Mimosa WPA2 KRACK Attack


In light of the recent WPA2 key reinstallation vulnerability announcement, does Mimosa have any official statement on the matter? It appears that wpa_supplicant follows the RFC advice to clear the key from memory and effectively allows an all-zero key to be installed during the replay attack.

Mikrotik has already addressed this as of last week.

News on the KRACK Attack:


Mimosa Devices & KRACK Vulnerability

We are looking into this, and will provide updates on this thread.


Just to follow up on this particular problem: there have been a number of CERT releases related to this (ten so far) and from just about every major company. Since the kernel of the Mimosa is basically a Linux kernel and just about every Linux release has this problem, I’m assuming that Mimosa has it too. They just aren’t big enough yet to warrant someone going out and filing a CERT against them.

In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks.

In addition, Android 6.x onward also has been affected. Oh joy!



Our company and our clients are awaiting a response with an ETA of a FW patch. I subscribed to this thread in hopes of hearing about it as quickly as possible.


The WPA2 vulnerability known as KRACK is a vulnerability to all Wi-Fi networks that use WPA2 to protect data transmitted over Wi-Fi connected devices. The vulnerability exploits the 4-way handshake used by the WPA2 protocol by manipulating and replaying the handshake messages between access point and station (client).

Mimosa is actively working on a solution with our technology suppliers to fix this industry-wide vulnerability, and anticipates providing a patch release for our A, B and C series products in approximately 2 weeks.

We understand the concerns surrounding this vulnerability, but also want to provide information regarding its applicability to deployed Mimosa equipment. The KRACK vulnerability impacts Wi-Fi stations or clients, not Wi-Fi access points. Mimosa point to point products, and point to multipoint running in SRS mode, while susceptible to KRACK at the station/client side, gain additional protection from the proprietary nature of the proprietary TDMA protocol which a hacker additionally would need to deconstruct to view any unsecured transferred internet traffic. If possible, until a fix exists, we recommend using TDMA on point to multipoint systems instead of the Wi-Fi interop (CSMA) mode.
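Added example, not part of the thread and not Mimosa's or wpa_supplicant's code: a toy Python model of a station handling a replayed handshake message 3, showing the nonce reset and the all-zero key install mentioned above next to a station that refuses to reinstall. The class, its fields and the sample key are constructed for illustration, and no real 802.11 frames or encryption are involved.

```python
# Toy model of a WPA2 station handling handshake message 3 (illustrative only).
from dataclasses import dataclass, field

ZERO_KEY = bytes(16)
TK = bytes(range(1, 17))  # constructed sample temporal key

@dataclass
class Supplicant:
    tk_in_memory: bytes                 # temporal key derived from the handshake
    reinstall_guard: bool               # patched behaviour: install a key only once
    clear_after_install: bool = False   # wipe the key from memory after installing it
    installed_key: bytes = None
    packet_number: int = 0
    installed_once: bool = False
    sent: list = field(default_factory=list)  # (key, nonce) pairs used on air

    def on_message3(self):
        """Called for the first message 3 and for every retransmission of it."""
        if self.reinstall_guard and self.installed_once:
            return  # patched path: keep the current key and counter
        self.installed_key = self.tk_in_memory
        self.packet_number = 0          # installing a key resets the nonce counter
        self.installed_once = True
        if self.clear_after_install:
            self.tk_in_memory = ZERO_KEY

    def send_frame(self):
        self.packet_number += 1
        self.sent.append((self.installed_key, self.packet_number))

def run(sup):
    """Handshake, two data frames, a replayed message 3, two more frames."""
    sup.on_message3(); sup.send_frame(); sup.send_frame()
    sup.on_message3(); sup.send_frame(); sup.send_frame()
    return sup

def nonce_reused(sup):
    # True if any (key, nonce) pair protected more than one frame
    return len(set(sup.sent)) != len(sup.sent)

def zero_key_used(sup):
    return any(key == ZERO_KEY for key, _ in sup.sent)

if __name__ == "__main__":
    cases = [("reinstalls key", Supplicant(TK, False)),
             ("reinstalls cleared key", Supplicant(TK, False, True)),
             ("patched", Supplicant(TK, True, True))]
    for name, sup in cases:
        run(sup)
        print(f"{name}: nonce reuse={nonce_reused(sup)}, zero key={zero_key_used(sup)}")
```
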


Still planning to have a new patch in the near future (I know it is just barely 14 days and you said approx. 2 weeks)?


There is a fix for the KRACK vulnerability in the newly released 2.4.0, which is available for the A5/C5. There will also be a fix for the KRACK vulnerability in the upcoming 1.4.7 release for the B5/B5c, B11, and B5 Lite.


What is the timeline for 1.4.7 coming out?


What about the G2 product? They are impacted as well.


The KRACK vulnerability can only be exploited from an 802.11 or Wi-Fi station device, and the G2 can only operate as an AP when it is in router mode. In repeater mode, the G2 doesn’t use the 4-way handshake for authentication. Thus the G2 is not vulnerable to the KRACK vulnerability.


We are now in March and Mimosa still has not pushed out a fix for this, and no release information of ver 1.4.7 (B5). As a first time user of Mimosa I must admit that your development and turnaround in resolving firmware specific features and fixes leaves a lot to be desired. Your products are exceptionally expensive to those of us here in South Africa especially. Mimosa has such potential, but currently I fear you guys are losing the plot in such a dynamic and fast paced industry. This is such a great shame and I hope will not be to your eventual detriment. Then those of us who have literally invested a great fortune in your products will most certainly lose out! Come on guys, get cracking!!!


We have mentioned previously that KRACK is a vulnerability that only impacts Wi-Fi/802.11 stations. While Mimosa backhaul products leverage aspects of 802.11, they also run a proprietary TDMA protocol which one would also have to breach in order to exploit the KRACK vulnerability.

We are expecting to have a GA release of 1.4.7 within the next couple of weeks. It contains a fix for the KRACK vulnerability. If anyone needs a more immediate fix, please join our live chat line at http://support.mimosa.co, and request a pre-release version 1.4.7.