Does anyone know if Optus is going to push out a firmware update for this, and when?
If they lock us out of managing our own firmware, they really need to be on the ball with security.
For anyone who isn't already aware of it, the Krack vulnerability allows anyone to view and modify anything you send over WiFi, which means your passwords, credit cards, etc, are all at risk.
Everything I have read is that it's something that can attack clients, not routers (also wireless repeaters).
So best thing is for your devices to be updated - and a huge amount won't be updated due to manufacturers no longer supporting them.
Yeah I've heard the same as @GTFO. The router isn't the vulnerable part of this, everything else is. I'd be making sure my phone was updated ASAP. If you're iPhone, Apple already said the fix is in place of its current beta which should be made broadly available to everyone within weeks. Google said they'd have a fix for Android in weeks too, but then that needs to go to the likes of Samsung, HTC, LG etc so could be a while if you have one of those.
Unfortunately I don't read it that way from the vulnerability researcher's paper:
"Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!"
That page also states:
What if there are no security updates for my router?
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
Remember - you might connect to a wifi router at say a cafe etc - would you know if it's "patched" or not? Patching your devices would be the best course of action.
Patching my devices is another frustration. I still don't have the Blueborne patch from Telstra, and I'm thinking of using a custom ROM to get it.
I don't believe the CG3000v2 has either 802.11r or repeater mode, so the advice is not that relevant. There are 10 CVEs that have been reserved for this family of attacks, only one of which has been fully described so far. When you have a look at who is releasing patches, it's companies like Cisco, Juniper and Netgear - all router and Access Point vendors (Google, Microsoft etc, are there as well, but not "lesser" O/S vendors). This makes me believe that the other 9 CVEs are going to impact the router, especially when they impact AP level keys like the GTK.
If I'm connecting to a cafe, I wouldn't care if the AP was patched or not. Either there is no password, and everything is in clear text, or the password is on the front counter. Once the cr1minal (odd word to filter) is on the same network as me, it's trivial to ARP flood in order to MITM me, if the cafe owner didn't stop client to client traffic. I don't use public WiFi for that reason. (Well, occasionally just to browse, never to log into anything even moderately sensitive).
This really is about my home network. My job puts me into contact with sensitive data which I access from home. While HTTPS protects most of this, not all places where sensitive data is stored use HSTS, so I cannot guarantee that I will notice any kind of SSL stripping or MITM attack. It is serious enough that I am considering asking my employer to pay for a new wireless access point that has been patched. But they already pay for my internet connection, so they should reasonably expect that if Netgear is writing patches, and Optus is customising their firmware and locking us out of getting patches, it's their responsibility to pass on those security patches, as much as it was their responsibility to secure the Telnet default password issue back in 2014:
I don't really want to get bogged down in whether you agree with my risk assessment. I agree the average home user probably will never be targeted by this attack. However, not all of us are average home users. I'm just annoyed that I can't manage my own security, when the Vendor is releasing patches.
I'm keen to see an Optus response on this issue. I actually use two CG3000v2 and they are currently running different versions of the firmware: V2.08.05 and V2.08.07.
Looking at the Netgear site there is no firmware at all. I assume this is because the CG3000v2 is a custom product for Optus? Is it a rebadged version of another Netgear product? I was wondering if the firmware for that other product may give clues on if a firmware upgrade is required.
Thank you for your post and raising your concerns.
KRACK is a problem with Wi-Fi itself and not related to any particular device. The good news is Microsoft has already patched the Wi-Fi vulnerability and Apple is patching in betas, with Google bringing in a patch in the coming weeks.
In the meantime to protect yourself, make sure you’re up to date with any patches across any of your devices that use Wi-Fi including routers, refrain from using any public Wi-Fi and continue to check for more updates in the next few weeks.
We’ll be sharing more updates on patches from manufacturers when they’re available.
Samsung often take months and months to deploy firmware updates on their devices, I think I'm still multiple versions behind the latest Android. Any word on whether they're expediting updates or are they cool just leaving their customers exposed for a while? Might have to go to an alternative brand/device if that's the case...