WPA2 Protocol Has Massive Hole

So this is apparently a huge disclosure coming. It sounds like it could be patched, but the problem is that some manufacturers might not update older models, and even if they did, how many average consumers know to update their routers?

How are cable routers patched? I’ve never paid any attention to my FiOS router. Are they patched on their end and pushed down?

At work we got a message from IT about this this morning, saying they’d be rolling out firmware updates urgently, so presumably patches are already out there for at least some enterprise devices.

For many vendors. I’m assuming service-provider gear (cable modems and DSL modems that double as access points) will be later down the list. The same for home ethernet routers.

More reading suggests this may include client updates for all platforms as well. Be aware of that with regard to critical security patches presented on your devices.

Windows, MacOS, Linux, and iOS clients will be updated quite quickly. Android unfortunately is often left unpatched forever.

The real problem is that the APs need to be patched also. They don’t auto-update. Most people never, ever, log in to their routers. Those will remain vulnerable forever.

How exactly does it work with a patched AP and a mix of patched and unpatched clients? Is the communication with the patched devices secure and with the unpatched devices unsecure?

I haven’t played with it myself yet, but it looks like if either side is unpatched you should be able to force it to renegotiate a key.

I always use VPNs on non-home wifi anyway. Not to pat myself on my own back. But that’s what Ima doin’.

I’m glad I saw this thread, I didn’t know about any of this until this morning. I put in a TAC case with Cisco; we have 3 controllers and 75 access points that need to be upgraded here at work, and I’ll need to upgrade the Netgear at home I assume as well. What a cluster fuck.

Cisco doesn’t even have an update for this yet, the tech is going to call me back later this morning with an update.

That’s surprising. It was responsibly disclosed in late August.

The proof of concept released attacks clients, and they say updating clients should be your priority. Of course many wifi APs have client modes too, used to bridge or extend networks. They don’t outright state that APs need patches for AP-mode, but they don’t say they don’t either.

That’s Cisco for you, right at the bleeding edge of their field! Or at least mostly right behind the guys that are at the bleeding edge of their fields, well until they acquire them to get back in front again…

Well like I said, it’s unclear if anything needs to be changed at the AP side of the connection, because the attack is in faking retransmission of part of the handshake to the client. If your router supports client-mode you do definitely need to patch it, and there may be mitigations that can be done on the AP side for unpatched clients.

MS says they already patched all supported versions of Windows.

Yeah I guess the real story here is

  • zillions of rando home router brands
  • zillions of ancient Android handsets that will never be updated

Everything else gets updated reasonably regularly?

I’m disappointed that Apple hasn’t pushed a patch for this yet, it’s only in beta apparently. Kudos to Microsoft for having it out before today.

You forgot the zillions of random IoT devices. Will your wifi toaster get a patch? How about your out of support smart TV? And what if you’ve been avoiding patching because they sometimes turn on ads?

Anyway, Linux and Android are the most susceptible because their key can be trivially replaced with all 0s leading to easy packet injection and man-in-the-middle attacks. Linux will be swiftly patched of course, but many Android phones out of support are SOL, even if they’re only a year old.
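A toy model of the client-side step described in the two posts above (the retransmitted handshake message, and the all-zero key on Linux/Android), added here as an illustration and not code from the thread, wpa_supplicant or any vendor; the class name, message methods and key derivation are assumptions made for the model:

```python
import hashlib

# Constructed toy model of a WPA2 client's handshake key-install step.
# Names, message shapes and the key derivation are assumptions made for
# illustration; this is not wpa_supplicant or any vendor's code.
ZERO_KEY = bytes(16)

class Supplicant:
    """Minimal client state: the pairwise key in use and the CCMP packet number."""

    def __init__(self, clear_key_after_install=False, reinstall_guard=False):
        self.ptk = None             # key derived from this handshake
        self.installed_key = None   # key currently protecting data frames
        self.nonce = None           # packet number; must never repeat under one key
        self.clear_key_after_install = clear_key_after_install  # Linux/Android behaviour from the thread
        self.reinstall_guard = reinstall_guard                  # the fix: never re-install a key in use

    def receive_msg1(self, anonce):
        # Message 1 supplies the AP nonce; the client derives the pairwise key from it.
        self.ptk = hashlib.sha256(b"constructed-PMK" + anonce).digest()[:16]

    def receive_msg3(self):
        # Message 3 tells the client to install the key. The AP retransmits it if
        # message 4 never arrives; the flaw is that a retransmission re-runs this step.
        if self.reinstall_guard and self.installed_key is not None:
            return "ignored"            # patched: key already in use, keep the counter
        self.installed_key = self.ptk if self.ptk is not None else ZERO_KEY
        self.nonce = 0                  # (re)install resets the packet number
        if self.clear_key_after_install:
            self.ptk = None             # key wiped after install; a re-install now uses all zeros
        return "installed"

    def send_frame(self):
        """Return the (key, packet number) pair that protects the next data frame."""
        pair = (self.installed_key, self.nonce)
        self.nonce += 1
        return pair

def run_handshake(client, retransmit_msg3):
    """Drive one handshake and report (keystream pair reused?, key in use afterwards)."""
    client.receive_msg1(anonce=b"constructed-anonce")
    client.receive_msg3()
    before = {client.send_frame(), client.send_frame()}
    if retransmit_msg3:
        client.receive_msg3()           # a replayed or retransmitted message 3
    after = [client.send_frame(), client.send_frame()]
    reused = any(pair in before for pair in after)
    return reused, client.installed_key
```

The guard in `receive_msg3` is the shape of the client-side fix: a key that is already in use is never re-installed, so the packet number keeps counting and the all-zero key can never be selected.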

Hopefully there’s some sort of mitigation on the router end, because patching all those clients is a nightmare.

Yeah, it was part of this month’s Patch Tuesday.

Of course, people still need to restart their damn machines. There’s always a percentage who don’t for some reason. But the patch was issued.

So, patched clients connecting to an unpatched access point should be safe, and patched access points connecting to unpatched clients should be safe, but you should patch both to be sure, assuming your router manufacturer issues updates.

I put DD-WRT on my ancient router, and it may not see an update soon, either.

Netgear has patched a small number of router models, but mine is not on the list yet.

Netgear has posted an advisory. Netgear routers are only vulnerable if you put them in bridge mode, which is not enabled by default.

https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837

In the same boat with about 20+ controllers and hundreds of APs. Some of the stand-alone APs are patched, so I’m assuming Cisco just needs to bake in the newer AP code into a WLC firmware and we’ll be okay. Ongoing news for it is here:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa