KRACK: (K)ey (R)einstallation (A)tta(ck)
From the KRACK website:
In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol. By manipulating cryptographic handshakes, we can abuse this weakness in practice.
Unless a known patch has been applied, assume that all WPA2 enabled Wi-fi devices are vulnerable.
Administrators: Remember to watch this page for changes
Go Directly to Vendor Response Matrix
For Android devices please check the Android Response Matrix
日本人の皆さまへ: こちらをご覧ください(日本語)
The Good
- Should a vendor take responsibility, devices are for the most part updatable.
The Bad
- Many devices do not have an easy way to apply updates.
- A huge burden is placed on the consumer to keep their devices up to date
- It may not be easy to search for all updates to all devices.
- The attack works for both clients and access points
- Updating an access point does not keep clients protected!
The Ugly
- Attacks against Android 6.0+ devices are very easy to accomplish.
- It is advised to disable Wi-Fi and only use 4G for the time being.
- Updates may never come for many IoT devices.
Attacks that can be made
- Adversary can decrypt arbitrary packets.
- This allows an adversary to obtain the TCP sequence numbers of a connection, and hijack TCP connections.
- Adversary can replay broadcast and multicast frames.
- Adversary can both decrypt and inject arbitrary packets. (TKIP or GCMP ONLY)
- Adversary can force the client into using a predictable all-zero encryption key. (ANDROID 6.0+ and LINUX)
Attacks that cannot be made
- Adversary can not recover WPA password.
- Adversary can not inject packets. (AES-CCMP ONLY)
Related Reading
- https://blog.cryptographyengineering.com/2017/10/16/falling-through-the-kracks/
- https://www.reddit.com/r/KRaCK/comments/76pjf8/krack_megathread_check_back_often_for_updated/
Vendor Patch Matrix (non-complete)
| Vendor | Patch Available | In Development | Not Directly Affected |
|---|---|---|---|
| Arch Linux | X | ||
| Arista | X | ||
| Aruba | X | ||
| Asus | X | X | |
| CentOS | X | ||
| Cisco | X | ||
| DD-WRT | X | ||
| Debian | X | ||
| Endian | X | ||
| Extreme Networks | X | ||
| Fedora | X | ||
| FreeBSD | X | ||
| Lenovo | X | ||
| LineageOS | X | ||
| LXDE | X | ||
| Meraki | X | ||
| MikroTik | X | ||
| Mojo Networks | X | ||
| Red Hat | X | ||
| Ruckus | X | ||
| Synology | X | ||
| Turris Omnia | X | ||
| Ubiquiti | X | ||
| Ubuntu | X | ||
| UniFi | X | ||
| VMware | X | ||
| Watchguard Cloud | X | ||
| Watchguard | X | ||
| Windows 10 | X | ||
| WPA_supplicant | X |
Vendor Response (complete)
| Vendor | Official Response | Comment | Last Checked | Last Updated | Date Notified by CERT |
|---|---|---|---|---|---|
| 3com Inc | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Actiontec | Link | N/A | 2017-10-18 | 2017-10-18 | |
| Aerohive | Link | N/A | 2017-10-17 | 2017-10-17 | |
| Alcatel-Lucent | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Amazon | No Known Official Response | "We are in the process of reviewing which of our devices may contain this vulnerability and will be issuing patches where needed." | 2017-10-17 | 2017-10-17 | |
| Android | No Known Official Response | Android 6.0 and above affected (Android uses wpa_supplicant and therefore is affected). | 2017-10-16 | 2017-10-16 | |
| Apple | No Known Official Response; See comment for unofficial response | Via twitter : "Apple has confirmed to me that #wpa2 #KRACK exploit has already been patched in iOS, tvOS, watchOS, macOS betas." LINK | 2017-10-17 | 2017-10-17 | |
| Arch Linux | wpa_supplicant, hostapd | N/A | 2017-10-16 | 2017-10-16 | |
| Arduino | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Asus | LINK | Additionally, an email response from "security@asus.com" says that they are "co-working with chipset vendors for solutions and will release patched firmware for affected routers soon. If your router is RT-N12 D1, RT-N66U, RT-AC66U, RT-AC68U, RT-AC3200, RT-AC88U, RT-AC3100, RT-AC5300 or GT-AC5300 then your router is not affected by the WPA2 vulnerability in router and AP mode." | 2017-10-17 | 2017-10-18 | |
| AVM (FRITZ!Box) | LINK | WPA2 flaw – FRITZ!Box on broadband connections are secure. AVM will provide updates for its wireless repeaters. Firmware update for FRITZ!WLAN Repeater 1750E available | 2017-10-18 | 2017-10-20 | |
| Barracuda Networks | LINK | Our investigations indicate that currently only Barracuda NextGen Firewall Wi-Fi Models used under Wi-Fi Client mode are affected. | 2017-10-17 | 2017-10-17 | |
| Belkin, Linksys, and Wemo | LINK | "We are still confirming all product skus affected, including Belkin Routers and Range Extenders, Linksys Routers, Adapters, Access Points, Bridges and Range Extenders and Wemo Products. As mentioned, when firmware is available, it will be posted to the associated brands’ support page." | 2017-10-21 | 2017-10-19 | |
| Broadcom / Cypress | LINK (Cypress community login required) | WICED Studio, wpa_supplicant, and linux releases in late October will address the relevant CVEs. |
2017-10-18 | 2017-10-18 | |
| Brother | No Known Official Response | N/A | 2017-10-19 | 2017-10-19 | |
| Buffalo / MELCO | LINK(JA) | N/A | 2017-10-18 | 2017-10-18 | |
| Canon | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| CentOS | CentOS 6, CentOS 7 | From upstream Red Hat Security Advisories RHSA-2017:2911, and RHSA-2017:2907 Arch: Centos6 i386, x86_64; Centos7 x86_64, ARM (Raspberry PI), ppc64, ppc64le, | 2017-10-18 | 2017-10-18 | |
| Cisco | LINK | Multiple Cisco wireless products are affected by these vulnerabilities. | 2017-10-16 | 2017-10-16 | 28 Aug 2017 |
| Comcast | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| ConnMann | No Known Official Response | Connman has not released any information or updates yet. LINK | 2017-10-17 | 2017-10-20 | |
| CZ.NIC Turris | LINK | via @spike411: CZ.NIC Turris team is testing a fix (backported from hostapd upstream): LINK | 2017-10-16 | 2017-10-16 | |
| D-Link | LINK | N/A | 2017-10-17 | 2017-10-17 | |
| DD-WRT | LINK | N/A | 2017-10-17 | 2017-10-17 | |
| Debian | LINK | * Add patches to fix WPA protocol vulnerabilities (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088): - hostapd: Avoid key reinstallation in FT handshake - Prevent reinstallation of an already in-use group key - Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases - Fix PTK rekeying to generate a new ANonce - TDLS: Reject TPK-TK reconfiguration - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used - WNM: Ignore WNM-Sleep Mode Response without pending request - FT: Do not allow multiple Reassociation Response frames - TDLS: Ignore incoming TDLS Setup Response retries | 2017-10-16 | 2017-10-16 | |
| Dell | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Denon | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Devolo | No Known Official Response | They are currently reviewing the attack scenario for their products according to this tweet | 2017-10-18 | 2017-10-18 | |
| DrayTek | LINK | DrayTek are investigating solutions for this and plan to issue appropriate updates (firmware) as soon as possible. We will update this page in due course. | 2017-10-17 | 2017-10-17 | |
| ecobee | No Known Official Response | Twitter response 1 and 2: "ecobee is aware of the industry-wide vulnerability in WPA2 referred to as KRACK. The security of our customers is very important to us and we have confirmed that ecobee device security is not impacted by this issue." Likely this means ecobee considers underlying https / ssl to be secure despite KRACK | 2017-10-17 | 2017-10-17 | |
| Edimax | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| ELECOM | LINK(JA) | N/A | 2017-10-20 | 2017-10-20 | |
| EMC Corporation | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Endian | LINK | Community version is not affected. Fixed on Enterprise 5.0 | 2017-10-18 | 2017-10-18 | |
| EnGenius | LINK | "EnGenius software developers are currently working on security patches and will issue firmware releases as soon as possible." | 2017-10-18 | 2017-10-18 | |
| Espressif Systems | LINK | Espressif released patches for the WiFi vulnerabilities in their products including ESP-IDF, ESP8266 RTOS and ESP8266 NON-OS. Arduino ESP32 will be updated shortly. | 2017-10-16 | 2017-10-16 | 22 Sep 2017 |
| Extreme Networks | LINK | N/A | 2017-10-16 | 2017-10-16 | 2017-08-28 |
| F5 Networks | LINK | There is no impact; F5 products are not affected by this vulnerability. | 2017-10-19 | 2017-10-19 | |
| Fedora | Fedora 26 / 27 (beta) | Status: Fixed Release: Stable (* Manual installation is possible) Arch: x86_64 and ARM (Raspberry PI) | 2017-10-17 | 2017-10-19 | |
| FortiNet | LINK | FortiAP 5.6.1 has been patched. All other patches are upcoming. | 2017-10-16 | 2017-10-18 | |
| Foundry Brocade | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| FreeBSD Project | Response, patch | Binary and source updates to base system available. Alternatively one can install the security/wpa_supplicant port or package in lieu of the same in base. |
2017-10-17 | 2017-10-17 | (?) |
| No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | ||
| Hewlett Packard Enterprise | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Honeywell | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| HPE Aruba | Patch Info - FAQ | N/A | 2017-10-17 | 2017-10-17 | 28 Aug 2017 |
| Huawei | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| I-O DATA | LINK(JA) | N/A | 2017-10-18 | 2017-10-18 | |
| IBM | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Icotera | Icotera products are not affected LINK | The investigation concluded that none of current Icotera products is affected by the described vulnerability, as it does not apply to a device running Access Point mode only | 2017-10-19 | 2017-10-19 | |
| Intel Corporation | LINK | N/A | 2017-10-16 | 2017-10-16 | 28 Aug 2017 |
| IPFire | LINK | Update: packages for all architectures are now available | 2017-10-19 | 2017-10-19 | |
| iRobot (Roomba) | No Known Official Response | Chat support: "So far as we can tell, we haven't been impacted. So that's good news lol." IMG | 2017-10-17 | 2017-10-17 | |
| Jolla | LINK | N/A | 2017-10-17 | 2017-10-17 | |
| Juniper Networks | LINK | Patches for WLAN available; patches for SRX and SSG outstanding | 2017-10-16 | 2017-10-16 | 28 Aug 2017 |
| KPN | LINK | KPN routers to be found safe. See update 17th LINK | 2017-10-17 | 2017-10-20 | |
| Kyocera Communications | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| LEDE | LINK | Released fix in version 17.01.4. | 2017-10-18 | 2017-10-18 | |
| LineageOS | LINK | "All official 14.1 builds built after this tweet have been patched for KRACK.":LINK | 2017-10-17 | 2017-10-17 | |
| Linux | Patches: LINK | wpa_supplicant version 2.4 and above is affected. Linux's wpa_supplicant v2.6 is also vulnerable to the installation of an all-zero encryption key in the 4-way handshake. | 2017-10-16 | 2017-10-16 | |
| Logitech | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| Luxul | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Marantz | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Marvell Semiconductor | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| MediaTek | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| Meraki | LINK | Fixed for Cisco Meraki in 24.11 and 25.7 | 2017-10-16 | 2017-10-16 | |
| Microchip Technology | LINK | N/A | 2017-10-17 | 2017-10-17 | 28 Aug 2017 |
| Microsoft | Windows Related | When clicking the link, accept the EULA then click the link again | 2017-10-16 | 2017-10-16 | |
| MidnightBSD | No Known Official Response | Workaround available by installing wpa_supplicant from mports/security/wpa_supplicant | 2017-10-21 | 2017-10-21 | |
| Mikrotik | LINK | We released fixed versions last week, so if you upgrade your devices routinely, no further action is required. | 2017-10-16 | 2017-10-16 | |
| Mojo Networks | LINK | Update to cloud management platform completed. In order to mitigate client-side vulnerabilities, Mojo recommends upgrading AP software to version 8.5, and enabling MAC Spoofing and Man-in-the-middle attack prevention with built-in WIPs. | 2017-10-17 | 2017-10-17 | |
| NEC (ATERM) | LINK(JA) | N/A | 2017-10-20 | 2017-10-20 | |
| Nest Labs | No Known Official Response | Nest Tweeted: "We plan to roll out patches to our products in the coming weeks. These won't require any action on the part of the user." | 2017-10-17 | 2017-10-17 | |
| netBSD | LINK | N/A | 2017-10-22 | 2017-10-22 | |
| Netgear | LINK | N/A | 2017-10-16 | 2017-10-16 | |
| Nikon | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| Nintendo | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| OmniROM | LINK | "all official OmniROM N builds have the fix included." | 2017-10-19 | 2017-10-19 | |
| OnePlus | No Known Official Response | "We encouraged you to stay tuned and keep track on our Community Forums and official website and other social media channels." | 2017-10-17 | 2017-10-16 | |
| Onkyo | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Open-Mesh / CloudTrax | LINK | An update is expected to be delivered to all of those that use automatic updates by the end over October 17th. | 2017-10-17 | 2017-10-17 | |
| OpenBSD | LINK | Errata patches for the wireless stack have been released for OpenBSD 6.1 and 6.0. State transition errors could cause reinstallation of old WPA keys. Binary updates for the amd64 and i386 platforms are available via the syspatch utility. Source code patches can be found on the respective errata pages. As this affects the kernel, a reboot will be needed after patching. | 2017-10-16 | 2017-10-16 | |
| OPNsense | No Known Official Response | (CALL FOR TESTING) KRACK Attack fixes LINK | 2017-10-18 | 2017-10-18 | |
| Pakedge | No Known Official Response | Via @spike411 "They have acknowledged they have received my enquiry but don’t have any info about the state of this vulnerability in their products." | 2017-10-16 | 2017-10-16 | |
| Particle | LINK | Once Cypress releases updates to WICED Studio, Particle will create system firmware releases. Users can then build their apps on the new system versions. | 2017-10-18 | 2017-10-18 | |
| Peplink | LINK | "We are developing firmware to address the vulnerability." ... "ETA for the firmware releases is within two weeks." | 2017-10-17 | 2017-10-17 | 2017-08-28 |
| pfSense | LINK | N/A | 2017-10-17 | 2017-10-17 | |
| Pioneer | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| PLANEX | LINK(JA) | N/A | 2017-10-20 | 2017-10-20 | |
| Qualcomm Atheros | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| Rachio | No Known Official Response | Support response: "When it boils down into it, the KRACK attack can only target improperly done HTTPS / SSL connections, and we are perfectly safe in that regard. There is no need for our controller to get an update due to the leak itself, due to the massive lack of a GUI there is nothing at risk from our controller. From what I can see in my research and testing, KRACK vulnerability cannot potentially modify data on the network, or even eavesdrop from our controller. The absolute only thing at risk, after thorough testing, that a KRACK attacker would be able to potentially see is that you have a Rachio on your network. And even then, the only way they have the slightest ability to get any further would be via timing analysis, and even then it only would be your watering times." LINK |
2017-10-17 | 2017-10-17 | |
| Raspbian (Raspberry Pi) | No Known Official Response | Update (20171002 01:38): The fixes for raspbian Jessie and Stretch should now be in the public raspbian repo. The fix for raspbian buster should follow in a few hours. I do not know if/when there will be a fix for wheezy. source: LINK REPO FORUM | 2017-10-17 | 2017-10-17 | |
| Red Hat, Inc. | This issue affects the versions of wpa_supplicant as shipped with Red Hat Enterprise Linux 6 and 7. LINK | Red Hat Security Advisories for Red Hat Enterprise Linux 7 RHSA-2017:2911 and Red Hat Enterprise Linux 6 RHSA-2017:2907 | 2017-10-16 | 2017-10-16 | 28 Aug 2017 |
| Ring | No Known Official Response | Per support "They promise to update public shortly, actively working with developers." | 2017-10-17 | 2017-10-17 | |
| Ruckus Wireless | Security Advisory Bulletin | More forthcoming. LINK | 2017-10-17 | 2017-10-17 | |
| Sagemcom | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Samsung Electronics | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | 28 Aug 2017 |
