How to Fix: WPA2 Vulnerability using DD-WRT Firmware

By Dennis Faas

Infopackets Reader Paul E. writes:

" Dear Dennis,

I read with interest John Lister's article on the WPA2 exploit (KRACKs), which explains how hackers can break into any WiFi network. I have 4 TPLink routers in my home that I use as 'hot spots' in various locations. As per your suggestion, I have visited TPLink's website for firmware updates for my routers, but there are none available. I am worried that someone is going to break into my network and steal my financial information. What can I do? "

My response:

I own a few TP-Link routers as well, and I have flashed them with the "dd-wrt" firmware, as it is patched against the WPA2 security exploits. Theoretically you could do the same, provided that your router is supported - however, there are some caveats you should be aware of.

Updating to the dd-wrt firmware carries risks, such as: (a) voiding your router warranty, (b) limited support, as the firmware is third-party, (c) bugs in the firmware, (d) bricking the router due to a bad flash, and (e) losing certain functionality (my WPS buttons don't work after the dd-wrt flash).

On the other hand, there are some positive points to using the dd-wrt firmware - namely: dd-wrt has been around for quite some time, is open source, has a large community behind it, is built on Linux and Linksys router firmware, and most importantly is updated regularly, which means it usually includes vulnerability fixes like the one for the WPA2 vulnerability this article is discussing.

How to Fix: WPA2 Vulnerability using DD-WRT Firmware

If you own a router with WiFi capability and you are concerned about the WPA2 exploit, you have two choices:

  1. Fix the WPA2 vulnerability using new router firmware from the manufacturer (if one ever becomes available), or
     
  2. Fix the WPA2 vulnerability using open source dd-wrt firmware. There are risks involved - explained below.

Option #1: Fix the WPA2 vulnerability using new router firmware from the manufacturer

This is the easiest option - but only if a router firmware is available. Some router manufacturers only focus on their newest models, so if you have an old router, there may never be an update. To check if there is a firmware available for your router, do the following:

(a) Look up your router model # and hardware revision #; this may be listed on the underside of the router itself. If not, it should be listed in the router web administration page. Since each router configuration is different I cannot explain how to do this - refer to your router manual. If you can't find it, you should be able to find the router manual online.

(b) Visit the manufacturer's website and locate the firmware for your specific model number and hardware revision to see if there is a firmware update. Any firmware that is newer than October 20, 2017 (or so) will likely fix the exploit - but you will have to look specifically at the firmware description to see if it makes mention of the WPA2 vulnerability fix.

(c) If the WPA2 vulnerability fix is available, download the firmware and flash it using a wired connection (not wireless).

If no firmware is available, you can try Option #2.

Option #2: Fix the WPA2 vulnerability using open source dd-wrt firmware

If you accept the risks I've outlined above and are willing to flash your router using the dd-wrt firmware, you can do the following:

(a) Login to your router's web administration page and look up the hardware revision and firmware number of the router. Since each router configuration is different I cannot explain how to do this - refer to your router manual. If you can't find it, you should be able to find one online.

(b) Once you know your router model # and hardware revision, go to the dd-wrt website via the router database page and search for your router. If you don't see your model number, try searching again with a shorter model number. For example, my TPLink router is the "TP-Link TL-WR841ND v9", but searching for "WR841N" also brought up results.

(c) If you find your router model number but the router database search does not match your hardware revision (as was my case), you can also search the beta firmware releases. Please note that beta firmware is exactly how it sounds - it's beta - which means it's likely got bugs (likely in the user interface) but most of it should function. You can search the beta firmware using the 'other downloads -> beta' link. Once there, click this year's directory, then click the folder with the second or third latest dd-wrt release.

Note: I suggest using the second or third latest release because some of the absolute 'latest' releases may have bugs that could potentially brick your router. Oftentimes these severe bugs are caught by the community after a few routers have been ruined, and the firmware is fixed later. As such, using an older beta release is considered a safer option.

(d) Once you are in the beta directory -> year -> second or third latest dd-wrt release, press CTRL + F on your keyboard to bring up the browser 'search' feature. Next, type in part of the name of your router model number (example: if your model is the "TP-Link TL-WR841ND v9", search for "WR841N") and press enter to perform a search. When you find your router, click the link with your hardware number.

(e) Now that you have located the appropriate firmware, you'll notice that there are two firmware files in the directory: factory-to-ddwrt.bin, and xxx-webflash.bin. Download both files to your computer and hook up your router using a wired connection to port #1 (not the "WAN" or "Internet" port).

You will need to use your router's administration page to flash "factory-to-ddwrt.bin" first; this will put the 'bare bones' dd-wrt firmware on your router. Once that is completed, the router will reset and the new router admin page will be available at 192.168.1.1. Go to the new admin page and set your admin user name and password, then go to "Administration" -> "Firmware Upgrade" to flash the router with the xxx-webflash.bin you downloaded.

Once that is complete, set up the router as you normally would with your Internet Service Provider (ISP)'s login details if required, and also choose WPA2 for your WiFi security, SSID name, etc.
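The selection rule from steps (c) and (d), written out as an added example (not part of the original article and not dd-wrt code): skip the newest beta build, look in the second or third latest release, match the model by a partial name, and require the hardware revision to match exactly. The directory listing and its naming scheme are constructed assumptions; adjust the patterns to what the real listing shows.

```python
import re
from datetime import date

# Constructed listing: release directory -> router folders inside it.
# The MM-DD-YYYY-rNNNNN and vendor_model + vN naming is an assumption.
SAMPLE_LISTING = {
    "09-05-2017-r33215": ["tplink_tl-wr841ndv8", "tplink_tl-wr841ndv9"],
    "10-17-2017-r33525": ["tplink_tl-wr841ndv9", "tplink_tl-wr841ndv11"],
    "10-20-2017-r33555": ["tplink_tl-wr841ndv8", "tplink_tl-wr841ndv11"],
    "10-27-2017-r33607": ["tplink_tl-wr841ndv9"],
}

def release_date(name):
    """Parse the date prefix of a release directory name, or return None."""
    m = re.match(r"(\d{2})-(\d{2})-(\d{4})-r\d+$", name)
    if not m:
        return None
    month, day, year = map(int, m.groups())
    return date(year, month, day)

def matches(folder, model_fragment, hw_rev):
    """Partial model match, but the hardware revision must match exactly."""
    m = re.match(r"(.+?)v(\d+)$", folder.lower())
    if not m:
        return False
    # Compare revisions as integers so "v9" never matches "v90" or "v1" "v11".
    return model_fragment.lower() in m.group(1) and int(m.group(2)) == hw_rev

def pick_firmware(listing, model_fragment, hw_rev):
    """Return (release, folder) from the 2nd or 3rd latest release, else None."""
    dated = sorted((r for r in listing if release_date(r)),
                   key=release_date, reverse=True)
    for release in dated[1:3]:  # skip the newest build, as the note advises
        for folder in listing[release]:
            if matches(folder, model_fragment, hw_rev):
                return release, folder
    return None  # no safe candidate: do not fall back to another revision

if __name__ == "__main__":
    print(pick_firmware(SAMPLE_LISTING, "WR841N", 9))
```

A `None` result means neither of the two candidate releases carries a build for that exact hardware revision, in which case flashing a build for a different revision is the bad-flash risk listed earlier.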

You can watch a full video explaining what I just mentioned here.

I hope that helps!

Additional 1-on-1 Support: From Dennis

If all of this is over your head, or if you need additional support flashing your router to the dd-wrt firmware in order to protect yourself against the WPA2 KRACKs exploit - I can assist using my remote desktop support service. Simply contact me, briefly describing the issue and I will get back to you as soon as possible.


About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise span a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.


Comments

rwells78

Dennis, Are there other options in addition to dd-wrt? If so do you recommend dd-wrt because of the wide range of routers covered, ease of installation or based on your use of this specific product?

Dennis Faas

I have not researched this but I believe dd-wrt is probably the only viable third-party firmware option available. Typically the ONLY firmware you flash in a device is the one that is offered by the manufacturer.