Amcrest products and KRACK vulnerability

[entresec]

Bump. Still waiting on a response for one or more of these:

1) Was Krack patched in the latest round of firmware updates? If so, which ones specifically?
2) If not, when can we expect a response as to when you'll know more, or when a fix will be issued?

For reference, here is the link to the disclosure, which talks about this mainly being a client side attack (i.e. Amcrest Camera):

https://www.krackattacks.com/

[Melvin]

Hello all,

The KRACK mainly aim at the routers, hackers utilize this flaw to create a fake AP to be disguised as your WiFi. And then they build Phishing website to steal your account or credit card information. Basically, the flaw exists during the handshaking i.e. authenticating process, so your password of the router is safe.

Hacker must be around your location to fake your WiFi; Information is not encrypted so they can steal them via package capturing or Phishing sites.

For our device, the account credentials are encrypted by the MD5 algorithm so it cannot be cracked that easily. And our video stream is also secured.

[entresec]

Hello all,

The KRACK mainly aim at the routers, hackers utilize this flaw to create a fake AP to be disguised as your WiFi. And then they build Phishing website to steal your account or credit card information. Basically, the flaw exists during the handshaking i.e. authenticating process, so your password of the router is safe.

Hi Melvin,

The above information is inaccurate. Please see the link I posted. Here are excerpts taken from said link, whose author is the person who published this vulnerability.

"During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks."

Me: Apple and Windows do not make routers. This attack affects clients as well. A full ist of known devices is available here, which includes more then just routers: https://www.kb.cert.org/vuls/byvendor?s ... rchOrder=4

"As a proof-of-concept we executed a key reinstallation attack against an Android smartphone."

Me: Again, not a router.

"Our main attack is against the 4-way handshake of the WPA2 protocol. This handshake is executed when a client wants to join a protected Wi-Fi network, and is used to confirm that both the client and access point possess the correct credentials (e.g. the pre-shared password of the network)."

Me: Note the reference to client here. This is not the router.

(Under the FAQ) "Is it sufficient to patch only the access point? Or to patch only clients?

Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points. Note that only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable."

Me: See above where it says "patching the AP will not prevent attacks against vulnerable clients"

Back to my original question, when will we know when a patch will come out for our cameras? Clearly now, the answer is that the existing firmware did not patch this issue. (Me reading between the lines from your last response)

[samsf28]

Hi Melvin, when can we expect to get firmware updates that patches this vulnerability? From all the articles about it, they all mention it as a client side issue too.

[Melvin]

Hello entresec,

Thank you for the detailed post. This issue is already under the review of our R&D team. We hope to come up with a fix pretty soon. We will keep you updated on the status.

[Neptune]

Hello entresec,

Thank you for the detailed post. This issue is already under the review of our R&D team. We hope to come up with a fix pretty soon. We will keep you updated on the status.

Wow. We are five pages into this thread that was started October 16th and multiple people have discussed this issue in detail. Today you give a word-for-word duplicate response that was given to rdkis on October 19th (second page of the thread) saying that this is not a problem and your customers are safe, but now we will get a fix "pretty soon." This is just absurd. Yeah, I'd like a fix... and you should have given us this response weeks ago instead of pretending that you understand the issue and ignoring users that are ceasing use of your product because of your failure to take this seriously.

[entresec]

Hello entresec,

Thank you for the detailed post. This issue is already under the review of our R&D team. We hope to come up with a fix pretty soon. We will keep you updated on the status.

Thanks Melvin. Please ask your Dev team to consider this a critical vulnerability, which generally means resolution within <30 days. I look forward to your updates.

[svd]

Hopefully a patch will be available soon.


Following information is also incorrect

Hello all,
For our device, the account credentials are encrypted by the MD5 algorithm so it cannot be cracked that easily. And our video stream is also secured.

md5 can be relatively easily be cracked nowadays. And please explain how an rtsp stream is secured from snooping? I am pretty sure it is not.

[Neptune]

You're right, it isn't. And I would be shocked if Melvin knew that. All he did was copy-paste a response that someone else made three weeks ago (taken from a reply by rdkis):

[dynostatic]

MD5 for password hashes? I almost spit out my coffee. I wouldn't be bragging about that on a public forum. Hey Amcrest, we love your hardware, but you're going to have to do a little better. This is a big deal, and your response needs to match. I don't want to worry about my neighbor's teenage kid learning about this on 4chan and trying to hack the neighborhood with a pringles can.

Every wireless product you have ever made that supports WPA needs a patch, and that needs to be on a timetable and publicly posted.