2

From the official FAQ on the vulnerability (emphasis mine):

So again, update all your devices once security updates are available. Finally, although an unpatched client can still connect to a patched AP, and vice versa, both the client and AP must be patched to defend against all attacks!

Does this mean that a subset of the collection of attacks discovered can be prevented even if only 1 end of the connection has been repaired?

This image from Arstechnica, apparently a screen capture from the initial presentation, shows various platform implementations being subject to different KRACK attacks. This implies that at least part of the problem can be fixed from only the client side.

enter image description here

It's not clear what, or how much, client side only fixes can address. Do these represent 6 different ways to do the same attack? 6 different ways to tamper with a compromised connection? Something else? A combination of the previous?

Dan Is Fiddling By Firelight
  • 1,382
  • 10
  • 14
  • duplicate? https://security.stackexchange.com/questions/171402/to-sufficiently-protect-against-krack-is-patching-the-client-the-ap-or-both-r – schroeder Oct 17 '17 at 18:01
  • Possible duplicate of [To sufficiently protect against KRACK is patching the client, the AP, or both, required?](https://security.stackexchange.com/questions/171402/to-sufficiently-protect-against-krack-is-patching-the-client-the-ap-or-both-r) – Steffen Ullrich Oct 17 '17 at 18:03
  • The top answer to that question doesn't address mine. It says that complete protection needs both to be patched. But there are a number of sub-attacks under the overall KRACK header. My question is if any of them can be addressed from only a single end of the connection. – Dan Is Fiddling By Firelight Oct 17 '17 at 18:07

1 Answers1

6

TL;TR: It is often (but not always) enough to properly patch the WiFi client. You need to patch the AP to if it provides client functionality (i.e. router) or has fast roaming (802.11r) enabled.

From my understanding it is essential for all the attacks that the client accepts message 3 of the 4-way handshake again and then reinstalls the same encryption key and resets nonce and replay protection.
This means if the client is patched to not accept a message 3 which contains the same key as already installed it will not reinstall the key and not reset nonce and replay protection. This should be sufficient to thwart the attack, no matter if the server is patched or not.

Also, directly taken from the https://www.krackattacks.com:

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.

Note that you could in theory also patch the AP to not retransmit message 3 of the handshake in case it did not receive message 4. This can be helpful in cases where patching the client is impossible.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Regarding patching the AP to not retransmit, I'm not sure that would be effective: "We show that **an attacker can force these nonce resets by collecting and replaying retransmissions of message 3 of the 4-way handshake.**" from [krackattacks.com](https://www.krackattacks.com/). The wording "replaying retransmissions" seems a little weird to me, does that mean a retransmission specifically has to be replayed, or is it enough to replay the initial transmission? – AndrolGenhald Oct 17 '17 at 19:07
  • I'm not sure I understand the AP retransmit solution you propose here either. The retransmission is done by the client, not the AP. – Polynomial Oct 17 '17 at 19:51
  • @Polynomial: The attacker makes sure that message 4 does not reach the AP so that the AP will retransmit message 3 (not an exact duplicate, but with changed replay counter) to the client. – Steffen Ullrich Oct 17 '17 at 20:27
  • @AndrolGenhald: From what I understand the first message 3 will cause a state change in the client and it will send message 4 which is then blocked by the attacker. The AP will then resend message 3 (with different replay counter) until it gets message 4. The attacker could capture and block these retransmits and replay these later to the client. But, if the AP does not retransmit message 3 in the first place the attacker cannot collect these retransmits. – Steffen Ullrich Oct 17 '17 at 20:32