OpenWrt Forum Archive

Topic: KRACK Attack against WPA2

The content of this topic has been archived between 30 Mar 2018 and 3 May 2018. Unfortunately there are posts – most likely complete pages – missing.

snocrash wrote:

Can someone answer this please:  Do the current snapshots contain the KRACK patches?

downloads.openwrt.org  snapshots/trunk/ar71xx/generic/

What I infer from the developers post (embedded below) is that the snapshots are updated - build date 3 November

But I just want this confirmed before I go to the hassle of re-flashing?

This also means that all people have to do is download the latest snapshot image - flash it - and you're done.. all updated. There's very very little difference between the snapshot and 15.05.1, so no one should be worrying about the snapshot being "bleeding edge" and risky, simply because there's been so little development done since 05.1

Look forward to an informed response

wigyori wrote:

We've decided that for CC we'll do a bugfix release (CC.1a or CC.2), which will only include the upgraded dropbear, *ssl, dnsmasq, and hostapd binaries. The kernel will remain the same, as upgrading that will require going through a whole RC cycle, which we're not geared up to.

The builds are running, will be available in the next couple days for the targets supported by CC.

Regards,
-w-

The development snapshots are updated with Krack prevention.

kukulo wrote:

The development snapshots are updated with Krack prevention.

Thanks for the quick and straightforward answer. I'll download the snapshot and flash it up - see how it goes.

This is a problem on the client side but not on the AP side. The WPA2 implementation is faster as several changes have been made recently in response to serious weaknesses researchers have identified in the previous system, for details can read further.

(Last edited by ExpertDeveloper on 20 Dec 2017, 13:44)

@ExpertDeveloper

Indeed you'd need to read a little more about the KRACK attack, here are some suggestions to start with:
https://www.krackattacks.com/
https://www.krackattacks.com/#patch-client-and-ap
https://www.krackattacks.com/#ap-mitigations

I'm still waiting for a confirmation from the openwrt core developers on whether the current trunk is patched or if a new patched openwrt version will be released - as mentioned in some posts above. Until then I consider openwrt WPA2 affected/broken. Period.

So is there now a way to patch routers running openwrt 15.05 so that they are no longer vulnerable to Krack attacks? I don't find a clear answer to this question.

If not what packages would need to be upgraded in order to do it? Would it be for some reason very hard to cross-compile them?

I have the feeling from dd-wrt fix, that having a corrected version of hostapd would be enough (I'm using hostpad), is that correct?

http://svn.dd-wrt.com/ticket/6005
http://svn.dd-wrt.com/changeset/33525

Thank's in advance!

(Last edited by pparent on 12 Mar 2018, 15:41)

The fix is called 17.01.4, and no just patching hostapd isn't sufficient.

Problem is that this so-called "fix" creates other important problems, that for now makes it unusable for me.

https://forum.lede-project.org/t/ram-us … 05/12989/2
https://forum.lede-project.org/t/high-c … qd/12992/8
https://forum.lede-project.org/t/sqm-bb … rformance/

Is there really no other solution?
What else that hostapd needs to be patched?

This topic sure seems to say that patching hostapd is enough:
http://www.linuxtopic.com/2017/10/krack-attack.html

(Last edited by pparent on 28 Mar 2018, 16:24)

The discussion might have continued from here.