All replies

    • marcmarshall

      This thread seems to have been hijacked by the HTTPS concern of a poster. Can we please stay on topic? (moderator??).

       

      It has been a couple months now since the KRACK exploit was exposed. I just checked on the ASUS website and there is a firmware patch for the KRACK exploit available on the download page for the AC68U router.  This TM-AC1900 is just a re-branded version of the RT-AC69U with some software changes to support T-MO cellspot.

       

      I also see that since the last firmware update for the TM-AC1900, which I think was in10/2015, there have been about 14 firmware updates for the AC68U.

      This router looks to be "orphaned" and support has apparently been halted. I think that is on T-Mobile. I do not think this will be remedied unless T-Mobile works with ASUS to get them to continue support for the routers that they purchased from them.

       

      T-Mobile please take some action on this!

       

      Note to moderator: Since this thread has been sidetracked I will repost this to new thread if I do not get a response.

      • snn555

        76. Re: TM-AC1900 and KRACK WiFi vulnerability

        All comments in the thread thus far are valid and Germaine to the topic at hand. Also to note Apple and Android have both released patches for recent phones through a security patch for this issue. There is no cause to create yet another thread on this topic. The topic is anchored in this thread and any new information will be communicated via this thread.

        • tidbits

          77. Re: TM-AC1900 and KRACK WiFi vulnerability

          marcmarshall wrote:

           

          This thread seems to have been hijacked by the HTTPS concern of a poster. Can we please stay on topic? (moderator??).

           

          It has been a couple months now since the KRACK exploit was exposed. I just checked on the ASUS website and there is a firmware patch for the KRACK exploit available on the download page for the AC68U router. This TM-AC1900 is just a re-branded version of the RT-AC69U with some software changes to support T-MO cellspot.

           

          I also see that since the last firmware update for the TM-AC1900, which I think was in10/2015, there have been about 14 firmware updates for the AC68U.

          This router looks to be "orphaned" and support has apparently been halted. I think that is on T-Mobile. I do not think this will be remedied unless T-Mobile works with ASUS to get them to continue support for the routers that they purchased from them.

           

          T-Mobile please take some action on this!

           

          Note to moderator: Since this thread has been sidetracked I will repost this to new thread if I do not get a response.

          That's on topic.  This is about the KRACK exploit is it not?  People are looking for it to be patched when HTTPS traffic should have died YEARS ago.  This is the field I work in and the media is blowing it out of proportion.  The most ironic thing is a lot of websites went to https traffic as soon as this exploit went public when they learned that https traffic is not affected. This would be a non issue if everyone used https traffic which any security expert worth his job will tell you.

          • amc2002

            78. Re: TM-AC1900 and KRACK WiFi vulnerability

            Wow. You're right. Patch released yesterday for the RT-AC68U, despite the fact that Asus support told me that it wasn't necessary, that this router was not affected by this issue.

             

            I fully expect T-Mobile to follow up on this now and make sure our routers are patched.

             

            From the Asus site:

             

            Version 3.0.0.4.382.185472017/11/1040.6 MBytes

            ASUS RT-AC68U Firmware version 3.0.0.4.382.18547
            Security fixed
            - Fixed KRACK vulnerability
            - Fixed CVE-2017-14491: DNS - 2 byte heap based overflow
            - Fixed CVE-2017-14492: DHCP - heap based overflow
            - Fixed CVE-2017-14493: DHCP - stack based overflow
            - Fixed CVE-2017-14494: DHCP - info leak
            - Fixed CVE-2017-14495: DNS - OOM DoS
            - Fixed CVE-2017-14496: DNS - DoS Integer underflow
            - Fixed CVE-2017-13704 : Bug collision
            - Fixed predictable session tokens, logged user IP validation, Logged-in information disclosure (special thanks for Blazej Adamczyk contribution)
            - Fixed web GUI authorization vulnerabilities.- Fixed AiCloud XSS vulnerabilities

             

            New features
            - HDD Hibernation
            - URL filter black/white list
            - Bandwidth limiter on guest network
            - URL filter support https website

            1 of 1 people found this helpful
            • polsar

              79. Re: TM-AC1900 and KRACK WiFi vulnerability

              So now that ASUS has provided the patch (11/10/2017) we should see an update from tmobile i'd hope soon?  Or a replacement router?  Otherwise they are exposing all their users to a significant security vulnerability.

               

              The firmware is here:

              RT-AC1900 BIOS & FIRMWARE| Networking | ASUS USA

              • tidbits

                80. Re: TM-AC1900 and KRACK WiFi vulnerability

                polsar wrote:

                 

                So now that ASUS has provided the patch (11/10/2017) we should see an update from tmobile i'd hope soon? Or a replacement router? Otherwise they are exposing all their users to a significant security vulnerability.

                 

                The firmware is here:

                RT-AC1900 BIOS & FIRMWARE| Networking | ASUS USA

                It's blown out of proportion...  WAY out of proportion...

                 

                You guys need to understand the difference between http and https traffic and how WPA plays a role in said traffic.  Also how one needs to take advantage of this exploit.  Companies are patching it because people got caught up in the media hype that security firms are pushing to get their names in the media for advertising. 

                 

                As long as you use https traffic you are fine.  Every website should be using https right now, and there is no excuse not for them to use it.  Some websites for some reason or another do not direct you to their https pages, but often you'd have to manually go there yourself.  BluBorne is a much more critical exploit that deserves this kind of attention.

                • amc2002

                  81. Re: TM-AC1900 and KRACK WiFi vulnerability

                  You've made your point @tidbits, and the bottom line is this:

                   

                  1) Sites still use http. You can whine and complain that everyone should be using https, but the fact is, they're not. People aren't going to restrict themselves to sites that only use https either. I can whine and complain that people go 50mph in the left lane as well, but you can't change the world.

                  2) T-Mobile handed out, leased, or sold these routers to its customers. There have been MANY MANY security updates that resolve other important issues that should LONG AGO have been pulled over to this T-Mo branded router.

                  3) If T-Mobile doesn't want to continue to support these routers, they should release those of us who put a deposit on them years ago from our obligations and just let us flash them to the updated Asus firmware.


                  It's not just about http vs. https traffic. This is about supporting a customer base that has not been supported properly by T-Mobile on one of its products.

                   

                  We've heard your arguments. You've made your case. I'm hoping you'll hear mine and realize the world doesn't always do what is right or proper. People are going to continue to use sites that use http, because there are still many many of them out there.

                  1 of 1 people found this helpful
                  • magenta2997940

                    82. Re: TM-AC1900 and KRACK WiFi vulnerability

                    100 % Agree!!! Come on TMO

                    • tidbits

                      83. Re: TM-AC1900 and KRACK WiFi vulnerability

                      amc2002 wrote:

                       

                      You've made your point @tidbits, and the bottom line is this:

                       

                      1) Sites still use http. You can whine and complain that everyone should be using https, but the fact is, they're not. People aren't going to restrict themselves to sites that only use https either. I can whine and complain that people go 50mph in the left lane as well, but you can't change the world.

                      Almost every website has https versions.  Some are not configured correctly and by you putting https in the browser itself fixes the issue for that site.  If it doesn't then the site isn't worth using if you have to enter in vital information.  If you don't then it doesn't matter.  If you have facebook and display everything publicly then you'd be worse off continuing to use facebook than the exploit.

                      2) T-Mobile handed out, leased, or sold these routers to its customers. There have been MANY MANY security updates that resolve other important issues that should LONG AGO have been pulled over to this T-Mo branded router.

                      A person has the right to stop using these a long time ago.  People don't need these really and last I remember these were NEVER sold and were handed out like candy to be a stop gap for wifi calling and not an acually wifi router replacement. 

                      3) If T-Mobile doesn't want to continue to support these routers, they should release those of us who put a deposit on them years ago from our obligations and just let us flash them to the updated Asus firmware.

                      A person could return them and get their deposits back right?  Then a person people can buy and do what they want with their replacements. 
                      It's not just about http vs. https traffic. This is about supporting a customer base that has not been supported properly by T-Mobile on one of its products.

                      It's about a person doing what is needed to protect themselves.  When are you going to stop playing the victim and do what is needed for yourself and stop relying on others to do it for you.

                      We've heard your arguments. You've made your case. I'm hoping you'll hear mine and realize the world doesn't always do what is right or proper. People are going to continue to use sites that use http, because there are still many many of them out there.

                      • tmo_marissa

                        84. Re: TM-AC1900 and KRACK WiFi vulnerability

                        Hey folks,

                         

                        Just wanted to touch base here and let you all know I reached back out again to see if there's any news we can share about upcoming updates to the TM-AC1900. Thanks for staying engaged here -- we'll let you know as soon as we hear back!

