Chiming in to thank Marissa, amc2002, etc. for all the input that helped me in researching this router, which I did end up buying, though I'm not a T-Mobile customer, and specifically to install Tomato firmware on it. Marissa, I hope you're being paid. You are a goddess of customer service.
I also wanted to say that if you read back through all this thread, amc2002's post on Oct 31, 2017 2:38 PM shows that key-reinsertion (KRACK stands for key reinsertion attack) has always been disabled in router/AP mode. The RT-AC68U needed a firmware patch because it makes available the repeater and bridge modes. Marissa's post on Oct 18, 2017 3:29 PM shows that repeater and bridge modes aren't available in the TM-AC1900 firmware, so there’s nothing to patch in relation to KRACK.
What you should be worrying about is the patch date on your Android phone anytime you’re near wifi….
Thanks wooshu for making it so clear - magenta3036171 if you look at the post just above yours, wooshu says that key re-insertion is disabled in AP/router mode, so we're good, because KRACK is due to key re-insertion.
If you put the router in repeater or bridge mode, key re-insertion could be enabled, but this router doesn't have those modes (according to the statement above), as it wasn't included in T-Mobile's version of the firmware.
1 of 1 people found this helpful
I thought WDS (Wireless - Bridge) is the same thing as bridge mode? If that is the case I do see the option to configure that on my AC1900 with firmware 18.104.22.168.376_3181.
Sorry, I was going by what had been said, and didn’t take a good look at the stock firmware on this router before replacing it. I think we’re getting confused between AP/Bridge mode and STA/Repeater mode. Repeater mode is often referred to as a bridge, but the Asus/Broadcom engineers are making a distinction, and referring to things as AP (access point) or STA (station) modes. Marissa did say in her Oct 18, 2017 3:29 PM post that “TM-AC1900 firmware does not support repeater mode or media bridge mode”, but first she said “According to ASUS and Broadcom’s information, only the STA/repeater mode is impacted by this vulnerability. AP mode is not affected”
To illustrate the difference between AP and STA modes I’ve taken screenshots from my old router which now has Asuswrt-Merlin on it, an Asus firmware variant that will look similar to what you have with the T-Mobile variant, but includes the STA/Repeater option.
“In Repeater mode, [the router] wirelessly connects to an existing wireless network to extend the wireless coverage. In this mode, the firewall, IP sharing, and NAT functions are disabled.”
The 2nd wifi broadcast link is where the vulnerability lies. If you have this available in your firmware, you need a patch for KRACK.
“[The router] can be configured in Media Bridge mode. The Media Bridge mode provides the fastest Wi-Fi connection for multiple media devices simultaneously. To set up the Media Bridge mode, you need two [routers]: one configured as the Media station and the other as a router. Configure one [router] as a router and another [router] as a Media Bridge to provide a simultaneous Wi-Fi connection for your media devices such as computer, Smart TV, game console, DVR, or media player via Ethernet cable. Change to Media Bridge mode to provide a simultaneous Wi-Fi connection for your media devices.
In Media Bridge mode, only wireless devices connect to the P-AP [primary access point?]. Client devices need to be connected to the Media Bridge with a network cable.”
This has only one wifi broadcast link. If you have this, but not STA/Repeater mode, you don’t need a patch for KRACK.
I hope this helps. Thanks again for your help. I think that’s all I have time for on this thread, so wooshu out.
This has been a very useful read. So, if I were to try to boil it all down to a bottom line: if you use this router in Wireless router mode--i.e., the default mode--then it's not vulnerable to KRACK?
@tidbits et al... please stop distracting from this specific thread topic: The TM-AC1900 is VULNERABLE. period!
This is clearly verified by Asus releasing a firmware update on Nov 11, 2017 to "fix KRACK vulnerability".
And how long did it take for ASUS to do their own update on this? Everyone has been screaming since the exploit was announced, and it's been just 11 days since ASUS "fixed" the somewhat equivalent model that has their name on it.
It's simple, we are waiting for a firmware update from T-Mobile. Any other discussion is an attempt to distract or insult the customers.
Please get us an answer from John Legere.
Who do you think ASUS is going to prioritize for updates? You think they are going to focus on a contract version of their router which has some custom code in it, or do you think they are going to utilize their engineering/programming department to focus on their own product line first? It's the same when everyone screams at TMO for not updating their phones when some other carrier gets an update first, but of course the same folks don't say boo when TMO happens to be the first or one of the first carriers to get an update. TMO doesn't make any of these products, nor do they write the code or even have the source code for these products, so they are dependent on their partners and/or manufacturers of the products they sell to fix them. If you have a recall on your car, yes, the dealer ends up fixing it, but if the manufacturer doesn't have a fix or enough parts, is it the dealer's fault?
One thing to do is to turn off the SSID broadcast of your router. (If they can't see you it's harder to find and hack you!) You will have to remember your wifi SSID and enter it manually in your device, as it will not be seen anymore, and provide the type of encryption and your password.
Another thing to do is go to the MAC filtering and "allow" only your devices. You will need the MAC addresses of your devices and enter them in the allow only table.
Turn off that Guest network!!!
That won't help you. You can still sniff wifi and see both the SSID and the MAC addresses.
I guess if this device is being "discontinued", and I want the latest security patches for the many vulnerabilities found within the last few months, it's time to move this device to Merlin software. I guess this is the perfect excuse to do that. If Asus/T-Mobile aren't going to put out any more firmware updates for this (???) I feel sorry for anyone using this device who may not be as technologically competent who can't get an easy fix for their own safety.
Now I have Firmware Version 22.214.171.124.376_3199.