TM-AC1900 and KRACK WiFi vulnerability

alager12345

    Is there going to be a firmware update to protect against KRACK WiFi vulnerability attack vector?

     

    Here’s what you can do to protect yourself from the KRACK WiFi vulnerability | TechCrunch

     

    Thanks,

    Aaron

      All replies

      • someone@somewhere

        I am interested in when a fix will be provided for this, and from whom. Part of the problem is that the firmware on the TM version of the AC68U router is usually behind anyway. The most recent version for the ASUS regular model is 3.0.0.4.380.7743, which contains some very important fixes that the TM router at version 3.0.0.4.376_3181-g247286a doesn't even have. Even if Asus was to provide a fix for their regular commercial version of the router, how long will it take to come to the TM version?

         

        On an unrelated topic can someone tell me who thought it was a good idea to have the default communication to the management console of the router to go over HTTP and not HTTPS?  Having my password going over the network in cleartext almost gave me a heart attack.

        • tmo_marissa

          Re: TM-AC1900 and KRACK WiFi vulnerability

          Hey, alager12345 and someone@somewhere! Welcome, and thank you for calling this out. Your WiFi security and privacy are super important! We've passed this up the chain and are working on getting some concrete information. We will share what we hear back as soon as possible! Thank you so much again.

           

          - Marissa

          • tmo_marissa

            Re: TM-AC1900 and KRACK WiFi vulnerability

            OK, folks. So the response was pretty swift!


            Device manufacturers are developing and rolling out patches for this WPA2 protocol vulnerability. While we don't have timelines to offer, we do want to stress that we take security seriously, and we have a few suggestions and details to bear in mind in the interim. It's important to note that this vulnerability only affects WiFi routers and connected devices through 802.11, and attackers would need to be within Wi-Fi range to take advantage of this vulnerability. If Wi-Fi is disabled on your device, there is no issue. While manufacturers are developing patches, here are some suggestions for avoiding the threat (many of which are outlined in the article linked in the original post, but for the benefit of those who haven't read):

             

            • Don't use public Wi-Fi
            • Update devices with the latest software or turn on auto updates if optional. Since we can't say which equipment will receive updates first, it's important that all equipment be updated as soon as patches are available.
            • When possible, connect over encrypted channels such as HTTPS or VPN.
            • Use a wired connection if that's an option.

             

            If we hear more, we'll continue updating here!

             

            - Marissa

              • magenta2912235

                Thanks for responding so quickly! Hopefully ASUS is on the ball and gets an update out soon -- I imagine there's a lot of customers out there running with this router.

                • sohmageek3

                  Re: TM-AC1900 and KRACK WiFi vulnerability

                  Thanks Marissa, I too am a little concerned that the firmware for the router is behind the retail non-T-Mobile branded version. I'm hoping this can get patched pretty quickly, but I'm also worried that I may end up replacing it before the patch can be issued. I'm realizing how many devices my family uses with WiFi. Some only have WiFi; others can be used via a wired connection.

                   

                  Thanks again!

                    • tmo_marissa

                      Re: TM-AC1900 and KRACK WiFi vulnerability

                      I hear you! I honestly hadn't thought about exactly how many of our devices are connected via WiFi until this broke yesterday (whether that's naive or not, it's certainly the truth and I suppose a natural casualty of modern living). Streaming sticks, an Alexa device, a Roku TV, our family computer (nowhere near our router, of course), a tablet, laptops, and our phones. I don't know how normal this is for three generations under one roof, but it definitely doesn't seem abnormal in 2017 -- maybe I'm living in a tech industry bubble, but we are a very connected family.
                      All that said, our family's plan is to just keep updating all of our equipment as frequently as possible, since that's essentially the best plan of defense at this point. FWIW, if you're thinking of replacing your router *but* still in need of a coverage solution for in-home service, one of our internal teams could work to facilitate the return of the router and sending a 4G LTE CellSpot instead if your circumstances meet the technical requirements outlined on that page.

                      We don't have any new news about the ASUS router this morning, but as we hear of anything, we will definitely share.

                       

                      - Marissa

                  • eturk

                    Re: TM-AC1900 and KRACK WiFi vulnerability

                    most recent TM-AC1900 firmware is 3.0.0.4.376_3181-g247286a

                    seems that was from Jan 2015

                    many security vulnerabilities in almost 3 years have been patched by Asus but t-mo router stopped getting the patches

                     

                    we hope to see T-mo & Asus working together again & keeping this router updated

                      • theothernguyen

                        Re: TM-AC1900 and KRACK WiFi vulnerability

                        yeah. the equivalent to the TM-AC1900 is the Asus branded RT-AC68U which has Version 3.0.0.4.380.7743 last updated 2017/06/16... I don't think the rebranded TM-AC1900 has been getting any firmware updates at all seems like ever since release...

                         

                         

                        I am getting very tempted to just flash the firmware from TM-AC1900 to RT-AC68U or to a DD-WRT version so I can get the security firmware updates/patches..... hmmmm

                      • doc2480

                        Re: TM-AC1900 and KRACK WiFi vulnerability

                        I don't have a router through T-Mobile, but I am wondering if T-Mobile will be patching Android phones on November 6th to coincide with Google's timeline on fixing the KRACK vulnerability for Android.

                         

                        Microsoft already has a fix for that severe WiFi security exploit (updated)

                          • snn555

                            Re: TM-AC1900 and KRACK WiFi vulnerability

                            That patch will probably come with a security patch update from Google, as T-Mobile does not have anything to do with software updates. And of course you can depend on those updates being within three months, hopefully, of the original release date.

                              • snn555

                                Re: TM-AC1900 and KRACK WiFi vulnerability

                                I am unable to attach screenshots as they will not post; however, suffice to say that my router states it is on the most current firmware, and going to the Asus support site for this router, there are no drivers or tools listed anywhere for this router.

                            • snn555

                              Re: TM-AC1900 and KRACK WiFi vulnerability

                              Flashing Merlin or DD WRT will void your warranty and remember.....Tmobile owns these routers.

                               

                              That said I have FW 3.0.0.4.376_3181

                              • tmo_marissa

                                Re: TM-AC1900 and KRACK WiFi vulnerability

                                Hey all, it's the end of the day but I wanted to just check back in and let you know we've reached out to our contact who works specifically with the ASUS equipment to ask if we have any details to offer -- we will share whatever we hear back. In the interim, to check for any updates, you can follow these steps: upgrade firmware. I do think yours is the most recent for the T-Mobile device, snn555. Thanks for bearing with us!

                                 

                                - Marissa

                                • tmo_marissa

                                  Re: TM-AC1900 and KRACK WiFi vulnerability

                                  OK, guys! Thank you again so much for your patience. We heard back with some updates today. According to ASUS and Broadcom’s information, only the STA/repeater mode is impacted by this vulnerability. AP mode is not affected by this security issue. Since the TM-AC1900 firmware does not support repeater mode or media bridge mode, the TM-AC1900 should not be affected. TL;DR: in its default mode, the router we provide should be okay.
                                  That said, if ASUS feels that a patch is necessary, we'll let you know ASAP what we hear!

                                   

                                  - Marissa

                                    • eturk

                                      Re: TM-AC1900 and KRACK WiFi vulnerability

                                      sorry Marissa, you got conned by whoever you spoke with

                                       

                                      Check KRACK Attacks: Breaking WPA2 for first-hand truth about the KRACK attack they created to expose this vulnerability.

                                      "AP" mode means "access point" mode. Search for "access point" in the main page and you will see clearly that ALL modern WPA2 users are affected because of WPA2 basic security method.

                                       

                                      ALL WPA2 routers & clients are vulnerable in AP mode, the mode most of the world's routers are in.

                                       

                                      So sad we live in an age of alternative facts

                                        • amc2002

                                          Re: TM-AC1900 and KRACK WiFi vulnerability

                                          Looks like that's Asus' official line (see GitHub link below): "Additionally, an email response from "security@asus.com" says that they are "co-working with chipset vendors for solutions and will release patched firmware for affected routers soon. If your router is RT-N12 D1, RT-N66U, RT-AC66U, RT-AC68U, RT-AC3200, RT-AC88U, RT-AC3100, RT-AC5300 or GT-AC5300 then your router is not affected by the WPA2 vulnerability in router and AP mode."

                                           

                                          Since ours is based on the RT-AC68U, ASUS is actually claiming it's not affected. Wonder why?

                                           

                                          Link here: GitHub - kristate/krackinfo: Vendor Response Matrix for KRACK WPA2 (Key Reinstallation Attack)

                                            • tmo_marissa

                                              Re: TM-AC1900 and KRACK WiFi vulnerability

                                              eturk I definitely hope I have not been conned! amc2002 I feel like that "wonder why" is rhetorical, but thanks to the curse of interacting in a forum via text rather than in a medium where we can hear voice inflections, I feel obligated to respond even though I'm not exactly sure what was meant!   Please forgive me if this is super goofy and no reply was necessary.

                                              I haven't heard anything over here regarding why the router is/isn't affected, other than the info that ASUS provided originally which was passed on to me by our director who works with their products.

                                              On the same page as their official statement, it looks like they have an email address to contact -- if there's a concern that the information they've released to us and to other folks isn't accurate, I would definitely recommend reaching out, because I can not imagine that they want vulnerable equipment out there. If anyone does opt to do so, I would definitely be interested in hearing about the response you receive!

                                              In the meantime, I've forwarded the link to this thread, and the other link kindly provided below to support the general concern and ask for an update, regardless of Krack vulnerability for this product. I will keep everyone posted on any responses I receive! Thanks for staying so engaged here.

                                               

                                              - Marissa

                                                • amc2002

                                                  Re: TM-AC1900 and KRACK WiFi vulnerability

                                                  Marissa, the "wonder why" wasn't rhetorical at all. I believe eturk was wrong to say you were conned by your support staff. I was posting backup for you - that this was, indeed, Asus' response to this issue.

                                                   

                                                  My "wonder why" was in reference to the fact that Asus is claiming these particular routers ARE NOT affected by the KRACK issue. I'm curious why, since it seems almost every other WiFi router on the face of the planet is? I would love an answer from Asus actually as to why this is so, and why they claim that the RT-AC68U is not affected by this (and therefore, neither is the TM-AC1900). But I'm sure that answer would have to come from ASUS.

                                                   

                                                  Thanks for continuing to keep us up to date on this!

                                                    • tmo_marissa

                                                      Re: TM-AC1900 and KRACK WiFi vulnerability

                                                      amc2002, I thought that might be the case, but I didn't want to assume!

                                                      • eturk

                                                        Re: TM-AC1900 and KRACK WiFi vulnerability

                                                        I'm happy to be wrong!

                                                         

                                                        my dismay/concern with T-Mo not keeping our routers patched for vulnerabilities for over 2 years leaked out.

                                                         

                                                        hopefully an app will be created to test a router for the vulnerability so a user can avoid routers before connecting.

                                                        Only way to be sure.

                                                         

                                                        and, what specific version Asus firmware has this patch?

                                                        is TM-AC1900 updated with that patch level?

                                                          • tidbits

                                                            Re: TM-AC1900 and KRACK WiFi vulnerability

                                                            eturk wrote:

                                                             

                                                            I'm happy to be wrong!

                                                             

                                                            my dismay/concern with T-Mo not keeping our routers patched for vulnerabilities for over 2 years leaked out.

                                                             

                                                            hopefully an app will be created to test a router for the vulnerability so a user can avoid routers before connecting.

                                                            Only way to be sure.

                                                             

                                                            and, what specific version Asus firmware has this patch?

                                                            is TM-AC1900 updated with that patch level?

                                                            If your traffic is https then you got nothing to worry about at all. This only affects http traffic, and being 2017 all sites should already be using https. There is no fundamental reason not to use it. If a site isn't using https then they are not worth using this time and age.

                                                            • amc2002

                                                              Re: TM-AC1900 and KRACK WiFi vulnerability

                                                              @eturk said: "and, what specific version Asus firmware has this patch? is TM-AC1900 updated with that patch level?"

                                                               

                                                              That's the whole point - according to ASUS, it doesn't look like the Asus branded version of this router will be patched, since Asus is claiming it doesn't have a vulnerability.

                                                               

                                                              That said, it would be nice if the other patches came to this version. If T-Mobile has this router out in the field with their customers, it would be great if they could take their customers' privacy seriously and keep their router up-to-date and not just offer us a cell spot.

                                                               

                                                              Since T-Mobile's coverage has gotten so much better, many of us are just using this router for a *router* now.

                                                               

                                                              So either T-Mobile should get the firmware updated, or release us from any liability in paying for it, so we can update it with the ASUS firmware as needed.

                                                          • marcmarshall

                                                            Re: TM-AC1900 and KRACK WiFi vulnerability

                                                            Marissa,

                                                             

                                                            I called T-Mobile a week or 2 ago about this. This is an exploit where anyone in range of the router can clone the mac address of another device on the network and then use the network. It is because of a vulnerability in the WPA2 security protocol such that the devices do not need the password for handshakes after the initial log on. It certainly exists in all routers using the WPA2 security protocol in AP mode which is specifically used to connect with devices outside the network. There are many articles all over the internet to explain this. It is a universal exploit that requires a security patch by ALL manufacturers of current WiFi devices. I imagine it is also a vulnerability on your phones when people are using "hotspot" tethering.

                                                             

                                                            I think if you call ASUS back and ask to speak with someone who knows what they are talking about they will acknowledge the problem. No doubt they will patch all their own commercial devices first. I would guess that the T-Mo branded model will get faster attention if people at T-Mobile make some noise. After all they have been updating this router at all even though they have updates for their version of the same router.

                                                             

                                                            Thank you,

                                                            Marc

                                                              • tmo_marissa

                                                                Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                Hey, Marc!


                                                                I want to be super transparent, so bear with me (and forgive me if this is way more detail than you need)! Our Community team here work for the Support site, which is part of T-Mobile's content team. We reached out to colleagues who deliver the content on ASUS equipment (and all other things, internal or external). Since this was breaking news, they were working with ASUS already to get information that we could provide to our frontline teams, because we knew our customers would be concerned. It was through that email chain that we were given the update on the vulnerability (or lack thereof) of the router, and encouraged to share that information with our users here. Our internal content for T-Force has since been updated as well, so our frontline should now be able to provide the same answer -- I'm sorry if you heard something different when reaching out, and that's valuable feedback about our turnaround time. I will do a double check and make sure that Care and Tech also have access to the same information.

                                                                 

                                                                We have forwarded this link and another link provided upthread to a previous post about security update concerns for the router up via the same chain with all original members on it -- product managers and subject matter experts, so I promise that concerns are being passed on to folks on our side. Regarding the veracity of ASUS's statement about this specific router, on their Product Security Advisory site they have a contact email listed, so while we are doing what we can do to amplify your concerns, if you'd like to contact them directly I understand and want to make sure I'm giving that option!

                                                                 

                                                                - Marissa

                                                              • magenta2912235

                                                                Marissa,

                                                                 

                                                                To be somewhat blunt, can you please let your ASUS contact know that, if they're not interested in patching the firmware on this router, that I (and, I imagine, other T-Mobile customers) will refuse to purchase ASUS products in the future, and advise others not to purchase their products as well?

                                                                 

                                                                I'm guessing ASUS doesn't really care unless there's some hint that this might affect their bottom line, so ...

                                                        • sohmageek3

                                                          Re: TM-AC1900 and KRACK WiFi vulnerability

                                                          Marissa, that is good news for the KRACK vulnerability however I still would love to get an updated firmware. Over 2 Years without an update when there are vulnerabilities that are patched on the non-T-Mobile branded version is a little wrong. Generally I try to stay up on security and have eol’d networking equipment at home when there aren’t patches provided regularly.

                                                          1 of 1 people found this helpful
                                                          • snn555

                                                            Re: TM-AC1900 and KRACK WiFi vulnerability

                                                            [Image attachments: editedpost.jpg, Screenshot_2017-10-22-11-17-57.png]

                                                             

                                                            *edited by Marissa to make the screenshot Halloween-y (and PG)

                                                            • tidbits

                                                              Re: TM-AC1900 and KRACK WiFi vulnerability

                                                              Honestly, it's 2017; all websites should be using https://. If they are not, they are not worth using, and need to evaluate their online presence. This exploit doesn't work on https:// traffic.

                                                              • marcmarshall

                                                                Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                FYI all - I contacted ASUS this morning. I was told that they have not updated any of their routers to address the KRACK vulnerability but they are working on an update for their routers, including the TM-1900. There is no ETA on when this will happen.

                                                                4 of 4 people found this helpful
                                                                • eturk

                                                                  Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                  anyone here a Linux guru?

                                                                  found one potential way to test a router to see if it's vulnerable: KRACK Vulnerability Test - Test Your WiFi Router for KRACK (FT) - Root Said

                                                                    • amc2002

                                                                      Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                      If I have time tonight, I'll try it out. I have an old netbook (with WiFi) running Linux.

                                                                      • amc2002

                                                                        Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                        I tried the test on that page, but there are errors in the instructions. In one step, it says use wifi.conf, which is the config file you make with your login credentials. But in the second, it says use network.conf, which doesn't exist.

                                                                         

                                                                        I went to the original python script page (on Github) and found that you're supposed to use your network config file in both examples (they name it network.conf). So from there, I used the help contents of the attack script itself.

                                                                         

                                                                        I got the first wpa_supplicant command to run fine - it starts up the wifi network, but the wrapper for the test script says ctrl_iface is in use and it throws an error. I think this is probably OK though, but when I try to roam to another AP (I did the guest one), it says FAIL. Not sure why, and I can't seem to find online why it would fail.

                                                                         

                                                                        Anyway, I tried. If anyone else has a linux laptop and would like to try it, it should take you about ten minutes to see if it works correctly for you or not.

                                                                      • eturk

                                                                        Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                        Seems routers may not be as vulnerable but they could be modified to keep any device connecting to it from being vulnerable?

                                                                        KRACK Attacks: Breaking WPA2

                                                                         

                                                                        With so many mobile phones not getting updates for a while now, unless they get a security update they'll expose the network to a hack.

                                                                        • jackofly

                                                                          Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                          Me too, please fix it!

                                                                          • magenta2997940

                                                                            Dear T-Mobile, if you no longer wish to continue to support the CellSpot program, please let Asus release an update and convert it to AC68U.

                                                                            • magenta3036171

                                                                              Asus seems to have released a new firmware: Version 3.0.0.4.380.7743_FBWIFI 2017/10/19

                                                                              • amc2002

                                                                                Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                Hi Everyone,


                                                                                I wrote to ASUS support asking why they are claiming this model is not vulnerable to the KRACK issue. Received a response this morning and would like to share. Relevant part in BOLD.

                                                                                 

                                                                                Hi,

                                                                                 

                                                                                Krack needs to use key re-insertion method, RT-AC68U router/AP mode used Broadcom network authentication server, and key re-insertion does not work in router/AP mode.

                                                                                 

                                                                                In the research’s web site, there is more information for this case: https://www.krackattacks.com/

                                                                                 

                                                                                “Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates (also see this question). We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.”

                                                                                 

                                                                                 

                                                                                Best regards,

                                                                                ASUS Security | ©ASUSTeK Computer Inc.

                                                                                1 of 1 people found this helpful
                                                                                  • snn555

                                                                                    Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                    So basically we can close this thread because everyone is safe and the only thing we could ask for would be more timely updates.

                                                                                    1 of 1 people found this helpful
                                                                                      • tmo_marissa

                                                                                        Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                        Thanks for sharing that, amc2002! It's awesome to have a more thorough explanation of the particular vulnerability (or lack thereof) that Krack would take advantage of, especially directly from Asus.
                                                                                        I still want to make sure everyone knows that we appreciate the feedback regarding security updates *in general* and have forwarded it all on. If at any point I hear anything back about an upcoming update for the TM-AC1900, please believe me when I say I will be stoked to return here and deliver news.
                                                                                        <3

                                                                                        1 of 1 people found this helpful
                                                                                          • sohmageek3

                                                                                            Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                            While this is GREAT news regarding KRACK, it still is extremely concerning that there have been no updates for years for the T-Mobile branded one, while the retail Asus one has had updates. I hope that the urgency has not faded now that we have been told KRACK is a non-issue with this device.

                                                                                            1 of 1 people found this helpful
                                                                                      • eturk

                                                                                        Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                        Here's the specific KRACK:

                                                                                         

                                                                                        "The silver lining is that WPA2 is NOT fundamentally broken, and that this flaw is relatively easy to fix by eliminating the resending of one-time keys. Vanhoef noted that Windows and iOS are less affected because they do not accept one-time keys that have been sent more than once. However, those platforms are still vulnerable to more creative versions of this attack."

                                                                                        KRACK Attack Threatens All Wi-Fi Networks: What to Do

                                                                                         

                                                                                        So it seems routers can be patched so they no longer send the key more than once? That would protect all devices on the LAN from being vulnerable to the attack? A second level of patch for all those devices that won't get updates (like older T-Mo phones)? Is this already the patch on TM-AC1900? Techies here, please help clarify this.
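Added example (not part of any post in this thread, and not ASUS, T-Mobile or researcher code): a simplified Python model of the client-side behaviour the quote above describes, where a client that accepts a retransmitted handshake message 3 reinstalls the same session key and restarts its packet-number (nonce) counter, while a patched client refuses the reinstall. The `Supplicant` class, the SHA-256 based toy keystream and the sample frames are all constructed assumptions standing in for a real 802.11 stack.

```python
"""Toy model of a Wi-Fi client handling (re)transmitted handshake message 3.
Constructed for illustration only; this is not real 802.11/CCMP code."""
import hashlib
from typing import List, Optional, Tuple

Frame = Tuple[int, bytes]  # (nonce / packet number, ciphertext)

# Constructed sample plaintexts, all the same length.
SAMPLE_PLAINTEXTS = [b"frame-A: hello", b"frame-B: world", b"frame-C: again"]


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Stand-in stream cipher: the keystream depends only on (key, nonce)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Hypothetical client. reject_reinstall=True models a patched client."""

    def __init__(self, reject_reinstall: bool) -> None:
        self.reject_reinstall = reject_reinstall
        self.key: Optional[bytes] = None
        self.next_nonce = 0

    def on_message3(self, session_key: bytes) -> bool:
        """Process message 3; return True if the key was (re)installed."""
        if self.reject_reinstall and session_key == self.key:
            # Patched behaviour: the key is already in use, so keep the
            # current nonce counter instead of starting over at zero.
            return False
        self.key = session_key
        self.next_nonce = 0  # installing a key resets the packet number
        return True

    def send(self, plaintext: bytes) -> Frame:
        if self.key is None:
            raise RuntimeError("no session key installed")
        nonce = self.next_nonce
        self.next_nonce += 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))


def run_session(reject_reinstall: bool) -> List[Frame]:
    """Two frames, then a retransmitted message 3, then a third frame."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Supplicant(reject_reinstall)
    client.on_message3(key)                      # normal handshake
    frames = [client.send(SAMPLE_PLAINTEXTS[0]),
              client.send(SAMPLE_PLAINTEXTS[1])]
    client.on_message3(key)                      # same message 3 seen again
    frames.append(client.send(SAMPLE_PLAINTEXTS[2]))
    return frames


def reused_nonces(frames: List[Frame]) -> List[int]:
    """Nonces that protect more than one frame under the same key."""
    seen, reused = set(), set()
    for nonce, _ in frames:
        if nonce in seen:
            reused.add(nonce)
        seen.add(nonce)
    return sorted(reused)


if __name__ == "__main__":
    for label, patched in (("unpatched", False), ("patched", True)):
        frames = run_session(patched)
        print(label, "nonces:", [n for n, _ in frames],
              "reused:", reused_nonces(frames))
```

In the unpatched run the first and third frames share a nonce, so XORing their ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; in the patched run the counter keeps advancing and no nonce repeats.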

                                                                                         

                                                                                          • tidbits

                                                                                            Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                            It does very little at all.  This thing is blown out of proportion imho.  As long as your traffic is https: you'll be fine 100% even if the device isn't patched.  It is now 2017 and every website should be using https: traffic.  If they are not then they are honestly not worth using because it does not cost them extra to go this way.

                                                                                              • snn555

                                                                                                Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                This is getting a little hairy scary. I'm content checking with the router updater and on this thread from time to time to check for any developments. After all, this was a free router, and I do understand the need to update and keep up with demand over time; however, it was free, and most all of the websites I visit, if not all, are https. Plus I don't really have anybody snooping and sniffing around to get on to my WiFi so there's that.

                                                                                                  • tidbits

                                                                                                    Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                    snn555 wrote:

                                                                                                     

                                                                                                    This is getting a little hairy scary. I'm content checking with the router updater and on this thread from time to time to check for any developments. After all, this was a free router, and I do understand the need to update and keep up with demand over time; however, it was free, and most all of the websites I visit, if not all, are https. Plus I don't really have anybody snooping and sniffing around to get on to my WiFi so there's that.

                                                                                                    You should be telling those websites that don't use https traffic to start using it.  There was no reason not to switch to it as soon as it became available.  All internet related things support it, and it doesn't cost extra to use it.  Some websites do have https sites, but these websites don't redirect to them and leave people on their http websites. Manually input the address with https and see if you connect, and if it does, then bookmark that one instead of their http website.

                                                                                              • marcmarshall

                                                                                                Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                This thread seems to have been hijacked by the HTTPS concern of a poster. Can we please stay on topic? (moderator??).

                                                                                                 

                                                                                                It has been a couple months now since the KRACK exploit was exposed. I just checked on the ASUS website and there is a firmware patch for the KRACK exploit available on the download page for the AC68U router.  This TM-AC1900 is just a re-branded version of the RT-AC69U with some software changes to support T-MO cellspot.

                                                                                                 

                                                                                                I also see that since the last firmware update for the TM-AC1900, which I think was in 10/2015, there have been about 14 firmware updates for the AC68U.

                                                                                                This router looks to be "orphaned" and support has apparently been halted. I think that is on T-Mobile. I do not think this will be remedied unless T-Mobile works with ASUS to get them to continue support for the routers that they purchased from them.

                                                                                                 

                                                                                                T-Mobile please take some action on this!

                                                                                                 

                                                                                                Note to moderator: Since this thread has been sidetracked I will repost this to new thread if I do not get a response.

                                                                                                  • snn555

                                                                                                    Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                    All comments in the thread thus far are valid and germane to the topic at hand. Also to note, Apple and Android have both released patches for recent phones through a security patch for this issue. There is no cause to create yet another thread on this topic. The topic is anchored in this thread and any new information will be communicated via this thread.

                                                                                                    • tidbits

                                                                                                      Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                      marcmarshall wrote:

                                                                                                       

                                                                                                      This thread seems to have been hijacked by the HTTPS concern of a poster. Can we please stay on topic? (moderator??).

                                                                                                       

                                                                                                      It has been a couple months now since the KRACK exploit was exposed. I just checked on the ASUS website and there is a firmware patch for the KRACK exploit available on the download page for the AC68U router. This TM-AC1900 is just a re-branded version of the RT-AC69U with some software changes to support T-MO cellspot.

                                                                                                       

                                                                                                      I also see that since the last firmware update for the TM-AC1900, which I think was in 10/2015, there have been about 14 firmware updates for the AC68U.

                                                                                                      This router looks to be "orphaned" and support has apparently been halted. I think that is on T-Mobile. I do not think this will be remedied unless T-Mobile works with ASUS to get them to continue support for the routers that they purchased from them.

                                                                                                       

                                                                                                      T-Mobile please take some action on this!

                                                                                                       

                                                                                                      Note to moderator: Since this thread has been sidetracked I will repost this to new thread if I do not get a response.

                                                                                                      That's on topic.  This is about the KRACK exploit is it not?  People are looking for it to be patched when HTTPS traffic should have died YEARS ago.  This is the field I work in and the media is blowing it out of proportion.  The most ironic thing is a lot of websites went to https traffic as soon as this exploit went public when they learned that https traffic is not affected. This would be a non issue if everyone used https traffic which any security expert worth his job will tell you.

                                                                                                      • amc2002

                                                                                                        Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                        Wow. You're right. Patch released yesterday for the RT-AC68U, despite the fact that Asus support told me that it wasn't necessary, that this router was not affected by this issue.

                                                                                                         

                                                                                                        I fully expect T-Mobile to follow up on this now and make sure our routers are patched.

                                                                                                         

                                                                                                        From the Asus site:

                                                                                                         

                                                                                                        Version 3.0.0.4.382.18547 | 2017/11/10 | 40.6 MBytes

                                                                                                        ASUS RT-AC68U Firmware version 3.0.0.4.382.18547
                                                                                                        Security fixed
                                                                                                        - Fixed KRACK vulnerability
                                                                                                        - Fixed CVE-2017-14491: DNS - 2 byte heap based overflow
                                                                                                        - Fixed CVE-2017-14492: DHCP - heap based overflow
                                                                                                        - Fixed CVE-2017-14493: DHCP - stack based overflow
                                                                                                        - Fixed CVE-2017-14494: DHCP - info leak
                                                                                                        - Fixed CVE-2017-14495: DNS - OOM DoS
                                                                                                        - Fixed CVE-2017-14496: DNS - DoS Integer underflow
                                                                                                        - Fixed CVE-2017-13704 : Bug collision
                                                                                                        - Fixed predictable session tokens, logged user IP validation, Logged-in information disclosure (special thanks for Blazej Adamczyk contribution)
                                                                                                        - Fixed web GUI authorization vulnerabilities.
                                                                                                        - Fixed AiCloud XSS vulnerabilities

                                                                                                         

                                                                                                        New features
                                                                                                        - HDD Hibernation
                                                                                                        - URL filter black/white list
                                                                                                        - Bandwidth limiter on guest network
                                                                                                        - URL filter support https website

                                                                                                        1 of 1 people found this helpful
                                                                                                      • polsar

                                                                                                        Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                        So now that ASUS has provided the patch (11/10/2017) we should see an update from T-Mobile, I'd hope soon?  Or a replacement router?  Otherwise they are exposing all their users to a significant security vulnerability.

                                                                                                         

                                                                                                        The firmware is here:

                                                                                                        RT-AC1900 BIOS & FIRMWARE| Networking | ASUS USA

                                                                                                          • tidbits

                                                                                                            Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                            polsar wrote:

                                                                                                             

                                                                                                            So now that ASUS has provided the patch (11/10/2017) we should see an update from T-Mobile, I'd hope soon? Or a replacement router? Otherwise they are exposing all their users to a significant security vulnerability.

                                                                                                             

                                                                                                            The firmware is here:

                                                                                                            RT-AC1900 BIOS & FIRMWARE| Networking | ASUS USA

                                                                                                            It's blown out of proportion...  WAY out of proportion...

                                                                                                             

                                                                                                            You guys need to understand the difference between http and https traffic and how WPA plays a role in said traffic.  Also how one needs to take advantage of this exploit.  Companies are patching it because people got caught up in the media hype that security firms are pushing to get their names in the media for advertising. 

                                                                                                             

                                                                                                            As long as you use https traffic you are fine.  Every website should be using https right now, and there is no excuse for them not to use it.  Some websites for some reason or another do not direct you to their https pages, but often you'd have to manually go there yourself.  BluBorne is a much more critical exploit that deserves this kind of attention.

                                                                                                              • amc2002

                                                                                                                Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                You've made your point @tidbits, and the bottom line is this:

                                                                                                                 

                                                                                                                1) Sites still use http. You can whine and complain that everyone should be using https, but the fact is, they're not. People aren't going to restrict themselves to sites that only use https either. I can whine and complain that people go 50mph in the left lane as well, but you can't change the world.

                                                                                                                2) T-Mobile handed out, leased, or sold these routers to its customers. There have been MANY MANY security updates that resolve other important issues that should LONG AGO have been pulled over to this T-Mo branded router.

                                                                                                                3) If T-Mobile doesn't want to continue to support these routers, they should release those of us who put a deposit on them years ago from our obligations and just let us flash them to the updated Asus firmware.


                                                                                                                It's not just about http vs. https traffic. This is about supporting a customer base that has not been supported properly by T-Mobile on one of its products.

                                                                                                                 

                                                                                                                We've heard your arguments. You've made your case. I'm hoping you'll hear mine and realize the world doesn't always do what is right or proper. People are going to continue to use sites that use http, because there are still many many of them out there.

                                                                                                                1 of 1 people found this helpful
                                                                                                                  • magenta2997940

                                                                                                                    Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                    100 % Agree!!! Come on TMO

                                                                                                                    • tidbits

                                                                                                                      Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                      amc2002 wrote:

                                                                                                                       

                                                                                                                      You've made your point @tidbits, and the bottom line is this:

                                                                                                                       

                                                                                                                      1) Sites still use http. You can whine and complain that everyone should be using https, but the fact is, they're not. People aren't going to restrict themselves to sites that only use https either. I can whine and complain that people go 50mph in the left lane as well, but you can't change the world.

                                                                                                                      Almost every website has https versions.  Some are not configured correctly and by you putting https in the browser itself fixes the issue for that site.  If it doesn't then the site isn't worth using if you have to enter in vital information.  If you don't then it doesn't matter.  If you have facebook and display everything publicly then you'd be worse off continuing to use facebook than the exploit.

                                                                                                                      2) T-Mobile handed out, leased, or sold these routers to its customers. There have been MANY MANY security updates that resolve other important issues that should LONG AGO have been pulled over to this T-Mo branded router.

                                                                                                                      A person has the right to stop using these a long time ago.  People don't need these really and last I remember these were NEVER sold and were handed out like candy to be a stop gap for wifi calling and not an actual wifi router replacement.

                                                                                                                      3) If T-Mobile doesn't want to continue to support these routers, they should release those of us who put a deposit on them years ago from our obligations and just let us flash them to the updated Asus firmware.

                                                                                                                      A person could return them and get their deposits back right?  Then a person can buy and do what they want with their replacements.

                                                                                                                      It's not just about http vs. https traffic. This is about supporting a customer base that has not been supported properly by T-Mobile on one of its products.

                                                                                                                      It's about a person doing what is needed to protect themselves.  When are you going to stop playing the victim and do what is needed for yourself and stop relying on others to do it for you.

                                                                                                                      We've heard your arguments. You've made your case. I'm hoping you'll hear mine and realize the world doesn't always do what is right or proper. People are going to continue to use sites that use http, because there are still many many of them out there.

                                                                                                                        • snn555

                                                                                                                          Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                          Honestly I can see both sides of the argument. TMobile does need to address the situation of updates for this hardware in general. If they're not going to then they just need to state so. I don't believe they need to go through the whole effort of releasing deposits and allowing people to flash. I believe they either update it or they don't and then the customer decides whether they want to continue using the equipment or not. It is up to each person to do what they can to protect themselves.

                                                                                                                           

                                                                                                                          But again I see both sides and while I personally would like to see some updates, if T-Mobile is not going to update then they either need to let us know there are no more updates and let us decide whether we will continue to use these routers in the fashion that they presently are in or request the equipment to be returned unaltered.

                                                                                                                           

                                                                                                                          Stating that I don't believe TMobile should be held accountable for what a consumer does outside of the terms of use of the equipment. If TMobile were to release this equipment and allow consumers to flash and modify at will it should not be expected that TMobile would support that equipment.

                                                                                                                           

                                                                                                                          So in the end better communication as far as the intention of what is to be done for this equipment going forward needs to be expressed. Consumers need to decide whether or not they want to continue to wait for updates and if not return the router and buy something they are happy with. At this point in time the router has been out for quite some time so buying a mid-level product today is much like buying this top-shelf router from years past.

                                                                                                                           

                                                                                                                          It should also be stated that T-Mobile has a lot of capital wrapped up in this equipment which was used to offload network traffic, thereby making the network more efficient. However it also served a purpose with consumers to save $200 on a router and expand their service with wifi calling. So both sides profited.

                                                                                                                           

                                                                                                                          TMobile would have to decide whether or not it is worth having the equipment returned and having a certain number of customers no longer using it and putting the traffic back on the network. However with unlimited data that might be a shot to the foot. Also to state that with the network being expanded as much as it has been as of late WiFi calling is not as much a necessity for as many people as it used to be. That's not to say there aren't people elsewhere who need wifi calling but with as much of this equipment as there is that has been passed out over the years TMobile has to decide whether to take the loss on the equipment or to continue to provide support for it to bolster the network and offload network traffic onto ISPs. But again most people still need a router so there's that.

                                                                                                                            • magenta3036171

                                                                                                                              Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                              A couple of things to try: if you are using Chrome, install HTTPS Everywhere, and I believe Firefox has a similar plugin. I am not sure if a similar plugin is available for Safari (MacOSX) or IE/Edge. That will help with what @tidbits seems to be saying, but that only addresses the case where all you do is spend time in the browser. I do not know about other folks, but I use my computer for a lot more than just browsing the Internet.

                                                                                                                               

                                                                                                                              It would be great if T-Mobile had a position on what their plans are with the ac1900, so current users can make an informed decision on returning the router and moving on to reduce the risk.

                                                                                                                            • amc2002

                                                                                                                              Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                              >>>It's about a person doing what is needed to protect themselves.  When are you going to stop playing the victim and do what is needed for yourself and stop relying on others to do it for you.<<<

                                                                                                                               

                                                                                                                              Wow. Brilliant. Are you kidding me with this? Since when is asking a company to maintain security updates "playing the victim" and "relying on others to do it for [me]?"

                                                                                                                               

                                                                                                                              Get real. The ASUS version of this router is patched. The T-Mobile one isn't. T-Mobile gave/rented/sold these routers (and yes, they DID, in fact, sell them at one point) to customers to make up for coverage issues. ASUS is protecting its customers. T-Mobile should be doing the same. Simple as that.

                                                                                                                            • tmo_marissa

                                                                                                                              Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                              Hey folks,

                                                                                                                               

                                                                                                                              Just wanted to touch base here and let you all know I reached back out again to see if there's any news we can share about upcoming updates to the TM-AC1900. Thanks for staying engaged here -- we'll let you know as soon as we hear back!

                                                                                                                               

                                                                                                                              Marissa

                                                                                                                        • eturk

                                                                                                                          Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                          @tidbits et al... please stop distracting from this specific thread topic: The TM-AC1900 is VULNERABLE. period!

                                                                                                                          This is clearly verified by Asus releasing a firmware update on Nov 11, 2017 to "fix KRACK vulnerability"

                                                                                                                          RT-AC68U Driver & Tools | Networking | ASUS USA

                                                                                                                           

                                                                                                                          There are probably THOUSANDS of customers with this vulnerable router that has not had any vulnerabilities patched in over 2 years! Those thousands are not reading this and can't be expected to verify every connection is https. That's absurd!

                                                                                                                           

                                                                                                                          It's simple, we are waiting for a firmware update from T-Mobile. Any other discussion is an attempt to distract or insult the customers.
                                                                                                                          Please get us an answer from John Legere.

                                                                                                                          Thanks, T-Mo team! Let's see that award-winning customer service.

                                                                                                                            • stevetjr

                                                                                                                              Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                              eturk wrote:

                                                                                                                               

                                                                                                                              @tidbits et al... please stop distracting from this specific thread topic: The TM-AC1900 is VULNERABLE. period!

                                                                                                                              This is clearly verified by Asus releasing a firmware update on Nov 11, 2017 to "fix KRACK vulnerability"

                                                                                                                              https://www.asus.com/us/Networking/RTAC68U/HelpDesk_Download/

                                                                                                                              And how long did it take for ASUS to do their own update on this? Everyone has been screaming since the exploit was announced, and it's been just 11 days since ASUS "fixed" the somewhat equivalent model that has their name on it.

                                                                                                                               

                                                                                                                               

                                                                                                                               

                                                                                                                              It's simple, we are waiting for a firmware update from T-Mobile. Any other discussion is an attempt to distract or insult the customers.
                                                                                                                              Please get us an answer from John Legere.

                                                                                                                               

                                                                                                                              Who do you think ASUS is going to prioritize for updates? You think they are going to focus on a contract version of their router which has some custom code in it, or do you think they are going to utilize their engineering/programming department to focus on their own product line first? It's the same when everyone screams at TMO for not updating their phones when some other carrier gets an update first, but of course the same folks don't say boo when TMO happens to be the first or one of the first carriers to get an update. TMO doesn't make any of these products, nor do they write the code or even have the source code for these products, so they are dependent on their partners and/or manufacturers of the products they sell to fix them. If you have a recall on your car, yes, the dealer ends up fixing it, but if the manufacturer doesn't have a fix or enough parts, is it the dealer's fault??

                                                                                                                               

                                                                                                                            • wooshu

                                                                                                                              Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                              Chiming in to thank Marissa, amc2002, etc for all the input that helped me in researching this router, which I did end up buying, though I'm not a T-Mobile customer, and specifically to install Tomato firmware on it.  Marissa, I hope you're being paid.  You are a goddess of customer service. 

                                                                                                                               

                                                                                                                              I also wanted to say that if you read back through all this thread, amc2002's post on Oct 31, 2017 2:38 PM shows that key-reinsertion (KRACK stands for key reinsertion attack) has always been disabled in router/AP mode.  The RT-AC68U needed a firmware patch because it makes available the repeater and bridge modes.  Marissa's post on Oct 18, 2017 3:29 PM shows that repeater and bridge modes aren't available in the TM-AC1900 firmware, so there’s nothing to patch in relation to KRACK.

                                                                                                                               

                                                                                                                              What you should be worrying about is the patch date on your Android phone anytime you’re near wifi….

                                                                                                                              • wooshu

                                                                                                                                Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                                Sorry, I was going by what had been said, and didn’t take a good look at the stock firmware on this router before replacing it.  I think we’re getting confused between AP/Bridge mode and STA/Repeater mode.  Repeater mode is often referred to as a bridge, but the Asus/Broadcom engineers are making a distinction, and referring to things as AP (access point) or STA (station) modes.  Marissa did say in her Oct 18, 2017 3:29 PM post that “TM-AC1900 firmware does not support repeater mode or media bridge mode”, but first she said “According to ASUS and Broadcom’s information, only the STA/repeater mode is impacted by this vulnerability. AP mode is not affected”

                                                                                                                                 

                                                                                                                                To illustrate the difference between AP and STA modes I’ve taken screenshots from my old router which now has Asuswrt-Merlin on it, an Asus firmware variant that will look similar to what you have with the T-Mobile variant, but includes the STA/Repeater option.

                                                                                                                                 

                                                                                                                                “In Repeater mode, [the router] wirelessly connects to an existing wireless network to extend the wireless coverage. In this mode, the firewall, IP sharing, and NAT functions are disabled.”

                                                                                                                                 

                                                                                                                                The 2nd wifi broadcast link is where the vulnerability lies.  If you have this available in your firmware, you need a patch for KRACK.

                                                                                                                                 

                                                                                                                                “[The router] can be configured in Media Bridge mode. The Media Bridge mode provides the fastest Wi-Fi connection for multiple media devices simultaneously. To set up the Media Bridge mode, you need two [routers]: one configured as the Media station and the other as a router. Configure one [router] as a router and another [router] as a Media Bridge to provide a simultaneous Wi-Fi connection for your media devices such as computer, Smart TV, game console, DVR, or media player via Ethernet cable. Change to Media Bridge mode to provide a simultaneous Wi-Fi connection for your media devices.

                                                                                                                                In Media Bridge mode, only wireless devices connect to the P-AP [primary access point?]. Client devices need to be connected to the Media Bridge with a network cable.”

                                                                                                                                 

                                                                                                                                This has only one wifi broadcast link.  If you have this, but not STA/Repeater mode, you don’t need a patch for KRACK.

                                                                                                                                I hope this helps.  Thanks again for your help.  I think that’s all I have time for on this thread, so wooshu out.

                                                                                                                                • jonomite

                                                                                                                                  Re: TM-AC1900 and KRACK WiFi vulnerability

                                                                                                                                  This has been a very useful read. So, if I were to try to boil it all down to a bottom line: if you use this router in Wireless router mode--i.e., the default mode--then it's not vulnerable to KRACK?