
According to Draytek on their website,

> When DrayTek wireless products, such as wireless routers and access points, are used as wireless base stations, they are not affected by the KRACK (Key Reinstallation AttaCK) vulnerability; therefore patches or updates are not required.

I found this quite surprising. There is no further information explaining how they reached this conclusion, but at this stage I have to be inclined to believe it - it surely would have been signed off by various legal and engineering teams.

My question is, how would this be possible? Had they already discovered the flaw and mitigated against it (which would raise questions about them not publicly disclosing it)? Did they simply not implement the WPA2 standard correctly and this is happy coincidence?

I appreciate that it's possible that no one can conclusively answer this without inside information, but it will be interesting to see if more vendors claim not to be affected.

Darren



The Key Reinstallation AttaCK attacks the client - not the access point. As they state, clients connecting to their devices can be affected.

*Further to @Darren's point, this may not answer the question. Whilst the attack is based on re-transmitting a message to the client, since the problem is in the protocol and both ends can detect the attack, arguably both should be fixed.

**Reading further, there appear to be additional attacks targeting the AP. Reading up further now. It's possible DrayTek don't use these features.

From the main release page:

> What if there are no security updates for my router?
>
> Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details.

***Having re-read the entire release, I can't see anything that suggests an attack targeting the AP directly. So I believe the view Draytek is taking is that since the attack is targeting clients, the patch should be here. Whether that is the correct view is arguable either way.

Hector
  • I disagree. As per [the faq](https://www.krackattacks.com/#faq), "both the client and AP must be patched to defend against all attacks!" Also see [this question](https://security.stackexchange.com/questions/171402/to-sufficiently-protect-against-krack-is-patching-the-client-the-ap-or-both-r) and its answers. – Darren Oct 17 '17 at 13:01
  • Fair point. The AP can detect the duplicate key/nonce and reject it. It is possible they are doing this already (whether deliberately or accidentally through misinterpretation of the spec or a bug when initially implementing it). – Hector Oct 17 '17 at 13:11
  • Which was exactly my question! – Darren Oct 17 '17 at 13:12
  • Updated my answer. It's also possible they have decided that since the issue exists in how the client handles the false message, the client is where it should be patched. I'm not certain why they suggest the AP *must* be patched. Unless I'm missing something, it's just a way to protect unpatched clients. – Hector Oct 17 '17 at 13:18
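To make the two positions in this answer and its comments concrete, here is an added toy model (not code from the question, the answers, or any vendor) of the endpoint behaviour under discussion: a supplicant that either reinstalls the pairwise key on a retransmitted message 3 or refuses to, and an authenticator that enforces strictly increasing packet numbers per installed key, which is the AP-side duplicate-nonce check Hector mentions. Class names, the key value and the messages are constructed for illustration; real CCMP encryption is omitted.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Client:
    """Supplicant side. hardened=True means: never reinstall an already-installed PTK."""
    hardened: bool
    ptk: Optional[bytes] = None
    pn: int = 0  # CCMP packet number (nonce counter) for transmit; reset on key install

    def handle_msg3(self, ptk: bytes) -> str:
        # A retransmitted message 3 carries the same PTK as the one already installed.
        if self.hardened and self.ptk == ptk:
            return "msg3 retransmit ignored, key already installed"
        self.ptk = ptk
        self.pn = 0  # the key-install step resets the nonce counter: this is the flaw
        return "key installed"

    def send(self) -> int:
        # Each data frame consumes the next packet number under the installed key.
        self.pn += 1
        return self.pn


@dataclass
class AccessPoint:
    """Authenticator side: per installed key, accept only strictly increasing PNs."""
    last_pn: Dict[bytes, int] = field(default_factory=dict)

    def receive(self, ptk: bytes, pn: int) -> bool:
        if pn <= self.last_pn.get(ptk, 0):
            return False  # replayed or reset packet number: drop the frame
        self.last_pn[ptk] = pn
        return True


def simulate(hardened: bool) -> dict:
    """Run handshake, one frame, a retransmitted message 3, then a second frame."""
    ptk = b"\x10\x20\x30\x40"  # constructed placeholder for the derived PTK
    client, ap = Client(hardened), AccessPoint()
    client.handle_msg3(ptk)
    pn1 = client.send()
    ap.receive(ptk, pn1)
    client.handle_msg3(ptk)  # retransmitted message 3, as in the scenario above
    pn2 = client.send()
    return {"nonce_reused": pn1 == pn2, "ap_accepted_second": ap.receive(ptk, pn2)}
```

With `hardened=False` the second frame reuses packet number 1 and the AP's check drops it; with `hardened=True` the counter keeps advancing and the frame is accepted, which is why patching either side helps but only the client fix removes the nonce reuse itself.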

KRACK is a vulnerability in the protocol. Every device or manufacturer can/will have a different implementation of the protocol.

Because it is a flaw in the protocol, it affects a very wide range of devices. However, whether through accident or design, some devices will not be vulnerable as their implementation is different.

ste-fu
  • i.e., *wrong!* Marketing thinks "proprietary" is secret sauce; Engineering knows it's a liability. In this case, it's not bug-compatible, so they win. But they probably have other, *proprietary* bugs! – docwebhead Oct 17 '17 at 16:16
  • If their implementation is different, it's a bug - because the device doesn't implement the protocol it claims to! – Hector Oct 17 '17 at 16:23