Amcrest products and KRACK vulnerability

Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

t84a wrote: While I feel your pain, I'd say over 80% of the devices are still vulnerable. Androids are NOT safe. Apple is in BETA. ASUS has released nothing. If you're that concerned, stop using all your wifi devices. No one is really protected yet.
Both Google and Apple have released statements about addressing the issue, and it would satisfy me for now if Amcrest did the same. My Android phone uses LineageOS, which has been patched as of this morning along with many other Linux-based devices. I am aware of which devices I own that have not been conclusively patched and they are turned off, so yeah... I'm that concerned. My Amcrest cameras are among those turned-off devices, which is why I am here.
rdkls
Posts: 13
Joined: Tue Oct 17, 2017 11:08 am

Re: Amcrest products and KRACK vulnerability

Post by rdkls »

t84a wrote: While I feel your pain, I'd say over 80% of the devices are still vulnerable. Androids are NOT safe. Apple is in BETA. ASUS has released nothing. If you're that concerned, stop using all your wifi devices. No one is really protected yet.
Neptune wrote: Both Google and Apple have released statements about addressing the issue, and it would satisfy me for now if Amcrest did the same. My Android phone uses LineageOS, which has been patched as of this morning along with many other Linux-based devices. I am aware of which devices I own that have not been conclusively patched and they are turned off, so yeah... I'm that concerned. My Amcrest cameras are among those turned-off devices, which is why I am here.
To mirror what @Neptune said: the difference is that those companies have specifically called out and addressed the issue at hand, whereas Amcrest has yet to even acknowledge it publicly.

For now, wireless functionality has been disabled on any unpatched device within my control.
zeb
Posts: 11
Joined: Tue Oct 03, 2017 8:59 am

Re: Amcrest products and KRACK vulnerability

Post by zeb »

Melvin wrote: Hi all,

Please ensure that the cameras' firmware is updated to the latest version. Also set up a strong password of at least 8 characters. We will periodically release updates against security threats.
Hi Melvin. Although this advice is certainly correct, it is still irrelevant to the issue at stake. Unless you can confirm the latest firmware has been patched against this vulnerability, the length of the password has no effect on KRACK. Can you please return to the developer team and let us know if the latest firmware versions (e.g. for the IP2M-841 V2.520.AC00.18.R) have been patched already, and if not, how long this will take before they are, since this is a critical vulnerability. Thanks in advance.
rdkls
Posts: 13
Joined: Tue Oct 17, 2017 11:08 am

Re: Amcrest products and KRACK vulnerability

Post by rdkls »

Received another response from "R&D".

Image
svd
Posts: 2
Joined: Thu Oct 19, 2017 11:43 am

Re: Amcrest products and KRACK vulnerability

Post by svd »

I too am waiting for an official statement on this grave issue. I need to shut down my wireless cameras until this is resolved; RTSP streams are unencrypted and rely on the WPA2 encryption. I will need to look for a security-aware brand to replace my cameras if no statement is made.
Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

It is quite concerning how little awareness Amcrest has shown regarding this issue in the responses that have been provided. The KRACK vulnerability is mainly a client-side issue, and only impacts routers that are acting as bridges and thus need to act as a client to another router. Yes, the handshaking between the client and the router is the source of the issue, but the attack operates by tricking the client into connecting to a fake access point. It is dangerous for a security-oriented company to be making completely false statements like "If customers updated the firmware of their router, then I think they will be definitely safe." Every client needs to be patched even if the router has been, since it is the client that is vulnerable.
t84a
Posts: 205
Joined: Fri Jun 10, 2016 1:41 pm

Re: Amcrest products and KRACK vulnerability

Post by t84a »

Buy a Fingbox and it will alert you if someone tries to create a fake network. Right now, every attempt to block this threat is in beta or nonexistent. Also understand, someone has to be physically in range of your wifi to do this.
Neptune
Posts: 13
Joined: Mon Oct 16, 2017 4:41 pm

Re: Amcrest products and KRACK vulnerability

Post by Neptune »

t84a wrote: Buy a Fingbox and it will alert you if someone tries to create a fake network. Right now, every attempt to block this threat is in beta or nonexistent. Also understand, someone has to be physically in range of your wifi to do this.
You can block the threat by patching your client devices against the vulnerability and many devices have already been patched, some even before KRACK was announced publicly. If device manufacturers take security seriously and provide updated firmware, there is no need for a third-party device. I do not think anyone posting here is unaware of the proximity required for KRACK. I lock the door to my house even though only someone who is "physically in range" of the doorknob could open it if it was unlocked.
t84a
Posts: 205
Joined: Fri Jun 10, 2016 1:41 pm

Re: Amcrest products and KRACK vulnerability

Post by t84a »

Well, Androids are not protected, nor are the majority of devices.
markplewis
Posts: 45
Joined: Fri Sep 02, 2016 12:41 pm

Re: Amcrest products and KRACK vulnerability

Post by markplewis »

Melvin, please don't do this. Amcrest has not addressed this vulnerability and you know that. Yet you post something here that suggests updating to the latest firmware will protect us. Why would you do that, buddy? Really, just why?

Oh, and please give Adam Ravat a call and tell him we're still waiting for this fix:

Amcrest staff member, Jun 27, 2015:

"Because our plugins were developed utilizing NPAPI, we are affected by this in addition to hundreds, if not thousands of other developers who utilized NPAPI for their plugins. We are currently in development of plugins that will work on Chrome's newest versions, without NPAPI. The scheduled timeline for this to be available has been stated to be September."
Locked