3

Now that KRACK has been discovered to exploit WPA2, is it still possible to secure my home Wi-Fi network? If so, what steps should I take to secure it against KRACK attacks? Will there now be a need for a new "WPA3" protocol?

The simple answer, as shown in the question below, is generally to patch it, but in this case it appears there are no patches yet for certain devices, and it is unclear which devices do and don't have patches available. I am thinking, if there is a patch available, install it, but what do I do if there isn't?

I don't consider this a duplicate of the linked question below because this explores what to do where the patch is not available. There is some good discussion under the linked question as well, and I recommend checking it out:

To sufficiently protect against KRACK is patching the client, the AP, or both, required?

Jonathan
  • 6
    I consider this question a duplicate of [To sufficiently protect against KRACK is patching the client, the AP, or both, required?](https://security.stackexchange.com/questions/171402/to-sufficiently-protect-against-krack-is-patching-the-client-the-ap-or-both-r) and [Consequences of the WPA2 KRACK attack](https://security.stackexchange.com/questions/171356). If you feel that this is not a duplicate please adjust your question to explain in detail what part of your questions is not addressed by these other questions so that answers can focus on this part. – Steffen Ullrich Oct 20 '17 at 17:41
  • 1
    *"...but it is unclear what devices do and don't have patches available."* - for which devices you have is KRACK relevant (i.e. WPA clients, AP in repeater mode or using 802.11r) but where no information is available about vulnerability and patches? *"..if there is a patch available, install it, but what do I do if there isn't?"* - if you have any of these devices, be specific; if you don't have any, then why care? – Steffen Ullrich Oct 20 '17 at 17:47

2 Answers

1

The answer is generally to patch, but in this case, a patch is not yet available for many devices.

While researching a particular device, the site basically said to update the firmware if the patch is available. Otherwise (from NETGEAR's site):

> Until a firmware fix is available for your product, NETGEAR recommends that you follow these workaround procedures: For Wireless Routers in Bridge Mode: disable Bridge Mode or power off the bridge router.

I am not sure how broadly this workaround will apply.

Jonathan
  • Looking for other answers as well, but this is something that could be helpful I came across. – Jonathan Oct 20 '17 at 18:11
  • 1
    To cite myself from my comment to your question: *"... for which devices you have is KRACK relevant (i.e. WPA clients, AP in repeater mode or using 802.11r).."*. Thus, switching the repeater mode (or as they call it "bridge mode") off and having no 802.11r implemented means the AP is not vulnerable. But the same information is already in [To sufficiently protect against KRACK is patching the client, the AP, or both, required?](https://security.stackexchange.com/a/171549/37315). – Steffen Ullrich Oct 20 '17 at 18:35
0

> Now that KRACK has been discovered to exploit WPA2

This is false; the main attack of the exploit is against the 4-way handshake of WPA2 (he says main because it also affects other implementations like GCM or RC4-TKIP, etc.), a part of the specification of the WPA2 protocol. WPA2 itself is safe; actually, KRACK doesn't focus on "breaking" WPA/2 or stealing the password.

> Is it still possible to secure my home Wi-Fi network? If so, what steps should I take to secure it against KRACK attacks?

Yes, as stated by Mathy Vanhoef himself (he who found the exploit), you need to patch both AP and clients. This will change the implementation of the four-way handshake, rendering useless the Key Re-installation attack (KRACK). One extra step you can take is to tunnel your traffic; a SOLID and well-implemented VPN can achieve this. There are APs that can tunnel all traffic through a VPN, like dd-wrt.

> Will there now be a need for a new "WPA3" protocol?

No, WPA2 is still good. It only needs a change of implementation.

> ...but what do I do if there isn't?

Yeah, mostly securing your devices through a VPN network, I think, is the most you can do now. The Tunneling Protocol in a more general term of a VPN.

Also, you can lower the "power" (TX - Transmission Power) of your AP, since the KRACK attack needs physical access to your Wi-Fi, but this is a trade-off of Ease-of-use vs Security in the "Ease of use, functionality, security triangle".

Azteca
  • 4
    Do not lower the power of your AP. The attack is on the 802.11 client, not the infrastructure, and the working examples of the exploit generally need to be "louder" than the AP at the client. Lowering the AP power will make it easier for an attacking device to have a signal strength higher than the AP. – YLearn Oct 21 '17 at 01:25
  • @YLearn And how can you MITM if you can't hear the AP? Section 3.2 of the [KRACK PDF](https://papers.mathyvanhoef.com/ccs2017.pdf) *A second minor obstacle is that we must obtain a MitM position between the client and AP. This is not possible by setting up a rouge AP with a different MAC address, and then forwarding packets between the real AP and client* ... So... lowering the power of the AP is secure? Or you still think I should remove that? – Azteca Oct 24 '17 at 21:54
  • The only time lowering AP signal might work is when the client being attacked is at the extreme edge of the AP coverage and the attacker is further from the AP. However this is the one case it will help. If the client is any closer to the AP, then the attacker could still be in range. Or both the attacker and client could be at extreme range (say at 30 and 60 degrees) that allows them to be closer to each other than the AP. Or the attacker could be closer to the AP than the client. Lowering power too much may even allow attacker and client to be on opposite sides of the AP. – YLearn Oct 24 '17 at 22:38
  • Yeah, we all know how Wi-Fi signal works, but since the question is about a home Wi-Fi network, I really doubt someone will be in your closet or living room trying to KRACK attack you. Hence the suggestion. I agree with you, but those are corner cases, and in general it's a good practice to have a Wi-Fi signal to the boundaries of your living place. – Azteca Oct 24 '17 at 22:52
  • Those aren't corner cases, they are all just as likely as the case where it might help. Further, reducing the signal strength to the boundaries of your living space also severely reduces the performance of the wireless network. You can't get the higher data rates on minimal signal. Lowering signal strength for one possible attack position among many and potentially opening up other attack positions is a bad idea overall. – YLearn Oct 24 '17 at 22:56