Old 11-03-2017, 07:39 PM   #17
roebeet
Connoisseur
Device: Kindle 4 Basic, Kobo Aura
Quote: Originally Posted by DNSB
Not quite sure what you mean by the router being in a client mode unless you are referring to an AP being used in bridge mode. The KRACK vulnerability hijacks the 4 way handshake and appears to require that both sides allow recycling transmit and receive packet numbers (aka nonces) by the man in the middle. So the client/station/whatever and the AP/master must both be vulnerable for this to work as described in the original paper to allow eavesdropping on a wireless session. With the vulnerability on one side only, the results are not as useful to an attacker (not my opinion, I'm quoting from a Palo Alto engineer who has a heck of a lot more experience with network security than I).

To quote from the krackattacks.com website:

Currently, all vulnerable devices should be patched. In other words, patching the AP will not prevent attacks against vulnerable clients. Similarly, patching all clients will not prevent attacks against vulnerable access points. Note that only access points that support the Fast BSS Transition handshake (802.11r) can be vulnerable.

That said, it is possible to modify the access point such that vulnerable clients (when connected to this AP) cannot be attacked. However, these modifications are different from the normal security patches that are being released for vulnerable access points! So unless your access point vendor explicitly mentions that their patches prevent attacks against clients, you must also patch clients.


The first paragraph is why we have disabled Fast BSS Transitions on our corporate network.
Correct, I had meant bridged mode. Bad wording on my part.

I've heard back and forth about whether both sides need to be patched or just one (like the router). So I'm assuming the client should be patched, especially Linux-based devices using the 2.4 / 2.5 wpa_supplicant, though again I'm not sure how susceptible the Kobos actually are.

Last edited by roebeet; 11-03-2017 at 07:42 PM.
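An added illustration, not part of this post or the quoted krackattacks.com text, of the point in the discussion above: a client that reinstalls an already-installed key on a retransmitted handshake message resets its transmit nonce, so two frames end up under the same keystream, and the AP-side fix does nothing for it. The model is a constructed toy (hash-based stream keyed by PTK and nonce), not real WPA2/CCMP; the "patched" branch mirrors the client-side fix of refusing to reinstall a key that is already in use.

```python
# Toy model of a KRACK-style key reinstallation on the client (station) side.
# Constructed example: the "cipher" is a SHA-256 keystream keyed by (PTK, nonce),
# chosen only because it shares the property that matters here: the same key and
# the same nonce give the same keystream.
import hashlib


def keystream(ptk, nonce, length):
    # Deterministic in (ptk, nonce): a repeated nonce under one key repeats the stream.
    out, counter = b"", 0
    while len(out) < length:
        block = ptk + nonce.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


class Station:
    """A client that installs the PTK when it handles message 3 of the 4-way handshake."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.tx_nonce = 0

    def on_message3(self, ptk):
        # Vulnerable behaviour: every (re)transmitted message 3 reinstalls the key
        # and resets the transmit nonce to zero.
        # Patched behaviour: a key that is already installed is left alone, so the
        # nonce keeps counting even if message 3 is replayed.
        if self.patched and self.ptk == ptk:
            return
        self.ptk = ptk
        self.tx_nonce = 0

    def send(self, plaintext):
        ks = keystream(self.ptk, self.tx_nonce, len(plaintext))
        frame = (self.tx_nonce, bytes(a ^ b for a, b in zip(plaintext, ks)))
        self.tx_nonce += 1
        return frame


def simulate(patched):
    """Return (nonce_reused, xor_of_the_two_ciphertexts) for one station."""
    ptk = b"constructed-sample-ptk-0123456789ab"  # constructed key, not a real PTK
    sta = Station(patched)
    sta.on_message3(ptk)
    n1, c1 = sta.send(b"first frame")
    sta.on_message3(ptk)  # the same message 3 delivered a second time
    n2, c2 = sta.send(b"other frame")  # same length as the first frame
    # If the nonce repeated, the keystream cancels and only plaintext XOR remains.
    return n1 == n2, bytes(a ^ b for a, b in zip(c1, c2))
```

Running `simulate(False)` reports nonce reuse and an XOR that equals the XOR of the two plaintexts; `simulate(True)` reports neither.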