad people like this out there are working hard to test and inform us of these risks.  He kept it on the low communication side to the industry, in July but got little response to his notice, so he took it to the International standards association, who then immediately immediately for the industry to respond.

 

I am sure we will keep hearing more soon, but they are at least providing us with temporary solutions and the reality that some devices may never get patched.  

 

Search software VPN if you want to learn more on that solution.

 

Bruce

Network Architect
Network Architect
Posts: 611

Re: New WIFI WPA2 vulnerability -- modem updates coming?

Community,

 

Earlier this week, I promised some updates and here we are. As soon as this vulnerability got disclosed, Rogers started working with third party suppliers to assess the situation and ensure that our customers are protected.

 

First and foremost, some background information. The exploit is called KRACK for Key Reinstallation Attack. This exploit is comprised of 10 vulnerabilities. The first set of vulnerabilities allows the reinstallation of a pairwise transient key (PTK), a group key or an integrity key. A transient key is unique for each client and each session on the WiFi network. It is not the pre-shared key (a.k.a the WiFi password).

 

The second set of vulnerabilities, still under evaluation can affect devices supporting Wireless Network Management (802.11v) extensions.

 

Theoretically, reinstalling a key could allow an attacker to decrypt transmission between a client device and a WiFi access point but it does require the attacker to do within reach of your WiFi network. It is not a vulnerability that can be exploited remotely through the Internet for example.

 

What’s next:

We are currently assessing every single WiFi device in use at Rogers and applying the necessary corrections as they become available. What this means for us is that we are discussing with most third party suppliers and pushing upgrades as necessary. In parallel, we are conducting internal vulnerability assessments on the devices used by our clients to ensure that we reach the same conclusion.

 

Since the vulnerability exist in a process call the 4-way handshake (between the client and access point), it is important to ensure that both sides are patched. This means that you should ensure to apply all the available security fixes from Microsoft, Apple, Google, etc. on computers, tablets and smartphones. Keep an eye open for updates available on other connected devices (thermostat, TV, fridges…).

 

As for Rogers gateways, the assessment showed that none of the following gateways are impacted at the moment as none of them have 802.11r (Fast BSS Transition) enabled.

 

List of NOT IMPACTED Rogers gateways (updated October 20, 2017 – 10AM)

  • Cisco/Technicolor DPC3825
  • Hitron CGN2
  • Hitron CGN3ROG
  • Hitron CGN3ACR
  • Hitron CGN3ACSMR
  • Hitron CGN3AMR
  • Hitron CGN3AMF
  • Hitron CGNM3552
  • Hitron CODA-4582
  • Hitron CODA-4582U

 

Finally, although the vulnerability does not expose the actual WiFi password, it is a good practice to use a strong WiFi password and to change it periodically.

 

--Dave

I'm Here A Lot
Posts: 8

Re: New WIFI WPA2 vulnerability -- modem updates coming?

Hi RogersDave,

 

Could you comment on whether these older gateways are impacted and should be replaced?

 

Cisco DPC2325

SMC D3GN

SMC 8014WG

SMC 8014WN