Wifi Hacked (KRACK)

I have reason to believe my router is being continuously hacked. I've reset it once already. Administration passwords were changed since purchase.

http://www.kb.cert.org/vuls/id/JLAD-AS7PN2

I think it is this vulnerability affecting multiple vendors:

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

Fortunately my devices don't automatically connect after the hack.

Anyone else have any experience?

Here's the Wikipedia article. Seems like a major failure of WPA/WPA2.

https://en.m.wikipedia.org/wiki/KRACK
 
Unfortunately quite a few Wifi standards are possible to hack if you know what you are doing, fortunately most people don't and are not interested. Keeping router firmware up to date helps a lot.

One way to stop this if you can is to change the router admin password from its default to something completely different and if possible lock your network down so only a given list of MAC addresses can connect to it. Just be very careful doing this and only if you are sure what you are doing.

Normally this is not necessary but can be in densely populated areas like flats.
 
I don't believe what you have mentioned would stop this. Passwords are not default anyway. MAC addresses are spoofed with ease.

I'm still not certain exactly what is happening though. I can switch to another wireless router, but from what I've read this vulnerability exists on all current wireless routers.
 
This has been patched by many suppliers. Have you checked for a firmware update?

What reason do you have to believe you're being hacked and why do you believe that KRACK is to blame?

I'm not even sure that KRACK has been seen in the wild (haven't checked, all of my kit is patched anyway).
 
> This has been patched by many suppliers. Have you checked for a firmware update?
>
> What reason do you have to believe you're being hacked and why do you believe that KRACK is to blame?
>
> I'm not even sure that KRACK has been seen in the wild (haven't checked, all of my kit is patched anyway).

All my devices disconnect after a short while preceded by the lack of internet.

Twice when it happened, internet lost but still connected to "my network", I went into the administrator login for the router and it was all the Russian version of tp-link (wanted to check firewall). Shortly after, my PC and phone disconnect from the network and fail to reconnect.

Only started happening yesterday. Normally resolved by restarting router. The first time I did reset to factory settings and change passwords all over again. Router is on latest firmware.

I do have an alternate router so I guess I'll try that.

edit: I might first try reducing the antenna power actually.
 
And have you checked for patched firmware?

The first article you link is over two months old. TP-Link have a long list of devices that have been patched since then.
 
Is that a patched firmware? Was there an issue with your model in the first place?

KRACK is a wireless issue. Are you likely to have Russian based hackers in range of your router?

You may have a problem, but I doubt it's KRACK related.
 
> Is that a patched firmware? Was there an issue with your model in the first place?
>
> KRACK is a wireless issue. Are you likely to have Russian based hackers in range of your router?
>
> You may have a problem, but I doubt it's KRACK related.

To me it seems like a fake network is hijacking my network.

Yes, I potentially have 100+ people in range. Lots of high-rises, one of which will contain international students.
 
If it keeps happening then disable the wireless for a while.

If it happens again you'll know it isn't wireless related.

If you do have other routers available then they're worth a try.

As with all of these threads it can help if makes and models are mentioned.
 
TP-Link AC1350 (Archer C58).

My backup router will be the standard Hyperoptic router.

I'll see if I can restrict the wireless range.

edit:

New SSIDs with new passphrases.
Strictly WPA2 and 802.11n/ac (in case Auto wasn't doing that).
New admin account.
Transmit power set to low.

I'll see how that goes.
 
What an annoying website they have, how do you find the latest firmware version on their site?

This is the closest I can find, but it doesn't list your model.

http://uk.tp-link.com/download-center.html

It pretty much needs to be a firmware made in Q4, 2017.

Unifi Access Points have patched it, could be an option.
 
What is your reason for thinking you have been hacked?

I do support for an ISP and a lot of people’s knee jerk response is they’ve been hacked. Reality is almost always something much more innocent.

Have you asked the isp to check the service? Does the issue continue on wired devices if you turn off Wi-fi?

I’m not insulting your intelligence but there was a notable vulnerability and most vendors patched it, there is a huge **** to truth ratio on internet articles and scaremongering is rife.
 
> What is your reason for thinking you have been hacked?
>
> I do support for an ISP and a lot of people’s knee jerk response is they’ve been hacked. Reality is almost always something much more innocent.
>
> Have you asked the isp to check the service? Does the issue continue on wired devices if you turn off Wi-fi?
>
> I’m not insulting your intelligence but there was a notable vulnerability and most vendors patched it, there is a huge **** to truth ratio on internet articles and scaremongering is rife.

I thought it was the router just playing up until I saw the fake tp link admin page in Russian. tplinkwifi.net should also resolve (same as 192.168.0.1) but doesn't.

It happened multiple times within a day when I've never had anything like this before.

A wired connection removes wifi completely so won't reveal anything.

Something is taking over the role of the router in my wifi network which sounds suspiciously like how the KRACK vulnerability works. But yes it could be a different way of taking over the wifi connection entirely.

> What an annoying website they have, how do you find the latest firmware version on their site?
>
> This is the closest I can find, but it doesn't list your model.
>
> http://uk.tp-link.com/download-center.html
>
> It pretty much needs to be a firmware made in Q4, 2017.
>
> Unifi Access Points have patched it, could be an option.

The router settings page has a check button which I use.

Thanks for the tip, if it happens again I'll have to get a patched AP.
 
Could also be a dns hijack/ malware, if the admin page is going elsewhere. Could also stop the Internet working.

You would see the same on wifi and cable in that instance. Try a cable and see if you get the same.
 
> Could also be a dns hijack/ malware, if the admin page is going elsewhere. Could also stop the Internet working.
>
> You would see the same on wifi and cable in that instance. Try a cable and see if you get the same.

Was one of the first things I checked as the initial symptom is the internet going down. Was fine on the router, remember that all my devices disconnect within a minute which made it a bit more difficult and I didn't want to login to the fake tplink admin page. Devices themselves show a complete dns server failure.
 
Just lock it down it's simple. Just allow your devices by mac address and static IPs and do the usual, change admin password then wifi password. Then disable the SSID broadcast after you're done. Then only your own devices can connect. If you disable SSID then you can't search for your wifi broadcast. But remain connected.
Wi-Fi has been easy to bypass for ages. It's just been made more publicly aware that's all. I went over these vulnerabilities at university in a report.
 
What's actually happening? What DNS servers are you using?

Try manually setting Google DNS on one of your devices and seeing if that is affected when the network has problems. It sounds like somebody is messing with the Hyperoptic network in your building and doing ARP spoofing to hijack traffic heading towards the gateway.
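One way to check the ARP spoofing theory from the reply above, as an added example that is not part of the original post: parse the neighbour table and compare the gateway's MAC with one recorded while the network was healthy. The sample `ip neigh show` output and all MAC addresses are constructed; 192.168.0.1 is the router address mentioned earlier in the thread, and the known-good MAC is an assumption (for instance, copied from the router's label).

```python
import re

# Constructed sample of `ip neigh show` output (not captured from the thread).
SAMPLE_NEIGH = """\
192.168.0.1 dev wlan0 lladdr de:ad:be:ef:00:99 REACHABLE
192.168.0.23 dev wlan0 lladdr de:ad:be:ef:00:99 STALE
192.168.0.40 dev wlan0 lladdr 3c:52:82:11:22:33 REACHABLE
192.168.0.77 dev wlan0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries have no lladdr and are skipped
            table[m.group(1)] = m.group(3).lower()
    return table

def check_gateway(table, gateway_ip, known_gateway_mac):
    """List reasons to suspect the gateway's ARP entry has been replaced."""
    findings = []
    seen = table.get(gateway_ip)
    if seen is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    if seen != known_gateway_mac.lower():
        findings.append(
            f"gateway {gateway_ip} is at {seen}, expected {known_gateway_mac.lower()}")
    # A host answering for the gateway usually also holds its own IP, so the
    # same MAC shows up twice. Some routers own several IPs legitimately.
    sharing = sorted(ip for ip, mac in table.items()
                     if mac == seen and ip != gateway_ip)
    if sharing:
        findings.append(f"gateway MAC {seen} also claimed by {', '.join(sharing)}")
    return findings

if __name__ == "__main__":
    # Assumption: 50:c7:bf:aa:bb:cc is the MAC noted down while things worked.
    for finding in check_gateway(parse_neigh(SAMPLE_NEIGH),
                                 "192.168.0.1", "50:C7:BF:AA:BB:CC"):
        print("WARNING:", finding)
```

On a live machine, pass the real output of `ip neigh show` to `parse_neigh` both when the network is healthy and during an outage, and compare the results.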
 
Not beyond realms of possibility, but I’d doubt it was KRACK being exploited here, not to say it isn’t though.

Through this vulnerability an attacker can obtain the keys used to encrypt/decrypt traffic, it does not ‘take over’ the router. That said what an attacker does once they have the keys...

Arguably they don’t need to do anything, they can just sniff and decrypt the traffic.

Also not broadcasting SSID is just pure security theatre, it does little to nothing towards security and arguably makes things less secure. And in no way makes the SSID unable to be found easily.

I’d love to read a university report that says MAC filtering, static ips and hiding SSID are sound security measures (and would also argue their definition as ‘vulnerabilities’ ;) ).

Especially if you are up against an adversary using more advanced exploits such as KRACK, all of the above will be trivial to bypass.
 
Yes but it works by searching for the WiFi network and then it clones the network on a different channel. It then establishes handshakes with the targeted device. The attacker can then go on to do stuff like stripping the SSL of any connections. If you disable the SSID broadcast you cannot search for the network but all remaining devices remain connected. Not exactly the best method for say businesses that have devices connect all the time but for home users it's a way of protecting their devices.
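A detection sketch for the cloned network on a different channel described in the post above, as an added example that is not part of the original thread: it reads terse `nmcli` scan output and flags any radio advertising your SSID that is not one of your router's recorded BSSID and channel pairs. The SSID, BSSIDs and channels are constructed, and the check assumes the router's channels are pinned rather than left on Auto.

```python
# Constructed sample of `nmcli -t -f SSID,BSSID,CHAN,SECURITY dev wifi list`
# output; every SSID, BSSID and channel here is made up for the example.
SAMPLE_SCAN = r"""HomeNet:50\:C7\:BF\:11\:22\:33:6:WPA2
HomeNet:50\:C7\:BF\:11\:22\:34:44:WPA2
HomeNet:50\:C7\:BF\:11\:22\:33:11:WPA2
HomeNet:02\:1A\:11\:F0\:0D\:02:1:
Neighbour:AC\:84\:C6\:00\:00\:01:6:WPA2
"""

# Assumption: the router's own radios, recorded while the network was healthy,
# with channels fixed in the router settings.
KNOWN_RADIOS = {"50:C7:BF:11:22:33": 6, "50:C7:BF:11:22:34": 44}

def split_terse(line):
    """Split one nmcli terse line on ':' while honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped ':' or '\' is literal
            i += 2
            continue
        if c == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur))
    return fields

def find_suspect_aps(scan_text, ssid, known_radios):
    """Return (bssid, channel, reason) for radios using `ssid` unexpectedly."""
    suspects = []
    for line in scan_text.splitlines():
        fields = split_terse(line)
        if len(fields) != 4 or fields[0] != ssid:
            continue
        bssid, chan, security = fields[1].upper(), int(fields[2]), fields[3]
        if bssid not in known_radios:
            reason = "unknown BSSID"
        elif known_radios[bssid] != chan:
            reason = "known BSSID on unexpected channel"
        else:
            continue
        if security in ("", "--"):
            reason += ", no encryption"
        suspects.append((bssid, chan, reason))
    return suspects
```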

 