EnGenius Advisory

 

WPA2 KRACK Vulnerability

 

Oct. 17, 2017

 

 

What Has Happened

----------------------------

On October 16, 2017, security researchers publicly announced that they had discovered a weakness in the Wi-Fi Protected Access 2 (WPA2) protocol that is used in all modern Wi-Fi networks. A malicious attacker in range of a potential unpatched victim can exploit this weakness to read information that was previously assumed to be safely encrypted. The vulnerability is within the Wi-Fi IEEE 802.11 standard itself, and is therefore not unique to any particular access point or client device vendor. It is generally assumed that any Wi-Fi enabled device is potentially vulnerable to this particular issue.

 

 

A Summary of How WPA2 Security Works

--------------------------------------------------------

WPA2-AES security consists of both authorization and encryption. The authorization step is used to determine whether a particular client is allowed to access the wireless network, and comes in two flavors, Personal and Enterprise. In WPA2-AES Personal, a pre-shared key or passphrase is used as the identifying credential. In WPA2-AES Enterprise, the Extensible Authentication Protocol (EAP) is used to validate the client credentials against an external RADIUS or Active Directory server. In either the WPA2-AES Personal or WPA2-AES Enterprise scenario, once the client’s authorization credentials are validated, a unique set of encryption keys is established between that particular access point and that particular client device, to encrypt the traffic between them. This encryption process is done via a four-way handshake, where particular keys are passed back and forth between the access point and the client device so each can derive the appropriate unique encryption key pair.

 

 

A Summary of the Vulnerability

------------------------------------------

The security researchers discovered that they could manipulate and replay the third message in the four-way handshake to perform a key reinstallation attack (KRACK). Strictly speaking, each key that is passed in the four-way handshake should only be used once and never re-used. However, in a key reinstallation attack, the attacker pretends to be a valid access point and tricks the client device into reinstalling a key that is already in use, serving to reset the transmit and receive packet numbers. For WPA2-AES, the attacker can then derive the same encryption key as the client device, and then decode upstream traffic from the client device to the access point. For the older (and less secure) WPA-TKIP, the attacker can go even further, and potentially forge and inject new packets into the data stream.

 

To take advantage of this vulnerability, a malicious actor must conduct a man-in-the-middle attack (i.e. pretend to be an AP on your network and act as a relay between the client device and the legitimate wireless network).
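The effect of reinstalling a key that is already in use can be seen in a small model of the client side. The following is an added example, not code from EnGenius or from the researchers; the `Client` class, its fields and the session key value are constructed for illustration. It compares a client that resets its transmit packet number on every key install with one that ignores a repeated install of the key it is already using.

```python
"""Toy model of a Wi-Fi client handling message 3 of the four-way handshake.
Constructed for illustration; this is not real 802.11 code."""
from dataclasses import dataclass, field


@dataclass
class Client:
    patched: bool
    key: bytes = b""                    # currently installed session key
    tx_pn: int = 0                      # transmit packet number
    used: list = field(default_factory=list)   # (key, pn) pairs sent so far

    def on_message3(self, key: bytes) -> None:
        """Install the session key confirmed by handshake message 3."""
        if self.patched and key == self.key:
            return                      # same key already in use: keep counters
        self.key = key
        self.tx_pn = 0                  # a key install resets the packet number

    def send_frame(self) -> tuple:
        """Send one data frame; every frame needs a fresh (key, pn) pair."""
        self.tx_pn += 1
        pair = (self.key, self.tx_pn)
        self.used.append(pair)
        return pair


def reused_pairs(patched: bool) -> int:
    """Run a constructed session in which message 3 arrives twice."""
    session_key = b"constructed-session-key"   # placeholder, not a real key
    client = Client(patched=patched)
    client.on_message3(session_key)     # normal end of the handshake
    for _ in range(3):
        client.send_frame()             # packet numbers 1, 2, 3
    client.on_message3(session_key)     # message 3 delivered a second time
    for _ in range(3):
        client.send_frame()             # unpatched: 1, 2, 3 again
    return len(client.used) - len(set(client.used))


if __name__ == "__main__":
    print("unpatched client, reused (key, PN) pairs:", reused_pairs(False))
    print("patched client,   reused (key, PN) pairs:", reused_pairs(True))
```

A client update of the kind the advisory tells operators to obtain from device manufacturers corresponds to the `patched` branch: a genuinely new key still resets the counter, a repeated one does not.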

 

 

How This Vulnerability Impacts EnGenius Products and Networks

--------------------------------------------------------------------------------------

As the issue occurs on client devices, the first step for any network operator is to check with your client device manufacturers for security patches and updates and apply these updates as soon as they are available.

 

This particular vulnerability has no direct impact on any EnGenius APs operating in “access point” mode. However, EnGenius access points that are used as client devices (i.e. Electron™ APs operating in “client bridge” mode) or any access points that are used for point-to-multipoint communications (i.e. Electron™ APs operating in “WDS bridge” or “WDS station” mode) are potentially impacted by this vulnerability in the IEEE 802.11 protocol. Furthermore, some advanced applications and features, such as mesh networking and fast roaming (i.e. 802.11r), may also be vulnerable to this issue.

 

EnGenius software developers are currently actively investigating the impact of this vulnerability across all of the products in our product portfolio, and will be issuing firmware releases in the coming days and weeks to address this issue. In the interim, EnGenius still recommends the continued use of WPA2-AES Personal or WPA2-AES Enterprise for network security. Do not use WEP and do not use WPA-TKIP, as the vulnerabilities of those deprecated security protocols are significantly more serious and easier to execute by a malicious attacker.

 

 

FAQs

---------

Can I still run my EnGenius Wi-Fi network?

Yes, you can still run your EnGenius Wi-Fi network. There is no need to shut down or replace your EnGenius devices.
This vulnerability is within the Wi-Fi IEEE 802.11 standard itself, and is therefore not unique to any particular access point or client device vendor. It is generally assumed that any Wi-Fi enabled device is potentially vulnerable to this particular issue.

 

Are EnGenius wireless products vulnerable to this type of attack?

EnGenius wireless products running in “AP mode” have no direct impact from this vulnerability.
EnGenius access points that are used as client devices such as APs operating in “client bridge” mode or any access points that are used for point-to-multipoint communications such as APs operating in “WDS bridge” or “WDS station” mode are potentially impacted by this vulnerability in the IEEE 802.11 protocol. 
Furthermore, some advanced applications and features, such as mesh networking and fast roaming via 802.11r, may also be vulnerable to this issue.

 

Is my wireless network still secure?

Yes, there is no evidence that the KRACK vulnerability has been used maliciously.
Yes, all passwords and certificates are still secure. This type of vulnerability does not affect passwords, authentication tokens or keys.
A KRACK attacker must be onsite to conduct this type of attack.
The malicious actor must also decrypt over-air traffic between the AP and your clients in order to gain any access to your information, and this is not easily done.
EnGenius still recommends the continued use of WPA2-AES Personal or WPA2-AES Enterprise for network security. 
Do not use WEP and do not use WPA-TKIP, as the vulnerabilities of those deprecated security protocols are significantly more serious and easier to execute by a malicious attacker.

 

What can I do immediately to ensure my clients are kept secure?

This vulnerability also impacts client devices, so be sure to check with your client device manufacturers and implement any available security patches and updates. Major device vendors are working on fixing these vulnerabilities and will make patches available as soon as possible.
Until client device updates are made available, consider disabling the 802.11r Fast Roaming feature to help reduce vulnerability.

 

When will EnGenius provide security patches and updates for this vulnerability?

EnGenius software developers are currently working on security patches and will issue firmware releases as soon as possible.

 

 

For More Information

------------------------------

The website https://www.krackattacks.com/ provides a detailed summary of the issue along with links to the research paper and tools detailing the vulnerability.

 

EnGenius Model   Security Patch Status
--------------   ---------------------
EWS360AP         Available Now
EAP1200H         In Progress
EAP1300          Available Now
EAP1300EXT       Available Now
EAP150v2         In Progress
EAP1750H         In Progress
EAP2200          Available Now
EAP300v2         In Progress
EAP350v2         In Progress
EAP600           Available Now
EAP900H          Available Now
ECB1200          Available Now
ECB1750          Available Now
EMR3000          Available through automatic update
ENH1750EXT       Available Now
ENH202v2         Available Now
ENH220EXT        Available Now
ENH500v2         Available Now
ENH710EXT        In Progress
ENH900EXT        Available Now
ENS1200          In Progress
ENS1750          Available Now
ENS202           Available Now
ENS202EXT        Available Now
ENS500           Available Now
ENS500-AC        Available Now
ENS500EXT        Available Now
ENS500EXT-AC     Available Now
ENS620EXT        Available Now
EnStation2       Available Now
EnStation5       Available Now
EnStation5-AC    In Progress
EnStationAC      In Progress
EPG5000          In Progress
ESR1200          In Progress
ESR1750          In Progress
ESR300           In Progress
ESR300H          In Progress
ESR350           In Progress
ESR350H          In Progress
ESR600           In Progress
ESR600H          In Progress
ESR750H          In Progress
ESR900           In Progress
EWS1025CAM       Available Now
EWS210AP         In Progress
EWS300AP         In Progress
EWS310AP         Available Now
EWS320AP         In Progress
EWS350AP         Available Now
EWS370AP         Available Now
EWS371AP         Available Now
EWS500AP         In Progress
EWS510AP         In Progress
EWS550AP         Available Now
EWS650AP         Available Now
EWS660AP         Available Now
EWS860AP         Available Now
EWS870AP         Available Now
EWS871AP         Available Now
EAP350V2         Available Now
EAP300v2         Available Now
ESR300           Available Now
ESR350           Available Now
ESR600           Available Now
