Security Update October 2017

wi-fi.org/security-update-october-2017

Search form
View Wi-Fi CERTIFIED™ products by category

Wi-Fi Alliance® provides trusted security to billions of Wi-Fi® devices

and continues to support Wi-Fi users
As with any technology, the robust security research necessary to remain ahead of
emerging threats will occasionally uncover new vulnerabilities. Security researchers
identified vulnerabilities in some Wi-Fi devices and immediately brought their discovery to
the Wi-Fi industry. There is no evidence of the vulnerability being used against Wi-Fi users
maliciously, and Wi-Fi Alliance has taken immediate steps to ensure users can continue to
count on Wi-Fi to deliver strong security protections.

Wi-Fi Alliance now requires testing for this vulnerability within our global certification
lab network
Wi-Fi Alliance has provided a vulnerability detection tool for use by any Wi-Fi Alliance
member
Wi-Fi Alliance is broadly communicating details on this vulnerability and remedies to
device vendors and encouraging them to work with their solution providers to rapidly
integrate any necessary patches

This issue can be resolved through a straightforward software update – a process much like
the software updates Wi-Fi users regularly perform on their mobile devices – and major
platform providers have already started deploying these patches. The software updates do
not require any changes that affect interoperability between Wi-Fi devices. Users can refer
to their device vendors’ websites for more information.

As always, Wi-Fi users should ensure they have installed the latest recommended
updates from device manufacturers. Security is a dynamic endeavor, and Wi-Fi Alliance will
continue to maintain strong security protections for Wi-Fi users.

Relevant Identifiers:

CERT case ID: VU#228519

CVE-2017-13077
CVE-2017-13078

1/3
 CVE-2017-13079
CVE-2017-13080
CVE-2017-13081
CVE-2017-13082
CVE-2017-13084
CVE-2017-13086
CVE-2017-13087
CVE-2017-13088

Relevant research:

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2

Research website

Wi-Fi Alliance members may download the vulnerability detection tool here.

krack

Wi-Fi Alliance News

Wi-Fi Alliance® security update

Frequently Asked Questions

What is the potential impact of this vulnerability on consumers?
There is no evidence that the vulnerability has been exploited maliciously, and
consumers should expect an orderly update cycle for affected devices. We recommend
all users install the latest recommended updates from end-device and network
equipment manufacturers. It is important to note, that many consumer routers are
not affected by this vulnerability, so consumers may not see an update available for
their particular router. For those devices that have been affected, many vendors have
already issued patches or will issue them shortly. Wi-Fi Alliance recommends checking
the vendor’s website for information on specific vendor updates. Users can expect all
their Wi-Fi devices, whether patched or unpatched, to continue working well together.

What will Wi-Fi Alliance do to prevent these types of issues moving forward?
Events like this are rare, but security is never static. Maintaining strong security
protections will always be an ongoing effort. Wi-Fi Alliance encourages responsible
disclosure of any discovered security vulnerabilities, as was the case with this
particular scenario, to ensure the best possible outcome.

2/3
How will I know if my device is affected?
Users should refer to their Wi-Fi device vendor’s website or security advisories to
determine if their device has been affected and has an update available. As always,
Wi-Fi users should ensure they have installed the latest recommended updates from
device manufacturers.

Will the vulnerability detection tool be made available for non-Wi-Fi Alliance member
companies?
Wi-Fi Alliance is making its vulnerability detection tool available exclusively to Wi-Fi
Alliance members in the interest of protecting Wi-Fi users. Similar to the concept of
responsible disclosure, it is important to give vendors an opportunity to distribute
patches before tools for detecting the vulnerability become readily available. Wi-Fi
Alliance may consider making the tool available to non-members after a reasonable
period of time.

Will the fixes to address this vulnerability create interoperability issues between Wi-Fi
devices?
The software updates do not require any changes that affect interoperability between
Wi-Fi devices. Users can expect all their Wi-Fi devices, whether patched or unpatched,
to continue working well together.

How will vulnerabilities in existing devices be fixed?

The issue can be resolved with a straightforward software update – much like users
regularly perform on their Wi-Fi devices already. Major platform vendors have already
started distributing updates to their users, and updates will continue in the coming
weeks. Wi-Fi Alliance now requires testing for this vulnerability within our global
certification lab network and has provided a vulnerability detection tool for use by any
Wi-Fi Alliance member.

Is the identified vulnerability a WPA2™ protocol issue or on issue related to specific

device implementations?
When considering the question of whether a vulnerability is a protocol or
implementation issue, the purpose is often to determine the vulnerability’s broader
implications, such as the pervasiveness of the vulnerability, the ease of addressing the
vulnerability, and the ability to maintain interoperability between patched and
unpatched devices. In this instance, the issue can be resolved through straightforward
software updates that retain interoperability across Wi-Fi devices. Major device and
platform providers, including major operating systems, have already started deploying
updates, protecting a substantial number of affected devices. The Wi-Fi industry is
evaluating whether additional clarity or guidance on implementing the protocol is
necessary in the standard.

3/3