WPA2 vulnerability revealed - update your devices NOW!

Post by wildweasel »

Viscra Maelstrom wrote: i can't find any new updates for the firmware on our router over here, should i be worried? it doesn't detect any updates when i check for them in the router settings, and the site that supposedly should have my model on it (Netgear) doesn't yield any results for our router (OnNetworks 300R).
If you can't update your router, at least see if you can update your clients (mobile phones, computer OSes, etc).
Post by Rachael »

Keep checking.

Hopefully it's not an outdated model - if it is, I expect in the coming weeks users will find a way to patch the WPA2 driver in the firmware manually.
Post by Viscra Maelstrom »

apparently the router we use is EOL. according to this, the closest i would be able to find firmware-wise for it is for the WNR2000v5. is it safe though to use firmware that's meant to be compliant for another model of router?

edit: also worth mentioning is that Netgear doesn't seem to list that model as being vulnerable.
Post by Rachael »

No, it is not safe. Not unless the drivers are all the same - the moment you mess up the drivers, the whole thing is gone.

Your best bet is to wait until a user patch is created that covers a lot of models that specifically targets the WPA2 drivers without affecting the rest of the system. Of course, getting in and gaining root access in order to install it is a different story.

Alternatively, if the router belongs to your ISP, see if you can negotiate with them to get a newer one. ISPs typically don't have a problem keeping you up to date on routers if they loan it out to you as their own property. But of course, there's no guarantee the newer one will be patched, but hopefully at least having it will make you eligible for a patch when it becomes available.
Post by Viscra Maelstrom »

in that case, i'll update my other devices for now. my Win 10 desktop seems to be already okay (since that patch apparently arrived a week ago), which just leaves my iphone and laptop, the last one particularly important, since i use it every day at work, making it particularly important that it doesn't get hit by the office wifi.
Post by Matt »

EDIT:
What if there are no security updates for my router or access point? Or if it does not support 802.11r?

Routers or access points (APs) are only vulnerable to our attack if they support the Fast BSS Transition (FT) handshake, or if they support client (repeater) functionality. First, the FT handshake is part of 802.11r, and is mainly supported by enterprise networks, and not by home routers or APs. Additionally, most home routers or APs do not support (or will not use) client functionality. In other words, your home router or AP likely does not require security updates. Instead, it is mainly enterprise networks that will have to update their network infrastructure (i.e. their routers and access points).
so uh yeah nevermind what i had here

[prior butthurt below]
Last edited by Matt on Wed Nov 15, 2017 8:28 pm, edited 2 times in total.
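
Added example, not part of the thread or of the FAQ quoted above: one way to check the first condition in that quote (whether an access point offers the 802.11r FT handshake) is to read the information elements it broadcasts in its beacons. The sketch parses the RSN element (ID 48) for FT key-management suites and looks for a Mobility Domain element (ID 54); the two sample byte strings are constructed for illustration, and client/repeater mode, the second condition, cannot be seen this way.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"
# AKM suite types under the 802.11 OUI that denote Fast BSS Transition (FT)
FT_AKMS = {3: "FT-802.1X", 4: "FT-PSK", 9: "FT-SAE"}
RSN_ID, MDE_ID = 48, 54  # RSN element, Mobility Domain element

def iter_elements(blob):
    """Yield (id, body) for each id/length/value element; stop on truncation."""
    pos = 0
    while pos + 2 <= len(blob):
        eid, length = blob[pos], blob[pos + 1]
        body = blob[pos + 2:pos + 2 + length]
        if len(body) < length:
            return
        yield eid, body
        pos += 2 + length

def rsn_akms(body):
    """Return (oui, type) for every AKM suite selector in an RSN element body."""
    if len(body) < 8:  # version(2) + group cipher(4) + pairwise count(2)
        return []
    (pairwise,) = struct.unpack_from("<H", body, 6)
    pos = 8 + 4 * pairwise
    if len(body) < pos + 2:
        return []
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    akms = []
    for _ in range(count):
        if pos + 4 > len(body):
            break
        akms.append((body[pos:pos + 3], body[pos + 3]))
        pos += 4
    return akms

def ft_status(elements):
    """Report advertised FT AKMs and whether a Mobility Domain element is present."""
    ft, mde = [], False
    for eid, body in iter_elements(elements):
        if eid == MDE_ID:
            mde = True
        elif eid == RSN_ID:
            ft += [FT_AKMS[t] for oui, t in rsn_akms(body)
                   if oui == IEEE_OUI and t in FT_AKMS]
    return {"ft_akms": ft, "mobility_domain": mde}

# Constructed samples: SSID + RSN (WPA2-PSK only); SSID + RSN (802.1X, FT-802.1X) + MDE
HOME_AP = bytes.fromhex("0004686f6d65" "3014" "0100000fac040100000fac040100000fac020000")
CORP_AP = bytes.fromhex("0004636f7270" "3018" "0100000fac040100000fac040200000fac01000fac030000" "3603a1b201")
```

An empty `ft_akms` list with no Mobility Domain element matches the "home router" case in the quote; any FT suite listed means the AP firmware is in scope for the fix.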
Post by Kinsie »

Brief Update Time:

Apple's operating systems have been updated to fix the vulnerability. Grab the MacOS High Sierra 10.13.1 update for computers, or iOS 11.1 for phones and tablets from 2013 or newer.

Android fixes still seem to be spotty ahead of Google's planned November 6 fix for their own devices, as ever. Verizon have released their own patch for the Galaxy S8 and Galaxy S8+. I don't know much about Android, so please feel free to fill us in on more updates.