All we need is an easy explanation of the problem, so here it is.
In the Tools section of www.krackattacks.com it states:
We remark that the reliability of our proof-of-concept script may depend on how close the victim is to the real network. If the victim is very close to the real network, the script may fail because the victim will always directly communicate with the real network, even if the victim is (forced) onto a different Wi-Fi channel than this network.
This appears to infer that the attacker has to rely on ‘overcoming’ the access point’s signal strength in some way for the attack to be successful.
If we assume that only standards compliant antennae are used for the attack is there a practical distance or rule that can be applied to determine whether an attack is likely to be successful (assuming the connection is susceptible)?
How to solve :
I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.
There are too many variable factors to create a reliable formula.
If we assume that only standards compliant antennae are used for the attack
The antennae is not the main issue. By default the signal strength (TX strength) on a lot of NICs is set to ~20dBm. This is a legal requirement, each country has a different cap on signal strength.
You can find out more here: https://w.wol.ph/2015/08/28/maximum-wifi-transmission-power-country/
It is trivial however to crank your TX strength up, in fact it is usually an important step in getting a successful WiFi Evil Twin/MiTM. I very much doubt anyone actually trying to use this attack will be sticking to standards compliance.
They might not be setting up in your local coffee shop with a 20ft Yagi antenna, but you can bet they will be cranking up their TX strength to at least 30dBm, which will be enough to over come many short range strength issues if the target is physically closer to the original AP.
Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