18-10-2017 04:08 PM
There's a very dangerous hack around called KRACK that breaks WPA2 wireless encryption. Any device that uses this encryption is wide open!
I tried to find an upgrade for the EE-supplied router but EE doesn't even know what a firmware patch is! How do I find this upgrade?
18-10-2017 04:13 PM
18-10-2017 05:08 PM
Weeks?! That's not good enough. Apple, Cisco et al have already made a patch or an OS upgrade available. My wifi network is wide open to the world!
Well at least anyone close by.
18-10-2017 05:31 PM
"My wifi network is wide open to the world!"
No, not the world; just those who can drive by your home within range.
18-10-2017 06:19 PM
Only routers that are configured to act as clients to a central router really need patching.
18-10-2017 07:20 PM
I spent the better part of an hour talking with EE's alleged technical support yesterday and not only had they not heard of it, they had no idea what I was talking about. They promised to phone me back and never did. Technical support? You're joking, surely.
Re your comment about a central router, well that's exactly what I have. When I'm in range, I use my phone via it. I use it to connect to various devices. Yes, you have to be in range, but so what?
18-10-2017 07:28 PM - edited 18-10-2017 07:29 PM
@Barovsky: Yes, your phone is vulnerable. It's a client to your BB router. What I'm saying is that the BB router is not in itself affected by this crack.
18-10-2017 08:31 PM
Sorry, that's not true. It's the data stream that is unprotected because the encryption has been broken! Hence any data stream, to a phone, to a laptop, to my desktop machine, to my wireless speakers, are routes through to my data. This is why a firmware update is needed (BTW, I factory reset my router and noticed that the firmware is still dated 2014!) And why are EE using some company in Taiwan to supply their routers (Arcadyan) instead of a well-supported make?
Yes, you have to be in range to pick up the data stream, but your point is what? That nobody will ever be in range? Duh!
I quote from my hosting tech support:
The original reference here seems to be https://www.krackattacks.com/ and it suggests that Android and Linux are especially prone. Basically, the attack is in the 4 way handshake -- the protocol allows the 3rd shake to be re-transmitted. You may want to assume that someone nearby can eavesdrop on your wifi signal.
18-10-2017 10:10 PM
I just got this from the tech support at my hosting co, make of it what you will:
EE is trying to shift responsibility here onto WiFi clients. In fact, both the host (WiFi router) and the client are equally responsible. If anything, it makes more sense to fix this at the router level through a firmware update. The Android patch is coming out in November and that's for Google's latest OS version. Given that, I wouldn't hold my breath for EE patching router firmware. That said, I don't think you should be overly concerned about the impact of this vulnerability on you. The real-world impact is targeted man-in-the-middle attacks against high-profile targets and attacks against public WiFi hotspots (connections that are generally assumed to be insecure anyway). If you are still concerned about this, I think a much easier route than the Sisyphus' Task of getting EE to fix the firmware is to use a VPN or HTTPS with some attention given to presented certs. Perhaps, a few months hence, the stock EE router will already have the patch included.
18-10-2017 10:55 PM
Which hosting co?
19-10-2017 08:30 AM
I don't think I'm at liberty to disclose that. Suffice to say, I've been with them for 14 years and I trust their skills.
19-10-2017 02:12 PM
OK, I'm not questioning their skills, but their assumptions & am just wondering where they got that EE is trying to shift responsibility?
19-10-2017 03:31 PM
I suspect it's the statement (made by you?):
"Yes, your phone is vulnerable. It's a client to your BB router. What I'm saying is that the BB router is not in itself affected by this crack."
That led them to that conclusion, when in fact it's ANY wifi device including the router (of course) that's vulnerable. So by saying it's not the router but any device connected to it, EE avoids having to update the firmware on its routers. Else why would pretty much EVERY other router/PC maker/supplier be updating the firmware or OS, e.g. Cisco, Apple et al, if it wasn't necessary?
19-10-2017 04:15 PM
I'm not EE. I'm a private individual like you. Have you misled your hosting co? Perhaps you need them to retract that statement.
19-10-2017 05:05 PM
Well, that's my confusion, not the hosting company's, so they have nothing to apologise for. The statement reads as though it does come from EE, but if it's just your personal opinion then maybe you should have made that clear? Moreover, if it is just your personal opinion, what's it based on if not info from EE?
19-10-2017 05:35 PM
Unless something comes from accredited staff it's always personal opinion / knowledge anywhere on the Internet. More fake news on the Net!
19-10-2017 05:54 PM
Fake news? I think not. Let's not go overboard here, KRACK is real. What's not real is EE's response (or lack of one), because their 'technical' dept is not fit for purpose.
The only reason I came here in the first place was because I got absolutely no joy at all from my interaction with EE.
19-10-2017 07:05 PM
The following is by the researcher Mathy Vanhoef, who found the vulnerability, and is quoted from the Key Reinstallation Attacks web site:
"Q. What if there are no security updates for my router?
A. Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones."
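The two router-side mitigations named in the FAQ quoted above (disabling client functionality and disabling 802.11r), as an added example that is not part of the original post or of the researchers' material: a Python check over a constructed wireless configuration in OpenWrt's `/etc/config/wireless` format. The file format, section names and SSIDs are assumptions; the EE router discussed in this thread may not expose its settings this way.

```python
import shlex

# Constructed sample in OpenWrt's /etc/config/wireless format (assumption:
# a router that exposes its settings this way; names and SSIDs are made up).
SAMPLE = """
config wifi-iface 'home_ap'
    option mode 'ap'
    option ssid 'HomeNet'
    option ieee80211r '1'

config wifi-iface 'uplink'
    option mode 'sta'
    option ssid 'UpstreamNet'

config wifi-iface 'guest_ap'
    option mode 'ap'
    option ssid 'Guest'
    option ieee80211r '0'
"""

TRUE_VALUES = {"1", "on", "true", "yes", "enabled"}

def parse_ifaces(text):
    """Return {section_name: {option: value}} for each wifi-iface section."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # strips quotes and '#' lines
        if not parts:
            continue
        if parts[0] == "config":
            current = None  # any new section ends the previous one
            if len(parts) > 1 and parts[1] == "wifi-iface":
                name = parts[2] if len(parts) > 2 else f"@wifi-iface[{len(ifaces)}]"
                current = ifaces.setdefault(name, {})
        elif parts[0] == "option" and current is not None and len(parts) >= 3:
            current[parts[1]] = parts[2]
    return ifaces

def audit(text):
    """Flag the two router-side settings the FAQ suggests disabling."""
    findings = []
    for name, opts in parse_ifaces(text).items():
        if opts.get("mode") == "sta":  # repeater uplink: router acts as a client
            findings.append((name, "client mode (router joins another AP)"))
        if opts.get("ieee80211r", "0").lower() in TRUE_VALUES:
            findings.append((name, "802.11r fast roaming enabled"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

An empty result only means neither setting is switched on in the configuration; it says nothing about whether the firmware itself has been patched.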
19-10-2017 07:40 PM
I found this on the same page:
The direction in which packets can be decrypted (and possibly forged) depends on the handshake being attacked. Simplified, when attacking the 4-way handshake, we can decrypt (and forge) packets sent by the client. When attacking the Fast BSS Transition (FT) handshake, we can decrypt (and forge) packets sent towards the client. (my emph. B)
Either way, as an EE customer, using an EE-supplied router and phone, and whether or not there's a greater or smaller risk via the router, it's incumbent on EE to keep up with these events and inform its customers in a timely fashion. The fact that EE tech support had no idea about KRACK (or about firmware patches for that matter, in fact, didn't even know what it was!), is in and of itself an indictment of EE's so-called customer support.
I'm paying a minimum of £50 a month for this 'support'.