cancel
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Welcome to the new look Community! We're still upgrading and making some changes to the platform over the coming weeks! Stay tuned.
New Contributor Pernicious
New Contributor

Krack WiFi Vulnerability CG3000v2

Does anyone know if Optus is going to push out a firmware update for this, and when? 

 

If they lock us out of managing our own firmware, they really need to be on the ball with security. 

 

For anyone who isn't already aware of it, the Krack vulnerability allows anyone to view and modify anything you send over WiFi, which means your passwords, credit cards, etc, are all at risk.

 

 

12 Replies
Highlighted
New Contributor NotTheCaptain
New Contributor

F@st 3864 modem firmware update

With the KRACK vulnerability for wifi, is there a firmware update/patch for the F@ST 3864 modems which will restore security?

Trusted Contributor
Trusted Contributor

Re: Krack WiFi Vulnerability CG3000v2

Everything I have read is that its something that can attack clients, not routers (also wireless repeaters).

So best thing is for your devices to be updated - and a huge amount wont be updated due to manufacturers no longer supporting them.


Did someone on Yes Crowd answer your question?
Please remember to acknowledge their awesomeness by throwing a Kudo and/or Accepted Solution their way!
0 Kudos
Reply
Respected Contributor
Respected Contributor

Re: Krack WiFi Vulnerability CG3000v2

Yeah I've heard the same as @Paddylee. The router isn't the vulnerable part of this, everything else is. I'd be making sure my phone was updated ASAP. If you're iPhone, Apple already said the fix is in place of its current beta which should be made broadly available to everyone within weeks. Google said they'd have a fix for Android in weeks to but then that needs to go to the likes of Samsung, HTC, LG etc so could be a while if you have one of those

____________________________________________________________________________________________________________________________
I do not represent Optus. The views, opinions and advice expressed in my posts are my own
0 Kudos
Reply
New Contributor Pernicious
New Contributor

Re: Krack WiFi Vulnerability CG3000v2

Unfortunately I don't read it that way from the vulnerability researcher's paper

 

"Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!"

 

https://www.krackattacks.com/#faq

 

 

0 Kudos
Reply
Trusted Contributor
Trusted Contributor

Re: Krack WiFi Vulnerability CG3000v2

That page also states:

 

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

 

 

Remember - you might connect to a wifi router at say a cafe etc - would you know if its "patched" or not - patching your devices would be the best course of action.


Did someone on Yes Crowd answer your question?
Please remember to acknowledge their awesomeness by throwing a Kudo and/or Accepted Solution their way!
0 Kudos
Reply
New Contributor Pernicious
New Contributor

Re: Krack WiFi Vulnerability CG3000v2

Patching my devices is another frustration. I still don't have the Blueborne patch from Telstra, and I'm thinking of using a custom ROM to get it. 

 

I don't believe the CG3000v2 has either 802.11r, nor repeater mode, so the advice is not that relevant. There are 10 CVEs that have been reserved for this family of attacks, only one of which has been fully described so far. When you have a look at who is releasing patches, it's companies like Cisco, Juniper and Netgear - all router and Access Point vendors (Google, Microsoft etc, are there as well, but not "lesser" O/S vendors). This makes me believe that the other 9 CVEs are going to impact the router, especially when they impact AP level keys like the GTK. 

 

If I'm connecting to a cafe, I wouldn't care if the AP was patched or not. Either there is no password, and everything is in clear text, or the password is on the front counter. Once the cr1minal (odd word to filter) is on the same network as me, it's trivial to ARP flood in order to MITM me, if the cafe owner didn't stop client to client traffic. I don't use public WiFi for that reason. (Well, occasionally just to browse, never to log into anything even moderately sensitive).

 

This really is about my home network. My job puts me into contact with sensitive data which I access from home. While HTTPS protects most of this, not all places where sensitive data is stored uses HSTS, so I cannot guarantee that I will notice any kind of SSL stripping or MITM attack. It is serious enough that I am considering asking my employer to pay for a new wireless access point that has been patched. But they already pay for my internet connection, so they should reasonably expect that if Netgear is writing patches, and Optus is customising their firmware and locking us out of getting patches, it's their responsibility to pass on those security patches, as much as it was their responsibility to secure the Telnet default password issue back in 2014:

 

https://yescrowd.optus.com.au/t5/Broadband-Telephony/Netgear-cg3000v2-back-door-vulnerability/td-p/7...

 

I don't really want to get bogged down in whether you agree with my risk assessment. I agree the average home user probably will never be targeted by this attack. However, not all of us are average home users. I'm just annoyed that I can't manage my own security, when the Vendor is releasing patches. 

Occasional Contributor AntikytheraBB
Occasional Contributor

Re: Krack WiFi Vulnerability CG3000v2

I'm keen to see an Optus repsonse on this issue. I actually use two CG3000v2 and they are currently running different versions of the firmware. V2.08.05 and V2.08.07

 

Looking at the Netgear site there is no firmware at all. I assume this is because the CG3000v2 is a custom product for Optus? Is it a rebadged version of another Netgear product? I was wondering if the firmware for that other product may give clues on if a firmware upgrade is required.

Retired Employee MouniraH
Retired Employee

Re: Krack WiFi Vulnerability CG3000v2

Hi All

 

Thank you for your post and raising your concerns

KRACK is a problem with Wi-Fi itself and not related to any particular device. The good news is Microsoft has already patched Wi-Fi vulnerability and Apple is patching in betas, with google bringing in a patch in the coming weeks.

In the meantime to protect yourself, make sure you’re up to date with any patches across any of your devices that use Wi-Fi including routers, refrain from using any public Wi-Fi and continue to check for more updates in the next few weeks.

 

We’ll be sharing more update on patches from manufacturers when they’re available

 

Thanks

Mounira 

Have you seen something helpful? Don't forget to give it a kudos. Asked a question and got an answer? Make sure you mark it as an accepted solution!
0 Kudos
Reply
Occasional Contributor gak
Occasional Contributor

Re: Krack WiFi Vulnerability CG3000v2

Samsung often take months and months to deploy firmware updates on their devices, I think I'm still multiple versions behind the latest Android. Any word on whether they're expediting updates or are they cool just leaving their customers exposed for a while? Might have to go to an alternative brand/device if that's the case...

0 Kudos
Reply
Top Contributors