by Barovsky Investigator

Need to upgrade firmware of router

There's a very dangerous hack around called KRACK that breaks WPA2 wireless encryption. Any device that uses this encryption is wide open!

 

I tried to find an upgrade for the EE-supplied router but EE doesn't even know what a firmware patch is! How do I find this upgrade?

by
EE Employee

Re: Need to upgrade firmware of router

Hi @Barovsky and welcome to the community.

 

We’re aware of the issue and we’ll be working with industry to update software as appropriate over the coming weeks.

 

Many thanks,

 

Lee

by Barovsky Investigator

Re: Need to upgrade firmware of router

Hi,

Weeks?! That's not good enough. Apple, Cisco et al have already made a patch or an OS upgrade available. My wifi network is wide open to the world!

 

See this:

 https://www.krackattacks.com/

 Well at least anyone close by.

by Grand Master

Re: Need to upgrade firmware of router


@Barovsky wrote:

My wifi network is wide open to the world!


No, not the world; just those who can drive by your home within range.

__________________________________________________________________________________________
If you think I helped please feel free to hit the "Thumbs Up" button below.

To phone EE: The local rate landline number +44 207 362 0200 or Freephone +44 800 079 8586 - Option 1 for Mobiles; Option 2 for 4G WiFi; Option 3 for Home Broadband & EE TV.

ISPs: 1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC => 2014: EE 20 Meg WBC
by Grand Master

Re: Need to upgrade firmware of router

Only routers that are configured to act as clients to a central router really need patching.

by Barovsky Investigator

Re: Need to upgrade firmware of router

I spent the better part of an hour talking with EE's alleged technical support yesterday and not only had they not heard of it, they had no idea what I was talking about. They promised to phone me back and never did. Technical support? You're joking, surely.

 

Re your comment about a central router, well that's exactly what I have. When I'm in range, I use my phone via it. I use it to connect to various devices. Yes, you have to be in range, but so what?

by Grand Master

Re: Need to upgrade firmware of router

@Barovsky: Yes, your phone is vulnerable. It's a client to your BB router. What I'm saying is that the BB router is not in itself affected by this crack.

by Barovsky Investigator

Re: Need to upgrade firmware of router

Sorry, that's not true. It's the data stream that is unprotected because the encryption has been broken! Hence any data stream, to a phone, to a laptop, to my desktop machine, to my wireless speakers, are routes through to my data. This is why a firmware update is needed (BTW, I factory reset my router and noticed that the firmware is still dated 2014!) And why are EE using some company in Taiwan to supply their routers (Arcadyan) instead of a well-supported make?

 

Yes, you have to be in range to pick up the data stream, but your point is what? That nobody will ever be in range? Duh!

 

I quote from my hosting tech support:

 

The original reference here seems to be https://www.krackattacks.com/ and
it suggests that Android and Linux are especially prone. Basically, the
attack is in the 4 way handshake -- the protocol allows the 3rd shake to be
re-transmitted. 

You may want to assume that someone nearby can eavesdrop on your wifi
signal.

 

by Barovsky Investigator

Re: Need to upgrade firmware of router

I just got this from the tech support at my hosting co, make of it what you will:

 

EE is trying to shift responsibility here onto WiFi clients. In fact, both,
the host (WiFi router) and client are equally responsible. If anything, it
makes more sense to fix this at the router level through firmware update.
Android patch is coming out in November and that's for Google's latest OS
version. Given that, I wouldn't hold my breath for EE patching router
firmware.

That said, I don't think you should be overly concerned about the impact of
this vulnerability on you. The real-world impact is targeted man-in-the-middle
attacks against high profile targets and attacks against public WiFi
hotspots (connections that are generally assumed to be insecure anyway). 

If you are still concerned about this, I think a much easier route than the
Sisyphus' Task of getting EE to fix the firmware is to use a VPN or HTTPS
with some attention given to presented certs. Perhaps, a few months hence
the stock EE router will already have the patch included.
by Grand Master

Re: Need to upgrade firmware of router

Which hosting co?

by Barovsky Investigator

Re: Need to upgrade firmware of router

I don't think I'm at liberty to disclose that. Suffice to say, I've been with them for 14 years and I trust their skills.

by Grand Master

Re: Need to upgrade firmware of router

OK, I'm not questioning their skills, but their assumptions, and am just wondering where they got that EE is trying to shift responsibility?

by Barovsky Investigator

Re: Need to upgrade firmware of router

I suspect it's the statement (made by you?):

 

"Yes, your phone is vulnerable. It's a client to your BB router. What I'm saying is that the BB router is not in itself affected by this crack."

 

That led them to that conclusion, when in fact it's ANY wifi device including the router (of course) that's vulnerable. So by saying it's not the router but any device connected to it, EE avoids having to update the firmware on its routers. Else why would pretty much EVERY other router/PC maker/supplier be updating the firmware or OS, e.g. Cisco, Apple et al, if it wasn't necessary?

by Grand Master

Re: Need to upgrade firmware of router

I'm not EE. I'm a private individual like you. Have you misled your hosting co? Perhaps you need them to retract that statement.

by Barovsky Investigator

Re: Need to upgrade firmware of router

Well, that's my confusion, not the hosting company's, so they have nothing to apologise for. The statement reads as though it does come from EE, but if it's just your personal opinion then maybe you should have made that clear? Moreover, if it is just your personal opinion, what's it based on if not info from EE?

by Grand Master

Re: Need to upgrade firmware of router

Unless something comes from accredited staff it's always personal opinion / knowledge anywhere on the Internet. More fake news on the Net! 

by Barovsky Investigator

Re: Need to upgrade firmware of router

Fake news? I think not. Let's not go overboard here, KRACK is real. What's not real is EE's response (or lack of one), because their 'technical' dept is not fit for purpose.

 

The only reason I came here in the first place was because I got absolutely no joy at all from my interaction with EE.

by Grand Master

Re: Need to upgrade firmware of router

The following is by the researcher Mathy Vanhoef, who found the vulnerability, and is quoted from the Key Reinstallation Attacks web site:

 

"Q. What if there are no security updates for my router?

 

A. Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones."

by Barovsky Investigator

Re: Need to upgrade firmware of router

I found this on the same page:

 

The direction in which packets can be decrypted (and possibly forged) depends on the handshake being attacked. Simplified, when attacking the 4-way handshake, we can decrypt (and forge) packets sent by the client. When attacking the Fast BSS Transition (FT) handshake, we can decrypt (and forge) packets sent towards the client. (my emph. B)

Either way, as an EE customer, using an EE-supplied router and phone, and whether or not there's a greater or smaller risk via the router, it's incumbent on EE to keep up with these events and inform its customers in a timely fashion. The fact that EE tech support had no idea about KRACK (or about firmware patches for that matter, in fact, didn't even know what it was!), is in and of itself an indictment of EE's so-called customer support.

 

I'm paying a minimum of £50 a month for this 'support'.
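
Added example, not part of any post in this thread: a toy Python model of the point quoted above from krackattacks.com and from the hosting company's support, that message 3 of the 4-way handshake can be retransmitted, and that a client which reinstalls the same key on receiving it resets its nonce counter. The keystream function is a SHA-256 stand-in for CCMP, the class, key and frame contents are constructed for illustration, and the patched branch is a simplification of refusing to reinstall a key that is already in use.

```python
import hashlib

PTK = b"constructed-ptk-not-a-real-key!!"            # constructed sample key
P1, P2 = b"frame one: hello", b"frame two: world"    # constructed plaintexts

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    """SHA-256 stand-in for CCMP counter mode: depends only on (key, nonce)."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0

    def on_message3(self, ptk: bytes) -> None:
        # Patched behaviour (simplified): a key already in use is not reinstalled.
        if self.patched and self.key == ptk:
            return
        self.key = ptk
        self.nonce = 0          # installing a key resets the packet number

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def handshake_with_retransmit(patched: bool):
    """First message 3, one frame, a retransmitted message 3, another frame."""
    c = Client(patched)
    c.on_message3(PTK)
    first = c.send(P1)
    c.on_message3(PTK)          # retransmitted message 3
    second = c.send(P2)
    return first, second

def nonce_reused(frames) -> bool:
    nonces = [n for n, _ in frames]
    return len(nonces) != len(set(nonces))

if __name__ == "__main__":
    for patched in (False, True):
        (n1, c1), (n2, c2) = handshake_with_retransmit(patched)
        leaked = xor(c1, c2) == xor(P1, P2)   # keystream cancels when the nonce repeats
        print(f"patched={patched} nonces=({n1},{n2}) plaintext XOR exposed={leaked}")
```

In this model the state that goes wrong lives in the client, which is why updating laptops and phones closes the 4-way handshake case even when the access point's firmware is unchanged.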
