2.4.1 & KRACK

  • Just wanting to make sure I understand KRACK and the pfSense 2.4.1 release - what it does and doesn't do…

    1. 2.4.1 includes the patch for the KRACK WPA2 WiFi vulnerability
    2. 2.4.1 KRACK patch only applies if we have a Wifi Network card installed in our pfSense router
    3. External Wifi AP or Modems/Routers are not fixed with 2.4.1, even in Bridge mode (or any mode), as the Wifi AP/Modem/Router is controlling the WPA2 protocol.
    4. In case of #3 above, only patching the external WiFi AP/Modem/Router with a KRACK fix will help (from the vendor or using 3rd party firmware)

    Did I misunderstand anything?


  • LAYER 8 Global Moderator

    You forgot the part where KRACK is for when the device is actually a client via wifi, for any of it to matter.

    So sure, patch your AP if it is using a wireless uplink, i.e. acting as a client to another AP.

    Are you using the wifi card in pfSense as a client to some other wifi router/AP?

    The issue with KRACK is that all the endpoint devices need to be patched. Not a real big issue with the major OSes. The issue is all the little IoT devices that connect via wifi. Those are the ones that are going to take a long time to get all fixed. While you have one device open to it on your network, it is a viable attack vector into your network.
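    The moderator's point above (KRACK is a client-side problem, so an AP only needs the patch when it has a wireless uplink and is itself a client) comes from where the flaw sits: in the supplicant's handling of message 3 of the WPA2 4-way handshake. The toy model below is an added example, not code from this thread, from pfSense or from FreeBSD. Its key derivation, stream cipher and frame layout are simplified stand-ins (an assumption; real WPA2 uses CCMP/GCMP with a 48-bit packet number). What it keeps is the behaviour that matters: installing a pairwise key resets the packet number that serves as the encryption nonce, so a client that installs the same key twice encrypts two different frames under one nonce, and the post-KRACK supplicant fix of refusing to reinstall an already-installed key removes that.

```python
"""Toy model of the WPA2 4-way handshake client (supplicant) side behind KRACK.

Added example, not code from the forum thread or from pfSense/FreeBSD.
Key derivation, cipher and frame layout are simplified stand-ins (assumption).
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Frame = Tuple[int, bytes]  # (packet number, sent in the clear; ciphertext)


def keystream(ptk: bytes, packet_number: int, length: int) -> bytes:
    """Stand-in keystream: deterministic in (key, nonce), like any stream mode."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            ptk + packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """A wifi client. An AP with a wireless uplink is a client of the upstream
    AP and runs this same code path, which is why only such APs need the fix."""
    patched: bool
    installed_ptk: Optional[bytes] = None
    packet_number: int = 0
    sent: List[Frame] = field(default_factory=list)

    def handle_msg3(self, ptk: bytes) -> bool:
        """Process message 3 of the handshake (possibly a retransmission).
        Returns True when the key was (re)installed."""
        if self.patched and self.installed_ptk == ptk:
            # Post-KRACK fix (as done in wpa_supplicant): a key that is already
            # installed is not installed again, so the nonce is not reset.
            return False
        self.installed_ptk = ptk
        self.packet_number = 0  # key installation resets the nonce counter
        return True

    def send(self, plaintext: bytes) -> Frame:
        assert self.installed_ptk is not None, "no key installed yet"
        ks = keystream(self.installed_ptk, self.packet_number, len(plaintext))
        frame = (self.packet_number, xor(plaintext, ks))
        self.sent.append(frame)
        self.packet_number += 1
        return frame


# Constructed sample data; equal length so the XOR check below is exact.
PLAINTEXTS = [b"first data frame", b"another frame..."]


def run(patched: bool) -> List[Frame]:
    """Handshake, one data frame, a retransmitted message 3, another frame."""
    ptk = hashlib.sha256(b"constructed pairwise key").digest()
    client = Supplicant(patched=patched)
    client.handle_msg3(ptk)
    client.send(PLAINTEXTS[0])
    client.handle_msg3(ptk)  # retransmission arrives after data was sent
    client.send(PLAINTEXTS[1])
    return client.sent


def nonce_reused(frames: List[Frame]) -> bool:
    """Monitoring view: the packet number is in the clear, so the same
    number appearing twice within one key session is observable."""
    numbers = [pn for pn, _ in frames]
    return len(numbers) != len(set(numbers))


def keystream_cancels(frames: List[Frame]) -> bool:
    """Consequence of nonce reuse: XOR of the two ciphertexts equals the
    XOR of the two plaintexts, i.e. the keystream drops out entirely."""
    (_, c1), (_, c2) = frames
    return xor(c1, c2) == xor(*PLAINTEXTS)


if __name__ == "__main__":
    for patched in (False, True):
        frames = run(patched)
        print(f"patched={patched}: nonce reused={nonce_reused(frames)}, "
              f"keystream cancels={keystream_cancels(frames)}")
```

    Running it shows the unpatched client sending both frames with packet number 0 and the keystream cancelling out, while the patched client keeps counting (0, then 1). The fix lives entirely in the client's state machine, which is why patching an AP that never acts as a client changes nothing, and why every wifi client (including each IoT device) needs its own update.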

  • The ISPs and the firmware makers are being lazy about pushing an update, so I'm using my Linksys E2000 updated with Firmware: DD-WRT v3.0-r33607 mega (10/25/17) in switch mode for wireless til this crap is cleared up…

    Wireless N will be fine for a while.  Just so long as the WPA2 isn't busted.

  • LAYER 8 Global Moderator

    Not sure I would take it to that extreme. There is no code in the wild that I am aware of, and they have to be in your wifi range, etc.

    Sure, code will become available soon enough, etc. Then at some point the script kiddie next door might be able to read a guide on how to do it. Hopefully by that point you have all your IoT devices patched, etc.

  • So far, all fixes for the KRACK vulnerability on the AP side just disable the roaming feature.

    Unfortunately, we can't do that, so instead we patch the devices, and the devices that don't receive updates to fix the issue go in the bin.

    Luckily my IP cams are wired up (they have WiFi capability, but I just don't use it) because of PoE.

  • Sounds expensive, but I suspect that's what businesses like (-;

  • LAYER 8 Global Moderator

    "devices that don't receive updates to fix the issue go in the bin."

    When - like right now? Or say in 3 months?

    "AP side just disable the roaming feature."

    Is your AP actually using a wifi uplink? If not, then it's not an issue.

  • Since DD-WRT OpenVPN is up to date, I also went ahead and made mine an OpenVPN client to my pfSense in the USA. (Unrelated side note)
    Works well. I do think DD-WRT is a very good option for people whose hardware may not get patches.

  • Thanks everyone for all the info!
    It appears there is no urgency for me to update my pfSense box to 2.4.1 since the Wifi routers don't operate in roaming mode. It's the clients that are hosed.
    Basically, I'm not worried about my Windows PC, Apple devices, Android devices, Raspberry devices as they are all getting security updates, etc.
    But when I start taking stock of every other 'internet connected device' I have, I just have to throw up my hands and say "I give up" and not worry about it.
    I mean, there's TVs, set-top boxes, wireless cameras, wifi enabled DVD players, remote controlled light switches, temperature sensors, wifi enabled 3D printers, wifi enabled 2D printers, etc. None of that stuff is EVER going to get patched.
    So you either have to pitch it all and go back to stone tablets, or ignore it and realize it's more likely someone will bust down your door, raid the place and set fire to it on the way out, than go to the effort of 'stealing' your wifi data in hopes of getting something useful.

  • LAYER 8 Global Moderator

    "None of that stuff is EVER going to get patched."

    Why would you say that.. You mean you won't take the time to patch it when the maker releases the patch.. Or that there is no method to update them?  DVRs and TVs all have ways to update the firmware they run, etc.  Same with printers.

    I have some lights and such, that were a concern of mine.  But tp-link has stated they will be updated.  You can check responses and such from many a company that create devices that use wifi here.

    What I would be more concerned with is some oddball device made in China that has no real link to any sort of support page or info, or even what company you could check with on it being updated, etc. If it's a major player I would have to assume at some point it will be fixed. But it could be months, etc. And yeah, it quite possibly might be a PITA for some of the devices. TVs for example can be a pain to update. Have to boot from a USB quite often, etc.

    I am a fan of using a wire for any sort of device that isn't mobile.. My printers and TV for example rarely move..  Shoot even when playing with the old chromecast devices - I had gotten the optional hardware option when it came out for $15 ;)

    "throw up my hands and say "I give up" and not worry about it."

    Not sure I would agree with the not worry about it statement. But I sure wouldn't be losing any sleep over it either. But something to let simmer on the back burner for a bit and give the manufacturers a bit of time to get their act together.
