Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

bill888
All Star
Posts: 957
Thanks: 147
Fixes: 26
Registered: ‎18-10-2008

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Also available in LEDE (OpenWRT) as of yesterday

https://lede-project.org/releases/17.01/notes-17.01.4

 

I could be wrong, but I thought I read that an unpatched client connecting to a patched access point could still be 'slightly' vulnerable.

easuter
Dabbler
Posts: 13
Thanks: 11
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

@bill888, unpatched clients are absolutely vulnerable; patching the access point won't serve as any sort of protection for unpatched client devices.

Please see my previous reply on this topic:

 

https://community.plus.net/t5/My-Router/Severe-flaw-in-WPA2-protocol-leaves-Wi-Fi-traffic-open-to/m-...

Community Veteran
Posts: 3,937
Thanks: 490
Fixes: 7
Registered: ‎05-04-2007

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping


@DaveyH wrote:
Responsible disclosure as I said, i.e you find a bug, you report it to the affected parties and give them time to patch it before going public.

Yes I see what you mean.

Though the press love a good story when nothing else is going on, so it wouldn't surprise me if they paid someone off, to remain anonymous and reveal what has happened.

Community Veteran
Posts: 2,286
Thanks: 109
Fixes: 4
Registered: ‎18-02-2013

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Did you read this part?

 

Comes with https://w1.fi/cgit/hostap/commit/?id=a00e946c1c9a1f9cc65c72900d2a444ceb1f872e

To prevent krack attack for unpatched clients

You have an option under wireless security settings in order to switch it on

easuter
Dabbler
Posts: 13
Thanks: 11
Registered: ‎16-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Did you read this part?

 

Comes with https://w1.fi/cgit/hostap/commit/?id=a00e946c1c9a1f9cc65c72900d2a444ceb1f872e 

To prevent krack attack for unpatched clients

You have an option under wireless security settings in order to switch it on

 

Yes I did, and this workaround has issues of its own.

For example, the LEDE project release notes posted by @bill888 also reference this workaround, however the details published by hostap state:

 

# Workaround for key reinstallation attacks
#
# This parameter can be used to disable retransmission of EAPOL-Key frames that
# are used to install keys (EAPOL-Key message 3/4 and group message 1/2). This
# is similar to setting wpa_group_update_count=1 and
# wpa_pairwise_update_count=1, but with no impact to message 1/4 and with
# extended timeout on the response to avoid causing issues with stations that
# may use aggressive power saving have very long time in replying to the
# EAPOL-Key messages.
#
# This option can be used to work around key reinstallation attacks on the
# station (supplicant) side in cases those station devices cannot be updated
# for some reason. By removing the retransmissions the attacker cannot cause
# key reinstallation with a delayed frame transmission. This is related to the
# station side vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
# CVE-2017-13080, and CVE-2017-13081.
#
# This workaround might cause interoperability issues and reduced robustness of
# key negotiation especially in environments with heavy traffic load due to the
# number of attempts to perform the key exchange is reduced significantly. As
# such, this workaround is disabled by default (unless overridden in build
# configuration). To enable this, set the parameter to 1.
#wpa_disable_eapol_key_retries=1

 

The LEDE project notes also state this in the summary:

 

 

As some client devices might never receive an update, an optional AP-side workaround was introduced in hostapd to complicate these attacks, slowing them down. Please note that this does not fully protect you from them, especially when running older versions of wpa_supplicant vulnerable to CVE-2017-13086, which the workaround does not address.

 

Using this workaround may be better than nothing, but all it will really give you is a false sense of security.
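
An added example (not part of the original post, and not hostapd or LEDE code): a small Python check that reads a hostapd.conf and reports whether the workaround quoted above is actually active, treating the commented-out `#wpa_disable_eapol_key_retries=1` line as disabled. The sample configuration and the finding labels are constructed for illustration, and a single-BSS file is assumed.

```python
# Constructed sample config (not a real deployment). Note the option is
# commented out, exactly as in the hostapd default text quoted above.
SAMPLE_CONF = """\
interface=wlan0
ssid=example-net
wpa=2
wpa_key_mgmt=WPA-PSK
#wpa_disable_eapol_key_retries=1
wpa_pairwise_update_count=1
"""

UPDATE_COUNTS = ("wpa_group_update_count", "wpa_pairwise_update_count")


def parse_hostapd_conf(text):
    """Return {key: value}. Lines starting with '#' are comments; last assignment wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key] = value
    return conf


def audit_krack_workaround(conf):
    """Report the AP-side retransmission settings named in the hostapd notes."""
    findings = []
    if conf.get("wpa_disable_eapol_key_retries") == "1":
        findings.append("workaround-enabled")
        # Per the LEDE notes, the workaround does not address this CVE.
        findings.append("not-covered:CVE-2017-13086")
        # Per the hostapd notes, fewer key-exchange attempts under heavy load.
        findings.append("risk:interoperability-under-load")
    else:
        findings.append("workaround-disabled")
        ones = [k for k in UPDATE_COUNTS if conf.get(k) == "1"]
        if len(ones) == 2:
            # Similar effect, but message 1/4 is affected as well.
            findings.append("similar-effect-via-update-counts")
        for k in ones if len(ones) == 1 else []:
            findings.append("partial:" + k)
    # Either way the AP setting is not a substitute for client updates.
    findings.append("clients-still-need-patching")
    return findings


if __name__ == "__main__":
    for finding in audit_krack_workaround(parse_hostapd_conf(SAMPLE_CONF)):
        print(finding)
```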

 

BertieBassett
Grafter
Posts: 43
Thanks: 22
Registered: ‎05-02-2016

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Hello Folks,

I am an end user who thinks that a patch is something to put on my jeans before going to a 70s rock festival and a WPA2 protocol may be a pint of local ale. In plain English, please Plus Net, should I be worried about Krack and is there anything I should be doing to mitigate any consequences? Have I missed a plain English bulletin or e-mail from you? Thank you for your help.

Nimrod
Hooked
Posts: 5
Thanks: 4
Registered: ‎19-10-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

I am almost as confused as you are. However, on Oct 16, 2017 "Microsoft today revealed that it quietly patched Windows last week against vulnerabilities in the Wi-Fi Protected Access II (WPA2) protocol used to secure wireless networks." Article here: Microsoft shuts down Krack with sneaky Windows update

I am still confused as to whether Plusnet needs to/will patch the routers they have supplied to their customers.

A little clarification by Plusnet would be very welcome.

 

Regards to all

 

Nimrod

Protech
Rising Star
Posts: 58
Thanks: 27
Fixes: 1
Registered: ‎26-09-2017

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

As far as I know none of the major UK ISPs have made a formal response to this or have given their customers any guidance or assurances with regards to the routers that have been supplied.
While it is true that this is primarily, in a consumer environment, a client side issue, routers can also act as wireless clients.
All that is required from Plusnet is a statement that the routers they have supplied are either:
1. Not impacted by this flaw
or
2. If they are impacted, which routers are going to be patched and when?
You can check out but you can never leave (easily)
Community Gaffer
Posts: 3,188
Thanks: 5,340
Fixes: 107
Registered: ‎29-09-2011

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

@JonoH, would PlusNet consider sending out a newsletter of sorts with these details? Seems a lot of misinformation/incomplete information is flying around the web and there will be many users that simply won't be aware or may not take the right steps to mitigate the problem 😐

 

I'll certainly put the idea forward to the people who can make that decision


 

 Jono H
 Plusnet Community Manager
BertieBassett
Grafter
Posts: 43
Thanks: 22
Registered: ‎05-02-2016

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Thanks for your help thus far JonoH. O.K. then a couple of practical questions. 

  1. My laptop is domiciled next to my Plus Net router. I have therefore disabled the WiFi on my laptop and connected a direct ("Ethysomething?") cable. Does this solve the problem short term please?
  2. I have Norton and they are offering a VPN (?) type addition to my Norton Security package. Is this worth it ?
  3. Presumably my iPhone and Kindle Fire are still vulnerable - although they are little used for personal stuff. Is this correct? Maybe stick to playing Scrabble and reading the paper etc on these devices?

Thanks for your help folks. Perhaps ignorance is bliss in these matters. Perhaps these computer hacking rascals aren't interested in ordinary retired dudes like me. Who knows?

davidj66
Aspiring Pro
Posts: 655
Thanks: 41
Fixes: 3
Registered: ‎04-09-2008

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

I'm getting very confused about the stories about this "flaw" (as, I suspect, are many others). A couple of simple Qs to those more in the know, if you don't mind:

1.  If the Windows 10 devices on my network are patched/updated, are they not at risk EVEN IF unpatched Android devices are on the same network?

2.  Does anyone know if a Sky box needs to be updated?

3.  What about a Chromecast?

I have 3 oldish cheap Android devices running Android 4.xx and as oldjim said, the vendors aren't going to release any updates but I don't want to have to throw them away!

 

Further thought - presumably any new Android phone or tablet currently on sale will have this vulnerability?

Community Veteran
Posts: 3,937
Thanks: 490
Fixes: 7
Registered: ‎05-04-2007

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

With Sky, they just push out updates when they see fit. Not much you can do.

I would assume they need patching too. I don't use the On Demand stuff and when my internet went down and I did a factory reset on the router it reverted my WiFi password to the default - so my Sky box isn't even connected.

I think Sky don't give you the whole space of the HD, but reserve some of it for themselves so it automatically downloads stuff to their part of the HD, you might (not) want to watch.

To be honest, I would continue using your devices (that you like) and not worry. Keep them updated if there are any available, but don't be alarmed if there aren't.

No difference to using your debit/credit cards on-line, you always think the worst and "What if I am scammed?", but don't let it change your lifestyle and just deal with a problem if it occurs. Make sure the site is legit, etc.

davidj66
Aspiring Pro
Posts: 655
Thanks: 41
Fixes: 3
Registered: ‎04-09-2008

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Thanks for that Alex

 

As the "flaw" requires someone to be observing your network when a device connects I was just thinking geographically.

What if I physically reposition the router to the centre of the house? - then I suspect the signal will almost vanish outside.

Community Veteran
Posts: 3,937
Thanks: 490
Fixes: 7
Registered: ‎05-04-2007

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping

Up to you if convenient to move it, I mean if the signal is sufficient in the house if you do.
Then if you have a WiFi mobile, test it outside to see that you can't pick your network up.

garywood84
Grafter
Posts: 274
Thanks: 2
Registered: ‎30-07-2007

Re: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping


I think we need to look at the risk in perspective here.

The vulnerability exists during the phase where devices are connecting to your router/access point, so there's relatively little window of opportunity for a hacker to compromise your security.

During that short window of opportunity, a hacker would need to be within range of your network, so fairly close to the outside of your house, within your house, or perhaps in a neighbouring property.

And, they would have to care about the data you are transmitting on your network in order to go to the effort of bothering to hack.

What does this mean? Well, in reality, it means that the risk here is very small, and whilst it would give us all peace of mind to patch all our devices, and we should do that as and when patches are available, I don't think anyone should lose sleep in the meantime. Instead:

  • don't transmit any sensitive data between devices over wifi; use a wired ethernet connection or other means (such as a memory stick) instead
  • make sure that websites where you are entering passwords or dealing with sensitive data (such as online banking) are using secure HTTP (you can tell by looking at the web address: it should start with https://). That protocol encrypts the connection between your browser and the server on which the pages you access are located, so that even if it were intercepted by a hacker, it would be unreadable.