What difference does the attacker’s proximity to target / access point make to KRACK susceptibility?

The question:

In the Tools section of www.krackattacks.com it states:

We remark that the reliability of our proof-of-concept script may depend on how close the victim is to the real network. If the victim is very close to the real network, the script may fail because the victim will always directly communicate with the real network, even if the victim is (forced) onto a different Wi-Fi channel than this network.

This appears to infer that the attacker has to rely on ‘overcoming’ the access point’s signal strength in some way for the attack to be successful.

If we assume that only standards compliant antennae are used for the attack is there a practical distance or rule that can be applied to determine whether an attack is likely to be successful (assuming the connection is susceptible)?

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

There are too many variable factors to create a reliable formula.

If we assume that only standards compliant antennae are used for the attack

The antennae is not the main issue. By default the signal strength (TX strength) on a lot of NICs is set to ~20dBm. This is a legal requirement, each country has a different cap on signal strength.

You can find out more here: https://w.wol.ph/2015/08/28/maximum-wifi-transmission-power-country/

It is trivial however to crank your TX strength up, in fact it is usually an important step in getting a successful WiFi Evil Twin/MiTM. I very much doubt anyone actually trying to use this attack will be sticking to standards compliance.

They might not be setting up in your local coffee shop with a 20ft Yagi antenna, but you can bet they will be cranking up their TX strength to at least 30dBm, which will be enough to over come many short range strength issues if the target is physically closer to the original AP.


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment