URGENT NOTICE: Rajant Mesh Networks and the KRACK WPA2 Vulnerability

by Josh Parker - Tue Dec 05 14:32:23 UTC 2017
Tags: mesh, v11, Security, Analysis, instamesh, online, networking

You probably saw the news yesterday about a new WPA2 vulnerability called KRACK (info at https://www.krackattacks.com/). The vulnerability is built into the WPA2 specification, so a huge number of devices are impacted. With regard to Rajant, here's what you need to know:

What is the vulnerability?

The WPA2 specification allows an attacker to send a packet that will trick a client device into reusing a key. Some clients, depending on their implementation, can be tricked into using a known key of all zeros. This compromises that client's privacy (their traffic can be sniffed and read) AND allows for packet injection to the client (the attacker can send packets to the client on the network's behalf).

Does it affect BreadCrumbs®?

For most customers, it does not affect BreadCrumbs at all. Rajant BreadCrumbs, by default, are neither Wi-Fi Access Points (APs) nor Wi-Fi Clients. BreadCrumbs use InstaMesh® as their networking protocol. WPA2 is an encryption method specifically for Wi-Fi. The KRACK vulnerability exists on the Wi-Fi client side, so it is all of the client devices out there that have to be updated—for the most part. There is a single Access Point component to the vulnerability for APs that offer 802.11r fast roaming. Since BreadCrumbs do not support fast roaming, they are not affected by this single AP vulnerability. While many routers will need urgent updates due to this vulnerability, BreadCrumbs are not among them. 

HOWEVER, there is one use case you should be aware of. BreadCrumbs do offer a hybrid clientmesh mode to support transitioning from a legacy infrastructure to a full mesh infrastructure. This was a feature developed for a specific scenario one of our resellers faced, and was provided to be used temporarily during a network migration. Further information about this feature can be found in the BC|Commander User Guide, Appendix D.4, “Configuration of Client Mode BreadCrumbs.” We are not aware of any customers currently using this feature, but any who are using this feature ARE affected by the vulnerability IF they are not using mesh crypto. In other words, if you have configured a transceiver within a BreadCrumb to act as a Wi-Fi client, it is important to enable Mesh Crypto to protect against this potential vulnerability. We are closely tracking the related tools used inside the BreadCrumbs to support client mode and will incorporate any patches as soon as they are available and can be tested. 

For additional information or further questions, please contact Rajant support at support@rajant.com.