Welcome to TP-LINK Tech Support Forum
  1. #46
    The DecoM5 is listed to be vulnerable in post #1.
    Since the mesh design is a bit more complex and does not transparently allow for deactivation of WDS, bridging and Co. (at least not for the backhaul), I am wondering under which circumstances the DecoM5 is vulnerable - and of course when a fix will be available for this top of the line product.

  2. #47
    I've read TP-Link's latest updates, and some of them are hard to reconcile with the information on the linked krack info page. It explicitly states that most wifi-using devices are vulnerable, not just clients (even though clients are the main focus of the attack):

    The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected.
    Most other mainstream router vendors have already either released patches or announced plans to patch this. It may be that TP-Link's devices don't need to be updated, but as every device using the WPA2 protocol is affected, that would be a little surprising. Could you please explain what's different about TP-Link's implementation of the WPA2 protocol that would eliminate the need to address it? And are there any other non-standard protocol implementations we should be aware of?

  3. #48
    Junior Member juergen (Join Date: Oct 2017, Posts: 1)

    Switched to DD-WRT Firmware ...

    .. because DD-WRT has immediately fixed the KRACK vulnerability and I can't wait for weeks until TP-Link does the same.

  4. #49
    I suppose we are all speculating and tplink are the only ones that know for sure what the impact is to their products (for now). As with any public vulnerability, many people are developing exploit kits.

    When those are tested against tplink patched devices and devices deemed not to require a patch, we will know for sure. At that time if it is discovered that tplink did not patch a device it should have, it will look far worse than this poor response.

    I will reserve judgment until then and assume tplink will do the right thing.


  5. #50
    Members jgu (Join Date: Aug 2017, Posts: 15)
    So, today we have learnt that:

    1. TP-Link do not have the technical competency to understand the KRACK vulnerability paper. If they did, they would understand that patching clients AND APs is required to fully mitigate risk.
    2. TP-Link do not care about the network security of their customers - they are content to leave unpatched TP-Link APs and state that network security is the responsibility of the client only
    3. TP-Link do not understand the nature of the technological landscape in which they operate. If they did, they would understand that many client devices won't get patched in a timely fashion, or at all (old Android devices, IoT devices etc), and they would understand that the best thing they could do for their customers would be to ensure all APs are patched.

    I'm literally done with TP-Link after this. I will be recommending all businesses, friends and family members replace any TP-Link devices ASAP.

  6. #51
    Originally Posted by jgu:
    So, today we have learnt that:

    1. TP-Link do not have the technical competency to understand the KRACK vulnerability paper. If they did, they would understand that patching clients AND APs is required to fully mitigate risk.
    2. TP-Link do not care about the network security of their customers - they are content to leave unpatched TP-Link APs and state that network security is the responsibility of the client only
    3. TP-Link do not understand the nature of the technological landscape in which they operate. If they did, they would understand that many client devices won't get patched in a timely fashion, or at all (old Android devices, IoT devices etc), and they would understand that the best thing they could do for their customers would be to ensure all APs are patched.

    I'm literally done with TP-Link after this. I will be recommending all businesses, friends and family members replace any TP-Link devices ASAP.

    I think the biggest failing is lack of a security incident response process to address this issue in a timely manner and proper communication to customers. I posted similar points and received responses saying it's only a client side issue. As I mentioned, I will reserve judgment until I can test with an exploit kit. Now that they have released the list of affected devices, we can test on the other products that are not affected.

    Security is a shared responsibility between end users and all of the manufacturers of various devices. If there is a security issue, it needs to be addressed by everyone. This is my last post on this issue until I can test exploit kits against my tplink router.

    Just published:

    https://github.com/vanhoefm/krackattacks-test-ap-ft



  7. #52
    What a pile on top of TP-Link. Netgear has the same issue and they are 10 times the size of TP-Link and were notified well over a month ago and still don't have fixes. To all the people who will be dumping TP-Link, what manufacturer are you going to go to? I ask this because most of the comparable manufacturers have the same issue. Maybe people should calm down and wait for a fix instead of demanding something that is not an easy repair. Hell, Google is not going to release a fix for Android or Chrome devices until November. How many 100s of millions of Android phones are affected but Google will take its time? Jump on their heads!
    Last edited by Sitedrifter; 10-18-2017 at 18:33.

  8. #53
    About Android... LineageOS was already fixed the same day. About routers... Probably time to switch to Mikrotik.

  9. #54
    Do you realize how obscure LineageOS is in regards to the 100s of millions of Android users? I would bet < .01 percent of the Android users do anything but use the OEM OS. My point being LineageOS is not a good comparison to make TP-Link look like they are sitting on their asses.
    Last edited by Sitedrifter; 10-18-2017 at 19:08.

  10. #55
    Originally Posted by dimon222:
    About Android... LineageOS was already fixed the same day. About routers... Probably time to switch to Mikrotik.
    unfamiliar with Mikrotik... why the recommendation? plz

  11. #56
    Mikrotik had a list of affected products and patch out on day 1. Their router OS is supposed to offer a lot of options for power users, too.

  12. #57
    Originally Posted by is2017:
    I think the biggest failing is lack of a security incident response process to address this issue in a timely manner and proper communication to customers. I posted similar points and received responses saying it's only a client side issue. As I mentioned, I will reserve judgment until I can test with an exploit kit. Now that they have released the list of affected devices, we can test on the other products that are not affected.

    Security is a shared responsibility between end users and all of the manufacturers of various devices. If there is a security issue, it needs to be addressed by everyone. This is my last post on this issue until I can test exploit kits against my tplink router.

    Just published:

    https://github.com/vanhoefm/krackattacks-test-ap-ft


    Due to the published link, APs are only vulnerable to the attacks of key reinstallation in the Fast BSS transition (FT) handshake implemented by 802.11r.
    As far as I know, tplink routers don't support the 802.11r roaming protocol. Thus how can you attack against your tplink router?
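
Post #57 turns on whether an AP offers 802.11r at all. As an added example (not part of any post in this thread and not taken from the linked test tool), the Python below checks the tagged parameters of a beacon or probe response for FT AKM suites in the RSN element and for a Mobility Domain element. The function names are hypothetical and the sample bytes are constructed, not captured from any TP-Link device.

```python
import struct

RSN_IE, MOBILITY_DOMAIN_IE = 48, 54            # IEEE 802.11 element IDs
OUI_IEEE = bytes.fromhex("000fac")
FT_AKMS = {3: "FT-802.1X", 4: "FT-PSK", 9: "FT-SAE"}  # AKM types that use the FT handshake

def parse_ies(buf):
    """Split a beacon/probe-response tagged-parameter blob into (id, data) pairs."""
    ies, i = [], 0
    while i + 2 <= len(buf):
        eid, length = buf[i], buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) < length:
            break                               # truncated element: stop rather than guess
        ies.append((eid, data))
        i += 2 + length
    return ies

def rsn_akm_types(rsn):
    """Return AKM suite type numbers (OUI 00-0F-AC only) from an RSN element body."""
    try:
        off = 2 + 4                             # version + group cipher suite
        (n_pair,) = struct.unpack_from("<H", rsn, off)
        off += 2 + 4 * n_pair                   # skip the pairwise cipher list
        (n_akm,) = struct.unpack_from("<H", rsn, off)
        off += 2
    except struct.error:
        return []                               # RSN element too short to parse
    suites = [rsn[off + 4 * k:off + 4 * k + 4] for k in range(n_akm)]
    return [s[3] for s in suites if len(s) == 4 and s[:3] == OUI_IEEE]

def ft_status(ie_blob):
    """Report whether the AP advertises 802.11r (FT AKMs or a Mobility Domain element)."""
    ft_akms, has_mde = [], False
    for eid, data in parse_ies(ie_blob):
        if eid == RSN_IE:
            ft_akms += [FT_AKMS[t] for t in rsn_akm_types(data) if t in FT_AKMS]
        elif eid == MOBILITY_DOMAIN_IE:
            has_mde = True
    return {"ft_akms": ft_akms, "mobility_domain": has_mde,
            "ft_enabled": bool(ft_akms) or has_mde}

def _rsn(akm_types):
    """Build a constructed RSN element: CCMP group and pairwise, given AKM types."""
    ccmp = OUI_IEEE + b"\x04"
    body = struct.pack("<H", 1) + ccmp + struct.pack("<H", 1) + ccmp
    body += struct.pack("<H", len(akm_types)) + b"".join(OUI_IEEE + bytes([t]) for t in akm_types)
    return bytes([RSN_IE, len(body) + 2]) + body + struct.pack("<H", 0)  # + RSN capabilities

# Constructed samples (SSID "home"); not captures from any real device.
SSID = bytes([0, 4]) + b"home"
PLAIN_WPA2 = SSID + _rsn([2])                                   # WPA2-PSK only
FT_AP = SSID + _rsn([2, 4]) + bytes([MOBILITY_DOMAIN_IE, 3]) + b"\x34\x12\x01"
```

This only answers the AP-side FT question raised in post #57. A device acting as a Wi-Fi client (WDS, repeater or mesh backhaul, as asked in post #46) takes the supplicant role in the 4-way handshake, which this check does not cover.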

  13. #58
    Junior Member Kolbeinn (Join Date: Oct 2017, Posts: 2)
    Thank you for sharing this useful post

  14. #59
    Is the access point ap500 affected by this problem? Can’t find anything on the support page. Please help. Thx

  15. #60
    Junior Member vladdt (Join Date: Oct 2017, Posts: 1)
    This is the last TP-LINK device I will buy. They have good hardware, but the software is shit. My Archer VR900 v1 is not even in the list. Thank you TP-LINK also for the hidden ssh server inside, we have no access. I understand that you need to spy on everyone, but please - sell your devices only in China.


 


Copyright 1996-2017 TP-LINK Technologies Co., Ltd. All rights reserved.