Wifi Hacked (KRACK)

I have reason to believe my router is being continuously hacked. I've reset it once already. Administration passwords were changed since purchase.

http://www.kb.cert.org/vuls/id/JLAD-AS7PN2

I think it is this vulnerability affecting multiple vendors:

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

Fortunately my devices don't automatically connect after the hack.

Anyone else have any experience?

Here's the Wikipedia article. Seems like a major failure of WPA/WPA2.

https://en.m.wikipedia.org/wiki/KRACK
 
I don't believe what you have mentioned would stop this. Passwords are not default anyway. MAC addresses are spoofed with ease.

I'm still not certain exactly what is happening though. I can switch to another wireless router, but from what I've read this vulnerability exists on all current wireless routers.
 
This has been patched by many suppliers. Have you checked for a firmware update?

What reason do you have to believe you're being hacked and why do you believe that KRACK is to blame?

I'm not even sure that KRACK has been seen in the wild (haven't checked, all of my kit is patched anyway).

All my devices disconnect after a short while preceded by the lack of internet.

Twice when it happened, internet lost but still connected to "my network", I went into the administrator login for the router and it was all the Russian version of TP-Link (wanted to check firewall). Shortly after, my PC and phone disconnect from the network and fail to reconnect.

Only started happening yesterday. Normally resolved by restarting router. I did the first time reset to factory settings and change passwords all over again. Router is on latest firmware.

I do have an alternate router so I guess I'll try that.

edit: I might first try reducing the antenna power actually.
 
Is that a patched firmware? Was there an issue with your model in the first place?

KRACK is a wireless issue. Are you likely to have Russian based hackers in range of your router?

You may have a problem, but I doubt it's KRACK related.

To me it seems like fake network is hijacking my network.

Yes, I potentially have 100+ people in range. Lots of high-rises, one of which will contain international students.
 
TP-Link AC1350 (Archer C58).

My backup router will be the standard Hyperoptic router.

I'll see if I can restrict the wireless range.

edit:

New SSIDs with new passphrases.
Strictly WPA2 and 802.11n/ac (in case Auto wasn't doing that).
New admin account.
Transmit power set to low.

I'll see how that goes.
 
What is your reason for believing you have been hacked?

I do support for an ISP and a lot of people’s knee jerk response is they’ve been hacked. Reality is almost always something much more innocent.

Have you asked the ISP to check the service? Does the issue continue on wired devices if you turn off Wi-Fi?

I’m not insulting your intelligence but there was a notable vulnerability and most vendors patched it, there is a huge **** to truth ratio on internet articles and scaremongering is rife.

I thought it was the router just playing up until I saw the fake tp link admin page in Russian. tplinkwifi.net should also resolve (same as 192.168.0.1) but doesn't.

It happened multiple times within a day when I've never had anything like this before.

A wired connection removes wifi completely so won't reveal anything.

Something is taking over the role of the router in my wifi network, which sounds suspiciously like how the KRACK vulnerability works. But yes, it could be a different way of taking over the wifi connection entirely.

What an annoying website they have, how do you find the latest firmware version on their site?

This is the closest I can find, but it doesn't list your model.

http://uk.tp-link.com/download-center.html

It pretty much needs to be a firmware made in Q4, 2017.

Unifi Access Points have patched it, could be an option.

The router settings page has a check button which I use.

Thanks for the tip, if it happens again I'll have to get a patched AP.
 
Could also be a DNS hijack/malware, if the admin page is going elsewhere. Could also stop the Internet working.

You would see the same on wifi and cable in that instance. Try a cable and see if you get the same.

Was one of the first things I checked, as the initial symptom is the internet going down. Was fine on the router; remember that all my devices disconnect within a minute, which made it a bit more difficult, and I didn't want to log in to the fake TP-Link admin page. Devices themselves show a complete DNS server failure.
 
Yes but it works by searching for the WiFi network and then it clones the network on a different channel. It then establishes handshakes with the targeted device. The attacker can then go on to do stuff like stripping the SSL of any connections. If you disable the SSID broadcast you cannot search for the network but all remaining devices remain connected. Not exactly the best method for say businesses that have devices connect all the time but for home users it's a way of protecting their devices.


So this surely describes what was happening to me (doesn't even look that hard). Except either my devices were kicking up a fuss or the attacker wasn't feeding an internet connection.

Worth noting that this hasn't reoccurred since I significantly reduced the transmit power of my router and renamed the SSIDs.
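
Added example, not part of any post in this thread: a defensive check for the symptom described above, a copy of your network appearing on a different channel or under an unfamiliar BSSID. The scan records, field names and baseline values are constructed for illustration, and the baseline assumes the router is set to a fixed channel rather than Auto.

```python
# Constructed scan records (not real captures): one dict per access point seen.
SCAN = [
    {"ssid": "HomeNet", "bssid": "AA:BB:CC:00:11:22", "channel": 36, "security": "WPA2"},
    {"ssid": "HomeNet", "bssid": "aa:bb:cc:00:11:22", "channel": 1, "security": "WPA2"},
    {"ssid": "HomeNet", "bssid": "DE:AD:BE:EF:00:01", "channel": 6, "security": "Open"},
    {"ssid": "Neighbour", "bssid": "10:20:30:40:50:60", "channel": 11, "security": "WPA2"},
]

# Baseline taken from the router's own settings page (assumed values).
# A dual-band router has one BSSID per radio, so list each with its channel.
BASELINE = {
    "HomeNet": {"bssids": {"aa:bb:cc:00:11:22": 36}, "security": "WPA2"},
}


def find_suspect_aps(scan, baseline):
    """Return (bssid, channel, reason) for every AP that advertises one of
    our SSIDs but does not match what our own router is configured to send."""
    findings = []
    for ap in scan:
        known = baseline.get(ap["ssid"])
        if known is None:
            continue  # someone else's network, not our concern
        bssid = ap["bssid"].lower()  # tools differ in MAC letter case
        expected_channel = known["bssids"].get(bssid)
        if expected_channel is None:
            reason = "unknown BSSID advertising our SSID"
        elif ap["channel"] != expected_channel:
            # Same MAC on another channel is the cloned-network pattern
            reason = "known BSSID on unexpected channel"
        elif ap["security"] != known["security"]:
            reason = "security mode differs from baseline"
        else:
            continue  # matches the real router
        findings.append((bssid, ap["channel"], reason))
    return findings


if __name__ == "__main__":
    for bssid, channel, reason in find_suspect_aps(SCAN, BASELINE):
        print(f"{bssid} ch{channel}: {reason}")
```

A hit is a prompt to investigate, not proof of an attack: mesh nodes, range extenders and a router left on automatic channel selection produce the same findings.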
 