KRACK vulnerability in TomatoUSB?

Discussion in 'Tomato Firmware' started by darksky, Oct 18, 2017.

  1. darksky

    darksky Addicted to LI Member

    Since the Broadcom drivers are a binary blob, are all versions of TomatoUSB (Toastman, Shibby, etc.) forever vulnerable to KRACK?
  2. pegasus123

    pegasus123 Addicted to LI Member

    As I read it, this is a client-only vulnerability.
  3. tievolu

    tievolu Network Guru Member

    It's an attack on the client, but the fix can be implemented on either the client or the server.

    Ideally all routers and access points would be fixed, because the chances of older Android devices with stock ROMs receiving a fix is zero.

    It's a massive, massive problem.
    Last edited: Oct 19, 2017
  4. Sortec

    Sortec Reformed Router Member

    From what I understand, this crack does not allow access but allows a person to view the data stream.
    Like opening up a window shade, but the window is still closed.
    From the articles I read, it is a client side problem, unless your router is acting as a client AP (then the router becomes a problem).

    However, the person sniffing has to be in close proximity to the affected client (i.e. within your Wi-Fi range). So you won't have to worry about foreign hackers getting into your system unless they are parked outside your house!
  5. tievolu

    tievolu Network Guru Member

    The attacker can't get the wifi password, but they can still do some pretty nasty stuff. From the report:
  7. PSL

    PSL Networkin' Nut Member

    As Sortec pointed out, it stands to reason that in the case that Tomato is operating in "Wireless Client" mode it is potentially vulnerable even though Tomato does not implement 802.11r. The Aruba Networks article to which you linked seems to also suggest this:

  8. alpovs

    alpovs Networkin' Nut Member

    Can anyone confirm if I am reading this right? So, if the 802.11r is disabled then the packets still can be read. Right? How is this a fix? Encrypted network becomes open.
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    If a client isn't updated, KRACK can make the client replay packets. Some clients will replay with limited or faulty encryption. The only fix is to update the client.

    The router-to-client vulnerability is 802.11r (FT), which Tomato doesn't implement.

    There are additional vulnerabilities if you're using WPA2/TKIP and WPA2/GCMP; the fix is to switch to WPA2/CCMP. Incidentally, GCMP is a streamlined form of CCMP (AES) because apparently 802.11ac wasn't fast enough for someone, and of course the streamlining introduced issues.

    All packets can be read at any time if they're sent via WiFi. The big thing about KRACK was finding bugs that caused clients to replay packets which also exposed bugs in clients that caused encryption to either not be used or substantially weakened. Anyone within range can capture the data you're sending over WiFi and then, at their leisure, sit around trying to crack the encryption. Or hold onto the capture until an exploit is found, then use the exploit to crack the encryption.
  11. TTROUT

    TTROUT Reformed Router Member

    Wrong. LEDE and DD-WRT have already patched their firmware with an option that prevents KRACK, even if the clients are not patched.
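The two halves of the picture drawn in the posts above (Monk E. Boy: an unpatched client reinstalls the key on a replayed handshake message and re-uses nonces; TTROUT: an access point can carry an option that stops this even for unpatched clients) fit together in one small model. The following is an added example written for this page; it is not code from the thread, from Tomato, LEDE, DD-WRT or hostapd. It is a toy: a SHA-256 stream stands in for the AES-CTR keystream that real CCMP derives from the PTK, the packet number `pn` plays the role of the CCMP nonce, the "attacker" is modelled only by whether message 4 was blocked (which is what makes the AP retransmit message 3), and `FRAME_A` / `FRAME_B` are constructed sample plaintexts. All class and function names are invented for the example.

```python
"""
Toy model of the KRACK key-reinstallation condition on the WPA2 4-way handshake.
Added example, not code from this thread, Tomato, LEDE, DD-WRT or hostapd.
Stand-ins (assumptions): SHA-256 stream instead of CCMP's AES-CTR keystream,
an integer pn instead of the real CCMP nonce, simplified "msg3"/"msg4" calls
instead of EAPOL-Key frames, and constructed sample plaintexts.
"""
import hashlib
import os

# Constructed sample frames, padded to equal length so the XOR lines up.
# FRAME_A is the kind of predictable traffic (an ARP request) an attacker can guess.
FRAME_A = b"ARP who-has 192.168.1.1 tell 192.168.1.23".ljust(60, b"\x00")
FRAME_B = b"GET /login?user=bob&pass=hunter2 HTTP/1.1\r\n".ljust(60, b"\x00")


def keystream(ptk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for the CCMP (AES-CTR) keystream: a pure function of (key, pn).
    Any such stream cipher emits the same keystream when pn repeats under the
    same key, which is exactly what a key reinstallation causes."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(ptk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant side. 'patched' means: once the PTK is installed, a
    retransmitted message 3 is still answered with message 4 but does NOT
    reinstall the key or reset the packet number."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0
        self.installed = False

    def on_msg3(self, ptk: bytes) -> str:
        if self.installed and self.patched:
            return "msg4"          # reply, but keep the existing key and pn
        self.ptk = ptk             # (re)install the PTK ...
        self.pn = 0                # ... and reset the nonce: the KRACK bug
        self.installed = True
        return "msg4"

    def send(self, plaintext: bytes):
        frame = (self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext))))
        self.pn += 1
        return frame


def run_session(client_patched: bool, ap_retransmits_msg3: bool):
    """Returns the (pn, ciphertext) frames an attacker in radio range captures.
    ap_retransmits_msg3=False models the AP-side workaround: the AP never
    resends message 3, so even a vulnerable client never reinstalls."""
    ptk = os.urandom(32)                 # PTK agreed during the handshake
    client = Client(client_patched)
    captured = []
    client.on_msg3(ptk)                  # first message 3: install, reply msg4
    captured.append(client.send(FRAME_A))
    if ap_retransmits_msg3:              # attacker blocked msg4, AP retries msg3
        client.on_msg3(ptk)
    captured.append(client.send(FRAME_B))
    return captured


def recover_with_nonce_reuse(captured, known_plaintext: bytes):
    """If two captured frames share a pn, ct1 XOR ct2 == pt1 XOR pt2, so a
    known pt1 yields pt2. Returns None when no packet number repeats."""
    seen = {}
    for pn, ct in captured:
        if pn in seen:
            return xor(xor(seen[pn], ct), known_plaintext)
        seen[pn] = ct
    return None


def demonstrate():
    """Map (client_patched, ap_retransmits_msg3) -> recovered FRAME_B, or None."""
    return {
        (cp, ar): recover_with_nonce_reuse(run_session(cp, ar), FRAME_A)
        for cp in (False, True)
        for ar in (True, False)
    }


if __name__ == "__main__":
    for (cp, ar), result in demonstrate().items():
        status = "LEAKED: " + result.rstrip(b"\x00").decode() if result else "no nonce reuse"
        print(f"client patched={cp!s:5}  AP retransmits msg3={ar!s:5} -> {status}")
```

Only the combination "unpatched client + AP that retransmits message 3" produces a repeated packet number, and with a guessable first frame the second one falls out of a single XOR; no key is recovered, which matches what tievolu says about the password. The AP-side workaround is the one that hostapd ships as `wpa_disable_eapol_key_retries=1`, and it has the cost implied by the model: if message 4 is genuinely lost on the air, the handshake now fails instead of being retried, which is why the later objection in this thread about "breaking the WiFi standard" is not unreasonable.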
  12. AndreDVJ

    AndreDVJ LI Guru Member

    If someone with skills who can reverse-engineer the wireless drivers (they're binary blobs), patch whatever it needs to be patched, and have deep pockets to cover the lawsuit Broadcom will move against the individual, then perhaps we can have this vulnerability rectified in Tomato (we have like 5 architectures or so).

    The binary blob stuff was discussed exhaustively on this forum. I'm pretty sure Broadcom will show the door to individuals trying to obtain a license for their SDK.

    I don't think Broadcom will be charitable with us individuals and provide binary blobs compatible and linked against our libraries/kernels.

    Current binaries for Asus ARM routers cannot be used on Tomato, because of both licensing issues (e.g. Trend Micro's DPI engine) and missing components (wireless driver won't load - kernel panic). So even if Asuswrt's tree gets patched, it's still an issue for Tomato.
  13. darksky

    darksky Addicted to LI Member

    Yes, I can confirm that LEDE has the patch in the latest release:

    As an aside, I am finding LEDE to be pretty powerful but the webgui is not as friendly or option-rich as tomato's.
  14. Elfew

    Elfew Network Guru Member

    Unfortunately, LEDE is available for a lot of routers without wireless support (driver issue?).
  15. darksky

    darksky Addicted to LI Member

    @Elfew - Yes, you need to research carefully before installing. In my case, I needed to purchase a new router anyway, so I made sure the one I bought would work 100% with LEDE. Many TomatoUSB routers are not fully supported due to Broadcom's lack of open-source drivers.
  16. Elfew

    Elfew Network Guru Member

    What router did you buy?
  18. darksky

    darksky Addicted to LI Member

    I pulled out my wallet and went with the R7800. I am very happy with it so far. Better range @ 5GHz than the R7000 and it's fun to play with LEDE.
  19. Monk E. Boy

    Monk E. Boy Network Guru Member

    I don't know if breaking the WiFi standard is a particularly good way of handling this issue. I'd just toss clients that can't/won't be updated, instead of introducing issues with pretty much every client at random times.

    I get that telecom vendors don't believe in actually supporting the products they're selling, but maybe this is a wake-up call to not buy the products they're selling. I'm getting ready to buy an unlocked phone from someone other than a telecom vendor specifically so I don't get stuck relying on them for updates. A large portion of their revenue comes from overcharging for equipment on a monthly basis, if enough people switch to service-only plans their revenue will take a hit. And service-only plans are cheaper.
  20. RMerlin

    RMerlin Network Guru Member

    All my smartphones have been Nexus so far, specifically for the 2+ years of software updates you get.

    Highly disappointed to see the Nexus platform mostly replaced by the much more expensive Pixel platform.
  21. redsandvb

    redsandvb Network Guru Member

    Sorry if it's been answered, but it's not clear to me (not sure I understand all that's been stated)...

    If a secondary Tomato router is configured in bridge mode (Wireless Ethernet Bridge), is the traffic from devices plugged in to it vulnerable to KRACK?
  22. maurer

    maurer Network Guru Member

    Yes, it's vulnerable, as the Tomato Wi-Fi bridge is a client to the main Tomato AP.
    ALL unpatched clients' traffic is vulnerable!
  23. Adriel

    Adriel Network Newbie Member

    But using Tomato as just an AP is fine right, so long as the client is patched?
  24. Cold Winter

    Cold Winter Networkin' Nut Member

    I think it's hilarious. You mean Broadcom sells a product without the H/W specifications and programmer's model?

    ... and...

    Router manufacturers were stupid enough to buy it???
  25. AndreDVJ

    AndreDVJ LI Guru Member

    Asus, Netgear, Tenda, TP-Link, and any other organization manufacturing networking hardware using Broadcom SoC, obviously have full SDK access and documentation such as datasheets and diagrams.

    Have you fully understood the difference between individuals and organizations?
  26. darksky

    darksky Addicted to LI Member

    F*ck those manufacturers. In a perfect world, hardware and drivers are open-source... this world is far from perfect...
  27. RMerlin

    RMerlin Network Guru Member

    Asus released a patched firmware for the RT-N66U and RT-AC66U, so it's just a matter of time for the GPL to get uploaded. Once they do, Tomato devs will be able to update their SDK components.
  28. redsandvb

    redsandvb Network Guru Member

    That was my fear, thanks for the clarification.

    Good news, Thanks.

    I know they're busy people but hopefully it happens sooner rather than later.
  29. Cold Winter

    Cold Winter Networkin' Nut Member

    So by implication, you're saying the H/W spec and programmer's model (rather specific docs) are out there??? If so, I fail to see why the FOSS community cannot roll their own drivers (seems the LEDE crowd might have).

    If all they have are SDKs/datasheets/etc., then those "organizations" failed basic engineering of the "always have a second source" variety.
  30. RMerlin

    RMerlin Network Guru Member

    The "second source" is why these manufacturers develop routers using multiple suppliers: QCA, Mediatek, Broadcom, etc...

  31. AndreDVJ

    AndreDVJ LI Guru Member

    On the contrary. They can't be out there.

    Diagrams, spec sheets, data sheets, source code, protocols, patents, APIs, etc. are private, closed-source, non-public information that is licensed to organizations upon signing an NDA and many other agreements in order to protect their intellectual property.

    That's why LEDE doesn't work properly on Netgears, and won't work for quite a while (devices with Broadcom Wi-Fi chipsets have limited LEDE supportability, due to limited FLOSS driver availability for Broadcom chips), unless they fully reverse-engineer the whole thing themselves (and I hope Broadcom won't begin a witch hunt against them, such as DMCA takedowns and cease-and-desist orders).

    There are other SoC vendors aside from Broadcom, so Asus, Netgear, TP-Link, Tenda, Belkin, etc. can always have second/third/fourth and so on sources, such as Atheros, Realtek, Ralink, etc.

    Our main problem is that Tomato is stuck on Broadcom, and can't really get rid of it. We're pretty much at the end of the line with Tomato (as it's hard to have new hardware supported).

    It's a good thing that there is LEDE out there, so one day we'll all forget about Tomato and move on with something else. Until then, both my Netgears are dead (WNR3500Lv2 is dead; R7000 and R8000 still left).
  32. jerrm

    jerrm Network Guru Member

    This has been discussed ad nauseam.

    Broadcom chip internals and source are not open. Broadcom does not sell to end users, only manufacturers. Manufacturers have access to all they need, assuming they have an SDK license. Big boys like ASUS and Netgear have them; presumably, the SDK license is worked into most chip deals. Open source projects do not have a license and do not have access unless they pay the $$$ for the SDK.

    DD-WRT is the only third party project known to have access to a Broadcom SDK license and can compile their own drivers. I don't know if that access is via a license purchased by DD-WRT outright or as a by-product of their relationship with Buffalo.

    OpenWRT/LEDE has buggy and limited drivers cobbled together from what is published and reverse engineered. I consider it mostly useless, but some don't.

    "Always have a second source" is a fallacy. It just doesn't apply in any real sense to SoC products. The second source is another SoC with a completely different board. It's not all that uncommon for v1 of a model to be Broadcom and v2 of the otherwise same model number to be Atheros (or vice versa).
    Last edited: Nov 3, 2017
  33. darksky

    darksky Addicted to LI Member

    ... Not all Netgears, just those using Broadcom hardware. For example, my R7800 uses Qualcomm Atheros hardware and works great with LEDE.
  34. AndreDVJ

    AndreDVJ LI Guru Member

    Yes you're correct. Actually I was referring to Netgears with Broadcom SoC.

    "Works great" you mean fully functional like all ports on switch are working, USB 3.0 working, all radios working, all LEDs working and blinking, etc? Or are there limitations?
  35. darksky

    darksky Addicted to LI Member

    No limitations, everything is working and it's really nice to have a modern kernel and active development team (no insult to tomatousb at all).
  36. Cold Winter

    Cold Winter Networkin' Nut Member

    Good points; however, this point I'm not too sure about. First, you're up against multiple unknown entities located worldwide (good luck with DMCA), and second, a copyright claim really only works if the party "copies" your work and then engages in some form of trade with it. If one were to hack this blob, it wouldn't be a local affair, the final product would contain no code from the original (why would anyone want that crap), and finally, it gets released "into the wild" ... no commercial connection of any kind between "developers" and "end users".

    Aside from jurisdiction issues, I suspect you'd have a hard time making a case under most legal systems with that kind of prosecution.

    Can you see the defendants as "person or persons unknown"??? Those "nebulous" parties would, I'm sure, pay lots of attention to that court... eh?
  37. Jacky444

    Jacky444 LI Guru Member

    LEDE is missing a lot of features for my taste. Otherwise the idea is amazing, especially with the ability to actually use any packages you like. I do not know where to get a GUI for Wireless though; is it a package? Testing it on an R7000. Might develop a UI design for it, or something =).
  38. darksky

    darksky Addicted to LI Member

    @Jacky444 - Interesting to hear that you have it on an R7000. My understanding is that the support for 2.4 and even 5.0 GHz wifi there is really basic due to closed source broadcom drivers. Wireless is there, review their wiki:

    As well, some British-sounding guy has a few quick start videos:

  39. Jacky444

    Jacky444 LI Guru Member

    I thought that OpenWRT (which it is based on, I believe?) had a license for Broadcom wireless drivers =(. That really does suck though, cause Wi-Fi is a very important thing =/. I do looooove the modularity though. That's amazing!
  40. ruggerof

    ruggerof Network Guru Member

    Just complementing what RMerlin mentioned, Asus also recently released a firmware for the RT-AC68U patching the KRACK vulnerability.
  43. RMerlin

    RMerlin Network Guru Member

    John backported the RT-AC68U fix to his fork that runs on the older code base. He hasn't published yet because he only pushes on releases, but his merge might be of use. Otherwise, you guys will have to manually update the SDK files Tomato uses.

    For the MIPS platform that's on SDK 6.34, you'll need the 380_8120 GPL + SDK:

    For the old SDK 5.xx platform, you're out of luck, that platform is no longer supported. Nobody published any update from Broadcom on that SDK.
  44. Elfew

    Elfew Network Guru Member

    That sounds great, I hope the patch will be available soon :)
  45. john9527

    john9527 Network Guru Member

    Actually Merlin is 1/2 right.....I ported the KRACK fix over to my fork, but after I had updated the AC68U SDK to the latest version that supports the newer processor revs. I never tried to put the KRACK fix on the version with the older SDK since I think the closed source components that need to be updated are tied to the SDK. Maybe I'm wrong there.

    I've lost track a bit.....did Tomato ever get the newer SDK working?
  47. kille72

    kille72 LI Guru Member

    Good work! When do you plan to update your GitHub with the newest source code, so we can take a look at it as well?