Last Updated: Nov 11th, 2017 8:05 pm
Sr. Member
Dec 28, 2004
764 posts
169 upvotes
Rogershelps on Twitter replied to me and said they will be pushing security updates to the modems automatically over the next few weeks, and that customer security and privacy are their utmost concern and they will work with their partners on this.
Deal Guru
Mar 25, 2003
11109 posts
1427 upvotes
Markham
80TB Mediasonic H82-SU3S2 / 60TB Raid 50 on Mediasonic H8R2-SU3S2
40TB Node 304 / i5-3570 / Server 2016 Essentials
11TB HP Mediasmart EX 495 (E8400, 3.0GHZ, 4GB Mushkin), with Server 2012 Essentials
16TB Qnap TS-459 Pro / 6TB HP Mediasmart EX 485
Newbie
Nov 24, 2006
88 posts
17 upvotes
london
Is anyone aware if DD-WRT, Tomato, Merlin or Open-WRT third party firmware has been updated to address this security issue?
Deal Fanatic
Nov 21, 2002
7044 posts
943 upvotes
Winnipeg
shaolin_x wrote:
Oct 19th, 2017 6:34 pm
Is anyone aware if DD-WRT, Tomato, Merlin or Open-WRT third party firmware has been updated to address this security issue?
LEDE has.

My understanding is this is mainly a client-based issue. All clients have to be fixed or it's useless if the router has the fix. TV/camera/smart switches/plugs/printers, bud redlight, cheap Android boxes, wifi SD cards. Pointless if the AP and router have the fix; you're not safe if a client on the chain isn't.
This is the spin argument going around at most router forums on the topic. It has more teeth at tech support if you mention wireless AP or repeater or bridge function on the need for an immediate fix for your router.

Worst case are the point of sale devices. All those things that really don't get updates can't be in the chain. It's truly the biggest sh1t show going. I am amazed this isn't headline news, it's weird?? It's a bad scenario. Great argument for the pros of open source vs private, hands down.
Penalty Box
Mar 23, 2004
21649 posts
2406 upvotes
audit13 wrote:
Oct 16th, 2017 1:17 pm
Damn, I hide my SSID but that is not of any use either :(
Hiding your SSID may make your wifi network less prone to attack but it actually makes your clients (laptops, phones, tablets, etc.) more prone to attack because then someone can just spoof the SSID your device is "looking for" and boom they're into your device quite easily.

Hiding your SSID is actually a pretty bad idea.
Deal Guru
Apr 16, 2001
14556 posts
1424 upvotes
Oshawa
I'm a little pissed that this vulnerability was publicly disclosed. The ultimate result is that millions upon millions of devices are now obsolete.
Whenever someone asks a question that starts with "Why do they..." or "Why don't they...", the answer is always a) money, b) stupidity, or c) both.
Newbie
Nov 24, 2006
88 posts
17 upvotes
london
Why are you shooting the messenger? The individual who discovered the flaw had a public duty to bring this issue to light. In fact he gave the major stakeholders (Google, Microsoft, Apple etc) 2-3 prior notice so they could figure out a fix. If he didn't bring this issue to light he would have been accused of being in cahoots with the government (NSA, CIA, etc) and those in power while leaving the general public in the dark.
Deal Fanatic
Sep 28, 2010
9872 posts
2322 upvotes
Irregular Heptagon
smoraes wrote:
Oct 19th, 2017 5:02 pm
nope Apple shafted us on iOS 9.3.5 for iPod touch 5 and iPad 2 and Android and KitKat or higher fuggetaboutit other than Nougat so far or a Google device for Android if that for older Google hardware :)

has Rogers put out fixes for the internet modems if anyone has checked - maybe I should put in a case with rogerhelps or on their Twitter feeds :)
I heard Rogers has been telling people that their modems aren’t affected by Krack.

Do they intentionally hire the absolute dumbest people? I get that they aren’t a technology company but can’t they hire someone that has a clue? Even on a contract basis. They don’t always have to hire monkeys.
2015 wins: Trip for 2 to NYC with airfare, limo, hotel and insurance ($3700); Maple Leafs tickets($250); 32GB HTC One M9 ($700), Samsung Galaxy Tab 10.1($200), Samsung Galaxy Note 5($850), Aukey 2 port fast car charger($23), Fitbit Flex ($120), Blue Piston Bluetooth Speaker ($30). 2016 wins: nada
Deal Fanatic
Sep 28, 2010
9872 posts
2322 upvotes
Irregular Heptagon
JAC wrote:
Oct 20th, 2017 6:43 pm
I'm a little pissed that this vulnerability was publicly disclosed. The ultimate result is that millions upon millions of devices are now obsolete.
You think publicity made the devices obsolete? The vuln exists. Major manufacturers and OS vendors were informed prior to disclosure.

Keeping it a secret would just mean all your devices were exposed without you knowing. That’s head in sand security.
Deal Fanatic
Sep 28, 2010
9872 posts
2322 upvotes
Irregular Heptagon
ES_Revenge wrote:
Oct 20th, 2017 5:15 pm
Hiding your SSID may make your wifi network less prone to attack but it actually makes your clients (laptops, phones, tablets, etc.) more prone to attack because then someone can just spoof the SSID your device is "looking for" and boom they're into your device quite easily.

Hiding your SSID is actually a pretty bad idea.
Can’t they spoof it even when you aren’t hiding it?
Deal Fanatic
Sep 28, 2010
9872 posts
2322 upvotes
Irregular Heptagon
Wink is also saying they won’t patch. Their staff have determined that using SSL fixes the issue.

With this level of incompetence this issue will be around forever.
Last edited by ceredon on Oct 21st, 2017 12:03 pm, edited 1 time in total.
Deal Fanatic
Mar 6, 2005
5321 posts
574 upvotes
ceredon wrote:
Oct 21st, 2017 9:39 am
Can’t they spoof it even when you aren’t hiding it?
Yes but when you set to non-broadcast clients will reveal it when they try and search for their non broadcast SSID. Basically whenever they see a “hidden network” it will try and probe (to check if it’s the right one) and reveal the network it’s looking for even if it’s not in range.

Kind of like “hey are you myhiddenssid network?”

Vs with broadcast it will only latch on if it sees the correct SSID (it does not send out probe requests)
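
The probing behaviour described in the post above, as an added example that is not part of the original thread: a parser that reads probe-request frames and reports which client named which network, useful for checking what your own devices disclose in a capture. The frames are constructed sample data with the radiotap header assumed already stripped; `build_probe`, `parse_probe`, `disclosed_ssids` and the MAC addresses are hypothetical names chosen for this example.

```python
PROBE_REQ = 0x40  # frame-control byte 0: management frame, subtype 4
SSID_TAG = 0      # information-element ID that carries the SSID

def build_probe(src_mac: bytes, ssid: bytes) -> bytes:
    """Build a minimal probe request (constructed sample data)."""
    header = bytes([PROBE_REQ, 0]) + b"\x00\x00"        # frame control, duration
    header += b"\xff" * 6 + src_mac + b"\xff" * 6       # DA, SA, BSSID
    header += b"\x00\x00"                               # sequence control
    return header + bytes([SSID_TAG, len(ssid)]) + ssid

def parse_probe(frame: bytes):
    """Return (client_mac, ssid) for a probe request, else None.
    An empty ssid is a wildcard probe that names no network."""
    if len(frame) < 26 or frame[0] != PROBE_REQ:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[10:16])
    pos = 24                                            # first tagged element
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                                 # truncated element
        if tag == SSID_TAG:
            return mac, value.decode("utf-8", "replace")
        pos += 2 + length
    return None

def disclosed_ssids(frames):
    """Map each client MAC to the network names it sent in directed probes."""
    seen = {}
    for frame in frames:
        parsed = parse_probe(frame)
        if parsed and parsed[1]:
            seen.setdefault(parsed[0], set()).add(parsed[1])
    return seen

# Constructed capture: two clients, plus one beacon-type frame to be ignored.
CLIENT_A = bytes.fromhex("aabbcc000001")
CLIENT_B = bytes.fromhex("aabbcc000002")
SAMPLE = [
    build_probe(CLIENT_A, b"myhiddenssid"),     # directed probe, names the network
    build_probe(CLIENT_A, b""),                 # wildcard probe
    build_probe(CLIENT_B, b""),                 # wildcard only, discloses nothing
    b"\x80" + build_probe(CLIENT_B, b"x")[1:],  # beacon subtype, not a probe
]

if __name__ == "__main__":
    for mac, names in disclosed_ssids(SAMPLE).items():
        print(mac, sorted(names))
```

A client that appears in the result with a network name is one whose saved-network list is worth pruning.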
Deal Guru
Apr 16, 2001
14556 posts
1424 upvotes
Oshawa
ceredon wrote:
Oct 21st, 2017 9:38 am
You think publicity made the devices obsolete? The vuln exists. Major manufacturers and OS vendors were informed prior to disclosure.
Keeping it a secret would just mean all your devices were exposed without you knowing. That’s head in sand security.
Yes, I agree it's not the optimal situation, but there's no guarantee blackhats would have discovered the vulnerability. A longer period before public disclosure combined with discreet manufacturer patches would have allowed a significant number of these unpatched devices to die a natural death, rather than a forced replacement. And let's face it, aside from Google, droid manufacturers have a rubbish history of providing updates.

With the vulnerability made public, there will be a free-for-all taking advantage of the uninformed.
Deal Guru
Nov 5, 2001
10756 posts
1274 upvotes
Edmonton
ceredon wrote:
Oct 21st, 2017 12:03 pm
Wink is also saying they won’t patch. Their staff have determined that using SSL fixes the issue.

With this level of incompetence this issue will be around forever.
Basically Wi-Fi is not considered a secure form of data transmission now regardless of encryption protocol. Hardline with vpn and encryption is the only option.


Any device not under current sales support won't get an upgrade meaning tons of electronics became landfill devices. The average consumer won't care until their Wi-Fi gets haxed and the rcmp busts down their door for hosting cp servers.
Penalty Box
Mar 23, 2004
21649 posts
2406 upvotes
blainehamilton wrote:
Oct 21st, 2017 6:42 pm
Basically Wi-Fi is not considered a secure form of data transmission now regardless of encryption protocol. Hardline with vpn and encryption is the only option.


Any device not under current sales support won't get an upgrade meaning tons of electronics became landfill devices. The average consumer won't care until their Wi-Fi gets haxed and the rcmp busts down their door for hosting cp servers.
That's it in a nutshell and the reality is even if you're susceptible to this vulnerability the chances of you actually getting hacked in this fashion are really very very small. The only people that will be putting anything into the landfills over this are tin foil hatters (of which we know there are many on RFD but in the real world there are very few).

Think about how many people have WPS enabled on their routers given:
1. It is still enabled by default on many of these devices even long after it's a known rather gaping security hole?
2. Most people don't understand how big a security flaw WPS is and they actually foolishly think it's just some easy way to connect devices and use it in that fashion?

And WPS basically lets any real hacker into your network with a degree of ease given how long it's been known about and how many people have it enabled as described above.

As for KRACK and hosting cp servers (I'm guessing that means child porn servers?) not sure this is really an avenue for that. KRACK allows wireless traffic to be intercepted, it doesn't allow access to your network, right? For that, the WPS avenue would be much more straightforward and effective. KRACK on the other hand would be better for stealing information like internet passwords and the like (e.g. identity theft) instead of gaining control over your network. And who is really accessing things like banking, finances, critical identity stuff over their standalone devices like Android boxes, Rokus, etc? On their phones yes but then I've always thought this a bad idea personally and do all that on my laptop, though granted I don't even ever use wifi on my phone (I'm always on mobile data).

Bottom line is "hackers gonna hack" and unless you want to be known for wearing foil hats of various designs, you've probably got multiple "security issues" in the way you use computers and devices daily. Sure do what you can to minimise these, but there's really no reason to go overboard.
