Unifi firmware update for KRACK

Posted on Mon Oct 16, 2017 1:39 pm
siclark
Posts: 1960
Joined: Jun 13, 2017
Location: UK

Unifi firmware update for KRACK

Just to let you know, Unifi have released updated firmware to patch against the KRACK vulnerability, but you have to do it as a custom upgrade; it's not being recognised automatically by the APs as an upgrade option yet, or at least not by mine.

https://community.ubnt.com/t5/UniFi-Upd ... -p/2099365

Posted on Mon Oct 16, 2017 1:59 pm
DaveL17
Posts: 6741
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: Unifi firmware update for KRACK

Thank you for this.


Posted on Mon Oct 16, 2017 4:22 pm
autolog
Posts: 3988
Joined: Sep 10, 2013
Location: West Sussex, UK [GMT aka UTC]

Re: Unifi firmware update for KRACK

+1 Thank you - now upgraded. :)

Posted on Mon Oct 16, 2017 9:25 pm
RogueProeliator
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: Unifi firmware update for KRACK

My network was already set to mitigate these types of attacks.

How so (just curious)?

Posted on Tue Oct 17, 2017 12:38 am
siclark
Posts: 1960
Joined: Jun 13, 2017
Location: UK

Re: Unifi firmware update for KRACK

Thanks Ian. That hurts my head a little! I also use 802.1X, but using keys and user logins rather than certs, as I never fully understood how to set those up.
As a result I also have non-802.1X SSIDs for IoT things. Some, like the stats, can be segregated on guest networks, but my Harmony hub for instance needs to be on the local network. I guess for this vulnerability it doesn't matter if they see the traffic there, as it's only info about the remote, and they can't use it to then get onto the main network as they don't see the SSID password?
Also I presume that if those devices then did connect to a spoofed SSID, the UniFi plugin would see them go offline, so you can have alerts on that? Racarter has a plugin coming that does just that via Pushover.
Not that I know how I could remedy that remotely?

I had read somewhere that it only needs one side to be patched? If my home APs are patched, are my home network and the devices on it secure? Obviously my mobile devices would have an issue on other WiFi networks until they, or the device, are patched?

Posted on Tue Oct 17, 2017 7:24 am
RogueProeliator
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: Unifi firmware update for KRACK

I figured that you went to some lengths to protect it and that is why I was curious -- thanks for sharing your setup! I've considered locking mine down more at times, but the hassle hasn't been worth the effort thus far since I am primarily wired... but I am indeed glad to see that some people are less lazy than I am regarding it! :-)

FWIW, I have considered using certificates but, as you more-or-less said, there are so many IoT style devices which can't utilize them. I assume having them separated makes things like discovery and UPnP not work? Not that it is a huge deal, but depending upon the app/application that can be somewhat of an annoyance (thinking here of, say, the Roku remote app or similar).

Adam

Posted on Tue Oct 17, 2017 7:59 am
siclark
Posts: 1960
Joined: Jun 13, 2017
Location: UK

Re: Unifi firmware update for KRACK

Having IoT devices on one SSID and iPhone or laptop on another with different SSID still allows connectivity, or does for my Harmony hub at least.

Posted on Tue Oct 17, 2017 8:01 am
siclark
Posts: 1960
Joined: Jun 13, 2017
Location: UK

Unifi firmware update for KRACK

Having IoT devices on one SSID and iPhone or laptop on another with different SSID still allows connectivity, or does for my Harmony hub at least.
Assuming that the IoT SSID allows internal connectivity.
I am thinking of setting up an IoT external-only network for devices that don't need to see my network. Thermostats come to mind, and maybe Echo Dots?
Need to find out as well how to put my Pi Zero onto the enterprise SSID.

Posted on Wed Oct 18, 2017 12:23 am
siclark
Posts: 1960
Joined: Jun 13, 2017
Location: UK

Re: Unifi firmware update for KRACK

Same here. I rely on Cat6a where possible, but it's annoying that some devices like the Harmony hub and Echos don't have Ethernet sockets.
Funny how everyone 10 years ago said everything would be wireless and there'd be no need for Ethernet cables!!
I do have the advantage of having stripped the house bare 3 years ago, so I could run it everywhere easily.
And yes to disabling UPnP and ensuring no open ports. I also Shodan search myself to check how it looks from the outside.

Posted on Wed Oct 18, 2017 9:19 am
RogueProeliator
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: Unifi firmware update for KRACK

Oh I have UPnP disabled; it is a huge security risk. Generally enterprise gear doesn't even support UPnP. Having applications or hardware open ports on a firewall is a horrible idea, as are the many other things that it can be used for.

I agree about allowing hardware to open ports without your knowledge - I actually disable that on routers that I set up (where possible). However, the "usability acceptance factor" of families (read: spouse and kids) often requires that the automated discovery of devices via UPnP still function... I don't really see the discovery of devices being a huge security risk; a simple scan would pick up 99% of what the discovery is responding to anyway.

Posted on Wed Oct 18, 2017 10:19 pm
RogueProeliator
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: Unifi firmware update for KRACK

No doubt; like I said, I disable UPnP responses by the router. The ones that I talk about having on and useful are things such as TVs, receivers, and the like that are for discovery. Those are the ones I refer to as not having any serious security implications (sure, there probably are some, but they are minor).

How many devices do you think will be patched for KRACK? How many people will actually update the devices?

The average user won't patch, but the average user is not at a high degree of risk of being exploited for this either.... at home. Now, I suspect you will come to see a ton of exploits of this on public hotspots, smaller mom-and-pop businesses who are running consumer grade routers and have no real IT knowledge or experience, etc. And you will see some in areas of high density such as apartment buildings and condos. However, the rewards for attacking a single, at-home user are pretty low. I'm not saying that it won't happen, nor should you ignore it, but just that you have to keep the individual case in mind.