                         

                        Marissa

                        • snn555

                          85. Re: TM-AC1900 and KRACK WiFi vulnerability

                          Honestly I can see both sides of the argument. TMobile does need to address the situation of updates for this Hardware in general. If they're not going to then they just need to state so. I don't believe they need to go through the whole effort of releasing deposits and allowing people to flash I believe they either update it or they don't and then the customer decides whether they want to continue using the equipment or not. It is up to each person to do what they can to protect themselves.

                           

                          But again I see both sides and while I personally would like to see some updates if T-Mobile is not going to update then they either need to let us know there are no more updates and let us decide whether we will continue to use these routers in the fashion that they presently are in or request the equipment to be returned un altered.

                           

                          Stating that I don't believe TMobile should be held accountable for what a consumer does outside of the terms of use of the equipment. If TMobile were to release this equipment and allow consumers to flash and modify at will it should not be expected that TMobile would support that equipment.

                           

                          So in the end better communication as far as the intention of what is to be done for this equipment going forward needs to be expressed. Consumers need to decide whether or not they want to continue to wait for updates and if not return the router and buy something they are happy with. At this point in time the router has been out for quite some time so buying a mid-level product today is much like buying this top-shelf router from years past.

                           

                          It should also be stated that T-Mobile has a lot of capital wrapped up in this equipment which was used to offload Network traffic there by making the network more efficient. However it also served a purpose with consumers to save $200 on a router and expand their service with wifi calling. So both sides profited.

                           

                          TMobile would have to decide whether or not it is worth having the equipment returned and having a certain number of customers no longer using it and putting the traffic back on the network. However with unlimited data that might be a shot to the foot. Also to state that with the network being expanded as much as it has been as of late WiFi calling is not as much a necessity for as many people as it used to be. That's not to say there aren't people elsewhere who need wifi calling but with as much of this equipment as there is that has been passed out over the years  TMobile has to decide  whether to take the loss on the equipment or to continue to provide support for it to bolster the network and offload Network traffic onto isps. But again most people still need a router so there's that.

                          1 of 1 people found this helpful
                          • magenta3036171

                            86. Re: TM-AC1900 and KRACK WiFi vulnerability

                            Couple of things to try, if you are using Chrome is to install HTTPS Everywhere and I believe Firefox has similar plugin.  I am not sure if similar plugin is available for Safari (MacOSX) or IE/Edge.  That will help with what @tidbits seems to be saying, but that only addresses if all you do is spend time in the browser.  I do not know about other folks but I use my computer for lot more than just browse the Internet.

                             

                            It would be great if T-Mobile had a position on what their plans are with the ac1900, so current users can make an informed decision on returning the router and moving on to reduce the risk.

                            • magenta3036171

                              If you do decide to use HTTPS Everywhere be ready for websites to break especially the news websites like Newsweek, etc.

                              1 of 1 people found this helpful
                              • amc2002

                                88. Re: TM-AC1900 and KRACK WiFi vulnerability

                                >>>It's about a person doing what is needed to protect themselves.  When are you going to stop playing the victim and do what is needed for yourself and stop relying on others to do it for you.<<<

                                 

                                Wow. Brilliant. Are you kidding me with this? Since when is asking a company to maintain security updates "playing the victim" and "relying on others to do it for [me]?"

                                 

                                Get real. The ASUS version of this router is patched. The T-Mobile one isn't. T-Mobile gave/rented/sold these routers (and yes, they DID, in fact, sell them at one point) to customers to make up for coverage issues. ASUS is protecting its customers. T-Mobile should be doing the same. Simple as that.

                                • eturk

                                  89. Re: TM-AC1900 and KRACK WiFi vulnerability

                                  @tidbits et al... please stop distracting from this specific thread topic: The TM-AC1900 is VULNERABLE. period!

                                  This is clearly verified by Asus releasing a firmware update on Nov 11,2017 to "fix KRACK vulnerability"

                                  RT-AC68U Driver & Tools| Networking | ASUS USA DS of customers with this vulnerable router, that has not had ANY vulnerabilities patched in over 2 years.

                                   

                                  There are probably THOUSANDS of customers with this vulnerable router that has not had any vulnerabilities patched in over 2 years! Those thousands are not reading this and can't be expected to verify every connection is https. That's absurd!

                                   

                                  It's simple, we are waiting for a firmware update from T-Mobile. Any other discussion is an attempt to distract or insult the customers.
                                  Please get us an answer from John Legere.

                                  thanks t-mo team! let's see that awardwinning customer service

                                  1 3 4 5 6 7 Previous Next