On October 15, 2017, security researcher Mathy Vanhoef announced the discovery of KrackAttacks, a serious flaw in the WPA2 encryption protocol that encrypts most WiFi connections. Using this method, an attacker can decrypt traffic from almost any wireless access point (WAP) and its clients. Every WiFi access point will need to be upgraded with a patch that prevents this attack.
Ubiquiti has already released a patch for UniFi access points that addresses this vulnerability. However, the upgrade process may not be straightforward, depending on the age of your access points. The following process will ensure that you are running a safe version of the firmware (188.8.131.5237 or later). Note that any upgrade will result in downtime for each access point as it is upgraded, so you will want to perform a rolling upgrade if you have multiple devices that will be upgraded while people are using them.
Conventional Upgrade Procedure
First, see if a conventional upgrade will work for your WAPs.
- Launch the UniFi Controller software and connect to your access point.
- Go to Devices and select the access point. Note the version number. You may see an “Upgrade” button under Actions on the far right side of the screen.
- Press the Upgrade button, or perform a rolling upgrade.
- Verify that the new firmware is 184.108.40.20637 or newer.
If That Didn’t Work…
If you have an old version of the UniFi controller and an old firmware (say, 3.2.x) on the access point, the conventional upgrade procedure will leave you at an older, vulnerable version.
- Download and install the latest UniFi controller software.
- The “Upgrade” action button should be available again. Press it, and wait for the WAP to upgrade.
- Check the version. This upgrade may not get you all the way to a secure version (probably 3.8.x as of 17 October 2017).
- If you still didn’t get a secure version, select the access point and expand the “Manage Device” pane on the right-hand side of the screen. Copy the appropriate firmware URL from this article and paste it into the “Custom Upgrade” box. For extra security, download the firmware, verify the MD5 sum, and then enter the local URL into the Custom Upgrade box. The WAP will go offline for a few minutes.
- Verify that the WAP is running 220.127.116.1137 or newer. Note that the Upgrade action will be available again, but it won’t actually upgrade to a newer version. It may even downgrade to the latest release (3.8.x).
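The "download the firmware, verify the MD5 sum" step above can be scripted so that an image is only staged for the local URL when its checksum matches. This is an added example, not part of the original article; the file name, staging directory and expected MD5 shown in the usage comment are placeholders to be replaced with the values published alongside the firmware.

```shell
#!/bin/sh
# Added example: verify a downloaded firmware image against its published MD5
# before staging it where the controller's "Custom Upgrade" URL will point.
# All paths and the expected checksum are placeholders, not values from the article.

# md5_of FILE -> prints the lowercase hex MD5 (GNU md5sum, or BSD/macOS md5)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# stage_firmware FILE EXPECTED_MD5 STAGE_DIR
# Returns 0 and copies FILE into STAGE_DIR only when the checksum matches.
# Returns 1 on a mismatch and 2 on bad input; nothing is staged in either case.
stage_firmware() {
    fw_file="$1"
    fw_stage="$3"
    # Normalise the published value: lowercase, no stray whitespace.
    fw_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')

    [ -s "$fw_file" ] || { echo "missing or empty file: $fw_file" >&2; return 2; }
    case $fw_expected in
        ''|*[!0-9a-f]*) echo "expected MD5 is not hex" >&2; return 2 ;;
    esac
    [ "${#fw_expected}" -eq 32 ] || { echo "expected MD5 must be 32 hex digits" >&2; return 2; }

    fw_actual=$(md5_of "$fw_file") || return 2
    if [ "$fw_actual" != "$fw_expected" ]; then
        echo "MD5 mismatch for $fw_file: got $fw_actual, expected $fw_expected" >&2
        return 1
    fi
    # Checksum matched: stage the image for the local web server.
    mkdir -p "$fw_stage" && cp -- "$fw_file" "$fw_stage/"
}

# Usage (placeholders):
#   stage_firmware ./firmware.bin "<MD5 published with the firmware>" /srv/firmware
```

Take the expected MD5 from the vendor's release page over HTTPS rather than from the same place the image was downloaded, since a checksum fetched alongside a tampered file proves nothing.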