Good day all!
I work in the WiFi industry and I'm also a Telus residential Internet Customer. I also have several family and friends who use Telus residential Internet, and their security is important to me.
I would like to know how Telus plans to address the WPA2 Key Reinstallation Attack (KRACK) WiFi vulnerability announced on 16 OCT 2017.
The following links detail the attack (first link) and a list of vendor responses (second link).
Among the list of vendor responses, Actiontec (the routers used by Telus) has no information.
I realize there will not likely be an immediate solution, but I would like to know: what is the timeline for installation of security updates on the Actiontec routers provided by Telus?
I'm sure once a fix for the WPA2 protocol is out that the router firmware will be updated. Since it just came out it's hard to say how long it'll take to fix.
The vulnerability is also client side as well. Windows, Mac, iOS, Android, Linux etc. All sides will need patching, especially Android 6.0 devices as they are especially vulnerable.
Thanks for the response, Nighthawk. Device patching is straightforward since the user controls the device. I'm more interested in the devices the user doesn't control. What makes you sure the firmware will be patched? I've been looking for a Telus residential maintenance schedule that customers can access, but I haven't been able to find anything.
Part of the reason I've posted this, though, is that hopefully someone at Telus is keen and will direct me to Telus's official announcement on the vulnerability.
WEP can be cracked so fast that it's basically useless. Also from what I understand, Actiontec only supplies the hardware, not the ISP specific software.
While waiting for the patch, make sure all your other devices are updated as well. Many won't get updates but that's a risk most users will have to decide if they want to take. The odds of someone trying to hack your network are extremely remote.
@curtis_ Requesting a new modem from Telus will be useless as it'll still be running the same software as the current ones. Better off waiting for an update.
I haven't heard of a single ISP that has announced a timetable for their individual devices at this point. The Wi-Fi Alliance has already issued some updates to their internal members and it's only a matter of time until they are out to vendors etc. Depending on the device manufacturer, some may be out fast, some may take longer. I'd be more cautious around older Android devices as most will never get a fix for this problem.
Thanks Nighthawk. Sounds like an opportunity for Telus to be the first across the finish line!
As for the Android devices, I agree most will never be patched. It makes me shudder to think of all the IoT devices that will live with this bug for the remainder of their service.... Cameras, home automation equipment, etc... Most of that gear has all kinds of vulnerabilities ready to be tested, including... default password exploits. Haha.
The Actiontec gateways will automatically update themselves once the update is available.
The Actiontec isn't a wireless repeater. It's a standard router.
The devices most susceptible to this hack are not routers but end user devices. Computers, tablets, cell phones (especially Android ones), game consoles, etc.
Language is important on this too. This is a "vulnerability" that may "possibly" be used "if" the hacker is within "close proximity" to the device. This vulnerability has no scale, no great reach. It's most important to organizations that have a trusted Wi-Fi environment not using authentication. Personally, use VPN software if you're worried, or even if you're not, and relax.
I would like to hopefully dispel people's complacency with respect to security issues like this. In general, when there is a new exploit, it's inevitable that someone somewhere will automate the attack and make tools available online. People say things like, "I'm not likely a target because of where I live", or "nobody around me is smart enough to do that." Though those things may seem true, the reality is, when tools are available that will exploit targets simply by driving around, it doesn't take long before it becomes a standard practice for criminals.
@Lola unfortunately, VPN software doesn't protect devices on the victim's home network. Specifically un-secure devices with microphones, cameras, or worse yet devices that will provide entry to the house, like an un-patched garage door opener are all targets for criminals. Users almost never change the default passwords on these, so exploiting them once you have access into the network is trivial.
@Control-Alt-Delete Ubiquiti APs are outstanding value for the dollar, now if only Telus would buy me one.
Now, taking off my tin-foil hat for a minute. There's no need to panic about this exploit; a simple and effective strategy to combat this.. is... make a list of your devices, keep an eye on the vendors' websites for patches (or get a geeky friend to do it).. and most importantly .... change the default passwords!!!!