143

Following on from this question, I am unclear on which of the following steps are sufficient to protect a WPA2-based wifi connection from the KRACK flaw:

  1. Patching the AP (e.g. router)
  2. Patching the client (e.g. mobile device)
  3. Patching the AP and the client

The currently most upvoted answer, citing https://www.krackattacks.com, states:

Both clients and access points are listed in the paper as being vulnerable.

and:

implementations can be patched in a backwards-compatible manner [...] To prevent the attack, users must update affected products as soon as security updates become available. [...] a patched client can still communicate with an unpatched access point, and vice versa.

But this seems to leave open the question of which combination(s) of patches would be an effective fix. It's clear for example that if I were to patch my phone, it would still be able to communicate with an unpatched AP, but would that communication be secure?

This is an important question, because while it is relatively easy to make sure my clients are patched once the patch is available (since the number of OS vendors is relatively small), ensuring all routers are patched (particularly in public wifi APs) seems like a much harder task due to the number and size of the vendors, and the lack of control over third party hardware.

Jon Bentley
  • Another way of protecting without patching is using VPN. See https://security.stackexchange.com/q/171431/22488 Make sure you use a proper VPN solution like OpenVPN to home, or F-Secure Freedome, and not one of the many that insert javascript or install certificates. – SPRBRN Oct 18 '17 at 12:04

9 Answers

86

To fully protect your network, both the device and the access point will need to be patched:

Source: https://www.krackattacks.com/#faq

Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!

Citricguy
  • This quote gives a one way implication. It does not tell if patching the client only is sufficient. If not, everyone is screwed and we can close all wifis. You can't check the routers in the local eduroam or other networks at your workplace. – Vladimir F Героям слава Oct 17 '17 at 14:04
  • @VladimirF It sounds pretty explicit to me: "both the client and AP must be patched to defend against all attacks" – Jeff Alyanak Oct 17 '17 at 15:31
  • Patching the router is only needed if the router works as client too, i.e. when being a repeater or supporting roaming. The same FAQ, only later: *"What if there are no security updates for my router? ... it might be that your router does not require security updates."*. – Steffen Ullrich Oct 17 '17 at 18:52
  • BTW, the quote in this answer was not on krackattacks.com when I read through the site yesterday and made my post. I still have the un-refreshed page loaded in a browser tab. Was wondering how I missed seeing it... – mobill Oct 17 '17 at 19:30
  • It is important to note that AP patching protects against the 802.11r FT attack which is typically only used on enterprise networks with multiple APs in a single location and roaming. I am not sure if the typical home/office AP or router even supports 802.11r, but it could be disabled without loss of functionality instead of patching the router/AP. If the router/AP is also a client (e.g. in some type of extender or mesh configuration), then patching the router/AP as a client will still be necessary. – NetMage Oct 17 '17 at 23:52
  • @JeffAlyanak It does look like that, but at the same time https://security.stackexchange.com/a/171549/52150 – Vladimir F Героям слава Oct 18 '17 at 18:50
  • @Vladimir F I think what that answer is saying in that response is that sometimes the AP can act as a client too and because this is an attack on the client, in some cases the AP will need an update as well. Thus, "Both the client and the AP must be patched to defend against ALL attacks". Not always... but sometimes. Ultimately, "we're all screwed, some of the time" – Citricguy Oct 19 '17 at 10:03
  • @VladimirF, but that answer says "not always". How about we just stay on the safe side and always patch the client, and always patch the router? – NH. Oct 19 '17 at 16:37
  • @NH. At home and at your work sure. At the airport? Or on a train? How are you gonna check they are patched? And even at home the router often belongs to and is administered by the ISP. – Vladimir F Героям слава Oct 19 '17 at 17:52
  • @VladimirF, you can't. But you can and should use https everywhere, and avoid sharing files and devices when at airports (why would you, anyways?). – NH. Oct 19 '17 at 20:12
  • @NH I mentioned router owned by the ISP (**very** common), not just airport... – Vladimir F Героям слава Oct 23 '17 at 07:23
50

TL;DR: It is often (but not always) enough to properly patch the WiFi client.
You need to also patch the router if it works as WiFi client too (e.g., a repeater) or has fast roaming (802.11r) enabled.

The essential part of the attacks is that the client accepts message 3 of the 4-way handshake again, which causes the client to re-install the same encryption key and to reset nonce and replay protection, this way making replay and sometimes even injection possible.

This means if the client is patched to not accept a message 3 which contains the same key as already installed, it will not reinstall the key and not reset nonce and replay protection. This should be sufficient to thwart the attack, no matter if the server is patched or not.

Also, directly taken from the https://www.krackattacks.com:

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

Captain Man
Steffen Ullrich
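To make the mechanism in the answer above concrete, here is a toy simulation (added here as an example; it is not code from the answer, from krackattacks.com or from the hostap project). It models only the nonce-reset variant the answer describes, not the all-zero-key variant some Linux and Android clients had. The "keystream" is a SHA-256 stand-in for CCMP, the handshake carries only the fields the replay needs, and the PSK, nonces and frame contents are constructed. A `patched` client refuses to re-install a PTK it already holds, as the answer says the fix does; an AP that does not retransmit message 3 corresponds to the AP-side workaround discussed in later answers.

```python
"""Toy model of the KRACK message-3 replay against a WPA2 client.

Constructed simulation, not real 802.11/hostap code: the per-packet
"keystream" is SHA-256(PTK || nonce || counter), standing in for CCMP, and
the handshake carries only the fields the replay needs.
"""
import hashlib
import os


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream: a function of (key, nonce) only, so a
    repeated nonce under the same key repeats the keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Supplicant side of the 4-way handshake."""

    def __init__(self, pmk: bytes, snonce: bytes, patched: bool):
        self.pmk, self.snonce, self.patched = pmk, snonce, patched
        self.ptk = None
        self.pn = 0  # packet number, used as the CCMP nonce

    def handle_msg3(self, anonce: bytes):
        """Msg3 tells the client to install the PTK derived from the nonces."""
        ptk = hashlib.sha256(self.pmk + anonce + self.snonce).digest()[:16]
        # Patched behaviour: a Msg3 carrying the already-installed key is
        # acknowledged but not installed again, so the packet number keeps
        # counting. Vulnerable behaviour: every Msg3 installs the key and
        # resets the packet number to its initial value.
        if self.patched and ptk == self.ptk:
            return
        self.ptk = ptk
        self.pn = 1

    def send(self, plaintext: bytes):
        frame = (self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext))))
        self.pn += 1
        return frame


def run_scenario(client_patched: bool, ap_retransmits_msg3: bool) -> dict:
    """Attacker in the middle: drop the client's Msg4 so the AP retransmits Msg3,
    then deliver the stale Msg3 after the client has already sent a data frame."""
    pmk = hashlib.sha256(b"constructed PSK for this toy model").digest()
    anonce, snonce = os.urandom(32), os.urandom(32)
    client = Client(pmk, snonce, patched=client_patched)
    client.handle_msg3(anonce)  # first (legitimate) Msg3 installs the PTK
    known = b"known plaintext, e.g. a predictable frame"
    secret = b"secret plaintext the attacker wants to"
    pn1, ct1 = client.send(known)
    # Msg4 was dropped. An AP that retransmits EAPOL-Key frames sends Msg3 again
    # (same ANonce, hence same PTK); one configured not to retry gives the
    # attacker nothing to replay.
    if ap_retransmits_msg3:
        client.handle_msg3(anonce)
    pn2, ct2 = client.send(secret)
    reused = pn1 == pn2
    # Same key, same nonce -> same keystream: the known plaintext of frame 1
    # recovers the keystream, which decrypts frame 2.
    recovered = xor(xor(ct1, known), ct2) if reused else None
    return {"nonce_reused": reused, "recovered": recovered, "secret": secret}


if __name__ == "__main__":
    for patched, retries in [(False, True), (True, True), (False, False)]:
        r = run_scenario(patched, retries)
        print(f"client patched={patched} AP retransmits Msg3={retries}: "
              f"nonce reused={r['nonce_reused']} decrypted={r['recovered'] == r['secret']}")
```

Only the first combination (vulnerable client, retransmitting AP) reuses a nonce and lets the attacker decrypt the second frame; either fixing the client or stopping the AP from retransmitting message 3 removes the reuse in this model. A real attacker additionally has to sit in the middle of the channel to delay the frames, which the simulation abstracts away.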
28

According to this IBM XForce post:

[...] Attacks must be within range of the access point and client. Both the client and access point have to be patched in order to be protected from these attacks. If the access point is patched, but not the client, exploitation is still possible.

Prior to Tuesday 2017-10-17, 10:42 CDT, IBM said:

[...] if even only one of the devices (client or access point) has been patched, the pair are not vulnerable to this form of attack.

I left the original text for historical purposes.

Mark Booth
mobill
  • To try and further explain, my understanding is that the attack relies on the "re"-installation of a key that is known by the attacker (specifically, the key is 0). The AP and station need the same key to communicate. If the key is only changed on one in the pair, they won't be able to communicate thus there would be no communications for the attacker to intercept. – multithr3at3d Oct 17 '17 at 00:12
  • This is at odds with [krackattacks.com](https://www.krackattacks.com/#faq), which states: *Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!* – Will Vousden Oct 17 '17 at 08:20
  • Look at this commit: https://github.com/vanhoefm/krackattacks/commit/1b32c02dd7371dbbd09912f1b3159c02b4c6ee61. This was made to clarify the b***** of IBM XForce post. – solsTiCe Oct 17 '17 at 08:59
  • This answer has the most upvotes, but it is wrong and it is misleading people, so that should be clarified. – Mirsad Oct 17 '17 at 12:05
  • @WillVousden That quote gives a one way implication. It does not tell if patching the client only is sufficient. If not, everyone is screwed and we can close all wifis. You can't check the routers in the local eduroam or other networks at your workplace. – Vladimir F Героям слава Oct 17 '17 at 14:03
  • @VladimirF I guess it's ambiguous; it's not clear whether it means that for a given (device, AP) pair, security is only achieved when both are patched, or that for all devices and APs to be secure, they must all be patched (which is not a very helpful piece of advice). To me the first interpretation makes more sense. – Will Vousden Oct 17 '17 at 14:32
  • @WillVousden It does not say even that. It says if AP is patched and the client not, it is vulnerable. It does not say anything about an unpatched AP and an unpatched client. – Vladimir F Героям слава Oct 17 '17 at 14:37
  • Here's how I parse it: 1) patched AP can still connect to unpatched device. 2) (and vice versa) patched device can still connect to an unpatched AP. 3) To defend against the full set of vulnerabilities, the AP AND the device must be patched. Given that a patched AP/unpatched device is vulnerable to some subset of the vulnerabilities AND a patched device/unpatched AP is vulnerable to a (possibly) different subset. – mobill Oct 17 '17 at 15:03
  • @mobill That's my understanding as well. – Will Vousden Oct 17 '17 at 21:07
  • It seems to me that it should be possible to mitigate unpatched client vulnerabilities with the right changes on the AP side, such as noticing an extra Message 3 ACK (for a packet not re-sent) and/or rejecting an extra Message 4 (reply to 3?). – NetMage Oct 17 '17 at 23:56
  • @mobill: It would be great if you could reword your answer with *first* a TL;DR, and then only the historical perspective. The TL;DR at the start would ensure that no-one accidentally misinterprets your answer, while the historical perspective helps people who heard prior statements understand those were mistaken (editing in the link to the patch in response to IBM statement would be a plus, as comments are ephemeral). – Matthieu M. Oct 18 '17 at 09:12
10

I hear things both ways, it's hard to tell. The paper mentioning both clients and APs sounds like there is at least something to be done on both sides. This comment makes sense to me: "most access points will be fine, but those performing client functions (eg repeaters) will need updating."

Sorry that I cannot give a definitive answer, I'll update if I find one. Hope this helped at least.

Luc
  • I think it also depends what feature(s) of WPA2 you are using. "When attacking the Fast BSS Transition (FT) handshake, we can decrypt (and forge) packets sent *towards* the client" (https://www.krackattacks.com/). – Nemo Oct 16 '17 at 19:53
4

One point that may be forgotten is repeaters. If your setup is computer <-> repeater <-> router <-> broadband line, and repeater / router are both unpatched and connected through WiFi, then any traffic between router and repeater could be sniffed indirectly, including anything that your computer sends or receives.

In that situation, if just the repeater is patched, everything is safe. If not, then computer and router must be patched because they both connect to the unpatched repeater.

gnasher729
  • I thought it was computer and repeater because both accept the third step of the handshake. – wizzwizz4 Oct 21 '17 at 13:44
  • I assume that you start with a broadband modem or other modem, which is connected to a router (no WiFi, and often the modem is inside the router), which has a WiFi connection to the repeater, so one of router or repeater must be patched, and the repeater has a WiFi connection to the client, so either repeater or client must be patched. – gnasher729 Oct 21 '17 at 15:29
  • By my understanding, it's not "one of" - the attacker sends a duplicate of the third step to the client and this puts the client into an unexpected state -> attacker wins. A patched _connectee_ wouldn't fix this. – wizzwizz4 Oct 21 '17 at 16:23
  • The "unexpected state" is supposed to create a connection with an encryption that the attacker can attack. If the other side then just refuses the connection, it doesn't matter how confused the connectee is. There won't be a connection. – gnasher729 Oct 21 '17 at 20:20
3

The official krackattacks.com website now has this FAQ entry:

Is it sufficient to patch only the access point? Or to patch only clients?

Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points. Note that only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable.

That said, we are working on access points modifications that do prevent attacks against vulnerable clients. These modifications are different from the security patches for vulnerable access points! So unless your access point vendor explicitly mentions that their patches prevent attacks against clients, you must also patch clients.

This explains why there's been so much confusion surrounding this question, both here and elsewhere on the web.

Technically speaking, only the clients (including access points that act as a client, such as repeaters) and access points that support the Fast BSS Transition handshake are vulnerable and need to be fixed.

However, it's possible to modify access points in a way that prevents attacks against clients even if the clients are vulnerable (though the access point itself is not). This modification is completely different from the modification needed to "fix" vulnerable access points (those acting as a repeater or supporting Fast BSS Transitions), so a patch for your access points may or may not prevent attacks against vulnerable clients depending on exactly what type of "fix" the patch contains.

So depending on the capabilities of your access point and which type of patches are available for it, at a minimum you may need to patch only your access point, only your clients, or both in order to defend against this attack. Obviously in the ideal scenario, all vulnerable devices should be patched, regardless of what extra mitigations have been implemented on the access point.

Ajedi32
  • +1, nice catch of the update to the situation. However, I will also point out that just because there is work on an update that will protect clients as well doesn't mean that such work is going to be successful or if successful apply to all clients. Combined with the fact that most wireless devices will connect to multiple wireless networks in their lifetime, and the client patching should still be considered a priority. – YLearn Oct 24 '17 at 16:44
  • @YLearn Such an update does already exist for some devices: https://w1.fi/cgit/hostap/commit/?id=6f234c1e2ee1ede29f2412b7012b3345ed8e52d3 I agree though, obviously patching everything is ideal, regardless of what work-arounds have been implemented on the access point. – Ajedi32 Oct 24 '17 at 16:47
  • Since there are nine client side CVEs, fixing five of them is not fixing the client side vulnerability, even if it does mitigate the worst of them. – YLearn Oct 24 '17 at 16:51
2

In response to whether patching the AP alone is sufficient:

Reference: WIP patch in 'wpa_supplicant' used in most Linux distros

According to the above commit - it seems possible to prevent the attack by patching only the AP:

This option can be used to work around key reinstallation attacks on the station (supplicant) side in cases those station devices cannot be updated for some reason. By removing the retransmissions the attacker cannot cause key reinstallation with a delayed frame transmission. This is related to the station side vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, and CVE-2017-13081.

However this is optional, a default build of this module may not have this option enabled.

Based on the other related commits / comments, it appears the best option is to patch the client.

javaPhobic
  • Possible to prevent most of the vulnerabilities, not all. Same as patching a client prevents most of the vulnerabilities, but not all. – YLearn Oct 24 '17 at 16:49
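For readers who run their own access point, this is what the workaround quoted in the answer above looks like in practice. The option, `wpa_disable_eapol_key_retries`, lives in hostapd.conf (hostapd is the AP daemon of the same hostap code base as wpa_supplicant) in builds that carry the commit linked in the comments on the previous answer. The fragment below is an added example, not configuration from the answer or from the hostap project; interface, SSID and passphrase are placeholders.

```conf
# hostapd.conf excerpt (added example; interface/SSID/passphrase are placeholders)
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=replace-with-a-real-passphrase

# Default behaviour: EAPOL-Key message 3/4 and group message 1/2 are
# retransmitted when the station does not answer in time. A replayed
# retransmission is what a vulnerable station turns into a key reinstallation.
#wpa_disable_eapol_key_retries=0

# Workaround for stations you cannot update: send those messages only once.
# Slow or power-saving stations may then fail to complete the handshake, so
# this trades handshake robustness for protection of unpatched clients.
wpa_disable_eapol_key_retries=1

# This does not replace patching the AP itself where it is vulnerable: as a
# client (repeater/mesh operation) or through 802.11r. For the latter, leaving
# fast transition off (the default) is a configuration-only mitigation.
#ieee80211r=0
```

Check the running daemon's version against the commit before relying on this: on a build without the option, hostapd rejects the unknown key in its configuration and will not start with this line present.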
1

Patching the AP is only needed if the AP acts like a client.

For example:

  1. If it supports fast roaming (802.11r).

  2. Is part of a mesh (mesh leaf) like in fortinet products

  3. Can act like a repeater

  4. Supports station-to-station traffic

In these cases the AP should also be patched.

BUT... Patching the AP will also mitigate the attack on unpatched clients that are connecting to this AP (by not sending a zeroed Msg3), so maybe you need to patch the AP in order to protect your clients.

Peter Mortensen
  • 802.11r is not the AP acting as a client. Additionally, even in STA to STA traffic, the AP is still acting as an AP to both clients, it is not acting as a client in that case. – YLearn Oct 24 '17 at 16:47
0

Mathy Vanhoef, the researcher who discovered the KRACK vulnerability and therefore the most authoritative source available on this subject, removed any ambiguity in a video interview for Tech News Weekly:

As a home user, if you've done update on your Windows, and your iOS devices, in that case I would say you're secure.

When you connect to a more enterprise or a more business network, for example a University or a company that has a lot of access points, so a lot of places where the wireless technology is being broadcasted, then there could still be a perk in the equipment that they use.

But, for your home network, if you just update your Windows, or your laptops and your smartphones, then you're already safe.

Moreover, he later added:

Most KRACK attacks against vulnerable clients can be prevented by modifying the router/access point. This may even be possible through AP configuration changes only (without updates). Example is Cisco workarounds. Though this may affect the reliability of handshakes in certain edge cases (e.g. with slow clients or unreliable connections).

WhiteWinterWolf