How can I protect myself or my clients against KRACK patch?

Asked by AndreaBailey in Cyber Security, Asked on Apr 6, 2022

 I am unclear on which of the following steps are sufficient to protect a WPA2-based wifi connection from the KRACK flaw:


Patching the AP (e.g. router)

Patching the client (e.g. mobile device)

Patching the AP and the client

The currently most upvoted answer, citing https://www.krackattacks.com, states:

"Both clients and access points are listed in the paper as being vulnerable."

and:

"implementations can be patched in a backwards-compatible manner [...] To prevent the attack, users must update affected products as soon as security updates become available. [...] a patched client can still communicate with an unpatched access point, and vice versa."


But this seems to leave open the question of which combination(s) of patches would be an effective fix. It's clear for example that if I were to patch my phone, it would still be able to communicate with an unpatched AP, but would that communication be secure?


This is an important question, because while it is relatively easy to make sure my clients are patched once the patch is available (since the number of OS vendors is relatively small), ensuring all routers are patched (particularly in public wifi APs) seems like a much harder task due to the number and size of the vendors, and the lack of control over third party hardware.

Answered by ananya Pawar

Regarding the KRACK patch:

It is often (but not always) enough to properly patch the WiFi client. You also need to patch the router if it works as a WiFi client too (e.g., a repeater) or has fast roaming (802.11r) enabled.

The essential part of the attacks is that the client accepts message 3 of the 4-way handshake again, which causes the client to re-install the same encryption key and to reset nonce and replay protection, this way making replay and sometimes even injection possible. This means that if the client is patched to not accept a message 3 which contains the same key as already installed, it will not reinstall the key and not reset nonce and replay protection. This should be sufficient to thwart the attack, no matter if the server is patched or not.

What if there are no security updates for my router?

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming). For ordinary home users, your priority should be updating clients such as laptops and smartphones.
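The client-side behaviour described in the answer above, as an added example that is not part of the original answer: a toy Python model of a client's pairwise-key state, comparing an unpatched client with one that refuses to reinstall a key it already has. The class and function names are hypothetical, the key is a constructed value, and no real 802.11 frames or cryptography are involved.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Supplicant:
    """Toy model of a WPA2 client's pairwise-key state (illustrative only)."""
    patched: bool
    installed_key: Optional[bytes] = None
    tx_nonce: int = 0      # packet number used as the per-frame nonce
    rx_replay: int = 0     # highest packet number accepted so far
    nonces_used: list = field(default_factory=list)

    def on_message3(self, key: bytes) -> bool:
        """Handle message 3; return True if the key was (re)installed."""
        if self.patched and key == self.installed_key:
            return False   # patched: same key already installed, keep counters
        self.installed_key = key
        self.tx_nonce = 0  # installing a key resets the nonce ...
        self.rx_replay = 0 # ... and the replay counter
        return True

    def send_frame(self) -> None:
        self.tx_nonce += 1
        self.nonces_used.append((self.installed_key, self.tx_nonce))

    def receive_frame(self, packet_number: int) -> bool:
        """Accept a frame only if its packet number is newer than any seen."""
        if packet_number <= self.rx_replay:
            return False
        self.rx_replay = packet_number
        return True

def reused_nonces(client: Supplicant) -> list:
    """Packet numbers that were used more than once under the same key."""
    counts = Counter(client.nonces_used)
    return sorted(pn for (_, pn), n in counts.items() if n > 1)

def simulate(patched: bool) -> tuple:
    """Handshake, some traffic, then a second copy of message 3 arrives."""
    client = Supplicant(patched=patched)
    key = b"constructed-ptk"            # constructed sample value
    client.on_message3(key)
    for _ in range(3):
        client.send_frame()
    client.receive_frame(1)             # legitimate frame, accepted once
    reinstalled = client.on_message3(key)
    for _ in range(3):
        client.send_frame()
    replay_accepted = client.receive_frame(1)  # same frame delivered again
    return reinstalled, reused_nonces(client), replay_accepted

if __name__ == "__main__":
    print("unpatched:", simulate(patched=False))
    print("patched:  ", simulate(patched=True))
```

The unpatched client reuses nonces 1 to 3 under the same key and accepts the replayed frame; the patched client does neither, regardless of what the access point does.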


