The world’s standard for wifi encryption is now hackable. Knowing what patches are available can be a rabbit hole. Our heroes over at ZDNet have compiled the following list of companies who were on the immediate forefront of security updates to the hack that happened in late October, 2017. For further details on the hack itself, and what it means to your business, technology and data security, see the related article below.
The following companies were immediate in their patching for the WPA2 hack:
Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks.
Arris: a spokesperson said the company is “committed to the security of our devices and safeguarding the millions of subscribers who use them,” and is “evaluating” its portfolio. The company did not say when it will release any patches.
AVM: This company may not be taking the issue seriously enough, as due to its “limited attack vector,” despite being aware of the issue, will not be issuing security fixes “unless necessary.”
Update: AVM has now released a statement on the issue:
“FRITZ!Boxes on broadband connections are currently not affected by the wireless security breach known as “Krack,” as such access points do not use the affected 802.11r standard. A possible, theoretical Krack attack targets the wireless connection of a client connecting to the wireless LAN. […]
AVM became aware of Krack on 16 October. Unfortunately, the responsible disclosure policy that applies in such cases was disregarded by the discoverers of the leak. After further investigation and tests, AVM will provide updates for its wireless repeaters.”
Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that “multiple Cisco wireless products are affected by these vulnerabilities.”
“Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards,” a Cisco spokesperson told ZDNet. “When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention.
“Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available,” the spokesperson said.
In other words, some patches are available, but others are pending the investigation.
eero: eeroOS version 3.5 includes a patch to protect against KRACK and is available as an in-app update.
Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix.
Fortinet: At the time of writing there was no official advisory, but based on Fortinet’s support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected.
FreeBSD Project: A patch is actively being worked on for the base system.
Google: Google told sister-site CNET that the company is “aware of the issue, and we will be patching any affected devices in the coming weeks.”
HostAP: The Linux driver provider has issued several patches in response to the disclosure.
Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers.
LineageOS: The Android operating system patched the bug in 14.1 builds, the developers confirmed in a tweet.
Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July.
Netgear: Netgear has released fixes for some router hardware. The full list can be found here.
Microsoft: While Windows machines are generally considered safe, the Redmond giant isn’t taking any chances and has released a security fix available through automatic updates.
Microchip: The company has a list of patches available.
MikroTik: The vendor has already released patches that fix the vulnerabilities.
OpenBSD: Patches are available.
Toshiba: A Toshiba spokesperson told ZDNet: “We are currently investigating the effect of WPA2 vulnerability detail. We are reviewing our countermeasures and will clarify them once they become available.”
Ubiquiti Networks: A new firmware release, version 188.8.131.5237, protects users against the attack.
WatchGuard: Patches for Fireware OS, WatchGuard legacy and current APs, and for WatchGuard Wi-Fi Cloud have become available.
Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members.
Wi-Fi Standard: A fix is available for vendors but not directly for end users.
Details on the hack, and our suggestions on what actions to take, can be seen in the following article series. Should you have concerns around your business data security, do not hesitate to reach out to us at ActiveCo Technology Management.