How to patch an outdated consumer router against KRACK.


Last updated: October, 2017.

If you're using a consumer router, it's probably vulnerable to KRACK.

This small guide covers installing the LEDE firmware, and ensuring wpad is updated.



1. Install LEDE.

Not all routers are supported by LEDE. Search for your router here to verify support.

If your router is suported, click View/Edit data in the Device Techdata column. Download the Firmware LEDE Install URL firmware.

If your router is running another custom firmware, properly revert to the factory firmware first. DD-WRT, for example, provide a reversion binary to return to factory firmware (on a per-router basis).

Exercise caution when flashing custom router firmware. It's possible to brick your router if you flash incorrect firmware. Do not power off the router during the flashing process. It's also a safe idea to not reboot the router for 20-30 minutes after flashing. Do not reboot the router from the power source (do so via the GUI, or SSH).

By default, LEDE uses the local IP address 192.168.1.1. The router GUI will be available via this address after successfully flashing the firmware.

The default username is root, and the default password is blank (as in an empty string). Set a password.


2. Verifying LEDE is not vulnerable to KRACK.

LEDE itself is patched against KRACK since version 17.01.4. If you flashed a verison equal to, or newer than, this version - you are secure.

You can manually verify (and upgrade) wpad via opkg.


SSH into the router

ssh root@192.168.1.1

In Windows, you'll need to use PuTTY.

Check the current version of wpad (or wpad-mini in many releases).

opkg info wpad-mini

wpad is patched against KRACK since version 2016-12-19-ad02e79d-5.

Also check the current version of hostapd-common.

opkg info hostapd-common

hostapd-common is patched against KRACK since version 2016-12-19-ad02e79d-5.

Upgrade packages using opkg.

opkg update

List all upgradable packages.

opkg list-upgradable

To upgrade a package, use opkg upgrade.

This command will upgrade wpad-mini and hostapd-common. You can safely upgrade all upgradable packages.

opkg upgrade wpad-mini hostapd-common

Finally, reboot the router.

reboot


3. You are done.

When configuring WiFi in LEDE, use WPA2-PSK as the Encryption algorithm and Force CCMP (AES) as the Cipher.

LEDE, since version 17.01.4, provides a GUI option to complicate attacks like KRACK - this can optionally be enabled.



Comments are provided by Disqus. To respect user privacy, Disqus is only loaded on user prompt.

I recommend uBlock Origin to protect against Disqus tracking and advertising.