| Sharp | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| SnapAV | No Known Official Response (See comment for unofficial response) | An email from G Paul Hess, Chief Product Officer states that Araknis Networks Wireless Access Points and Autonomic 1e Music Streamer are affected. "We are currently working on a firmware update, which will be available on SnapAV’s website, as well as OvrC." | 2017-10-16 | 2017-10-17 | |
| Sonicwall | LINK | N/A | 2017-10-17 | 2017-10-17 | |
| Sonos | LINK | We're aware of the issues with WPA2 and our team is working to determine any ramifications this may have for Sonos players. | 2017-10-18 | 2017-10-18 | |
| Sony | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| Sophos AP | LINK | N/A | 2017-10-17 | 2017-10-17 | |
| SUSE / openSUSE | hostap wpa_supplicant | Patches available for wpa_supplicant. hostap in the works. See links for details |
2017-10-20 | 2017-10-20 | 28 Aug 2017 |
| Swisscom | LINK | Internet Box routers not affected. Centro routers and AirTies repeaters to be clarified. | 2017-10-17 | 2017-10-17 | |
| Synology | LINK 1 LINK 1 | Synology DiskStation Manager (DSM) with attached WiFi dongle and Synology Router Manager (SRM) are vulnerable to Krack. As of Version 6.1.3-15152-8: Fixed multiple security vulnerabilities regarding WPA/WPA2 protocols for wireless connections (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088). | 2017-10-17 | 2017-10-17 | |
| Tesco | LINK | Tesco has chosen not to patch the Hudl: "There will be no further updates to the hudl software" | 2017-10-17 | 2017-10-17 | |
| Toshiba Commerce Solutions | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | 15 Sep 2017 |
| Toshiba Electronic Devices & Storage Corporation | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | 28 Aug 2017 |
| Toshiba Memory Corporation | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | 28 Aug 2017 |
| TP-Link | LINK, LINK2 | TP-Link has been working on affected models and will release firmware over the next few weeks on our official website. | 2017-10-18 | 2017-10-18 | |
| Turris Omnia | LINK | N/A | 2017-10-17 | 2017-10-17 | |
| Ubiquiti Networks | LINK | Ubiquiti has released 3.9.3.7537 in beta to mitigate these vulnerabilities in UniFi APs that have a client mode. mFi devices are likely vulnerable and no statement or patch has been released. | 2017-10-16 | 2017-10-16 | |
| Ubuntu | LINK | Updates are available for wpasupplicant and hostapd in Ubuntu 17.04, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS. wpasupplicant and hostapd were updated before the release of Ubuntu 17.10. | 2017-10-16 | 2017-10-16 | |
| Volumio | LINK | Updates are available for wpasupplicant and hostapd in Volumio starting from version 2.296 | 2017-10-18 | 2017-10-18 | |
| WatchGuard | LINK | Sunday, October 15, 2017:,AP120, 320, 322, 420:,Release 8.3.0-657, Cloud mode only. Monday, October 30, 2017: AP300: Release 2.0.0.9, AP100, 102, 200: Release 1.2.9.14, AP120, 320, 322, 420:,Release 8.3.0-657, Non-Cloud (GWC mode) | 2017-10-17 | 2017-10-17 | |
| webOS | No Known Official Response | Also see entry ConnMan | 2017-10-17 | 2017-10-20 | |
| WiFi Alliance | LINK | Users should refer to their Wi-Fi device vendor’s website or security advisories to determine if their device has been affected and has an update available. As always, Wi-Fi users should ensure they have installed the latest recommended updates from device manufacturers. | 2017-10-16 | 2017-10-16 | |
| Xfinity | No Known Official Response | N/A | 2017-10-17 | 2017-10-17 | |
| Xiaomi | LINK | MIUI Beta 9 v7.10.19 for some of the mobile devices released. | 2017-10-22 | 2017-10-22 | 2017-07-28 |
| Xirrus | LINK | As soon as the patch is released, it will be made available through the Xirrus Support Community. | 2017-10-17 | 2017-10-17 | |
| Yamaha | No Known Official Response | N/A | 2017-10-16 | 2017-10-16 | |
| Yi (Xiaomi) | No Known Official Response | "Waiting on a reply" | 2017-10-17 | 2017-10-17 | |
| ZTE | No Known Official Response | Also see entry KPN | 2017-10-17 | 2017-10-20 | |
| ZyXEL | LINK | N/A | 2017-10-16 | 2017-10-16 | 28 Aug 2017 |