Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

MacRumors

macrumors bot
Original poster
Apr 12, 2001
50,443
11,833



Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore's Rene Ritchie this morning.

The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.

A KRACK attack proof-of-concept from security researcher Mathy Vanhoef

Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads.

Using a key reinstallation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.

Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue.

Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection.

Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability relies on a flaw that allows what's supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there's still a partial vulnerability.

Once patched, devices running iOS, macOS, tvOS, and watchOS will not be able to be exploited using the KRACK method even when connected to a router or access point that is still vulnerable. Still, consumers should watch for firmware updates for all of their devices, including routers.

Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.

Article Link: Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas
 

SeaFox

macrumors 68030
Jul 22, 2003
2,560
837
Somewhere Else
I foresee having to buy a new router really. Devices tend to last longer than manufactures want to support them for.
[doublepost=1508179975][/doublepost]
What about support for Sierra?

Sierra is only one step behind in Apple's OS chain, so it should get patched, too. Apple tends to support security updates for at least the previous version of macOS, if not further back.
 
Comment

chucker23n1

macrumors 601
Dec 7, 2014
4,637
5,827
I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?

It's mostly about the clients.

What if there are no security updates for my router?
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. [..] For ordinary home users, your priority should be updating clients such as laptops and smartphones.
 
Comment

KrisLord

macrumors 68000
Sep 12, 2008
1,577
1,165
Northumberland, UK
I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?

It’s a bug in the WPA2 specification that impacts the client device side, (ie your phone or laptop) rather than your router. The bug lets data sent by your device to the router be read.

(It’s ridiculously more complex than these 2 sentences can explain, but this the main risk)
 
  • Like
Reactions: Ntombi
Comment

Analog Kid

macrumors 603
Mar 4, 2003
5,542
3,968
Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.
How does avoiding public WiFi help? I thought the whole point was this allows an attacker into your private WiFi?
 
  • Like
Reactions: jagooch and richhh
Comment

belvdr

macrumors 603
Aug 15, 2005
5,657
1,024
No longer logging into MR
Using a key installation attack,

It's a key reinstallation attack, as it is forcing a client to reuse a key that was already used in the past.
How does avoiding public WiFi help? I thought the whole point was this allows an attacker into your private WiFi?
It does not decrypt the WiFi password. It allows the attacker to send packets and possibly receive them from an attacked client.

You're right, though. Avoiding (a usually unencrypted) public WiFi doesn't help. The traffic there is already readable. Also, SSL VPNs may not help you anyway, based on other attacks that have been done in the past.
That’s great. But still, Apple needs to change the WiFi toggle behavior in control center for these kinds of things.
Modifying the WiFi toggle won't help this issue at all. It currently disconnects you from the AP, which is enough for this attack to be mitigated.
Anything that can run Sierra can run high Sierra.
That's great, but some of us cannot upgrade to High Sierra until our applications are supported. The WiFi firmware should be updated on Sierra too.
 
Last edited:
Comment

jclo

Editor
Staff member
Dec 7, 2012
1,675
3,356
California
How does avoiding public WiFi help? I thought the whole point was this allows an attacker into your private WiFi?

It's not likely someone is going to be using this exploit on your home WiFi, but a crowded airport to sniff out credit cards or passwords? Maybe more likely. Also, a lot of newer public networks use WPA2 and aren't completely open.
 
Comment

Roadstar

macrumors 68000
Sep 24, 2006
1,571
1,887
Vantaa, Finland
Are they going to release a security update for devices that can't run iOS 11?
I wouldn't count on it. At least my old iPhone 4 that was stuck on iOS 7 didn't get a fix for a nasty Safari vulnerability that was fixed in iOS 8. While I recall seeing a couple of security updates for older iOS versions some years ago, nowadays Apple seems to abandon an iOS release as soon as the next one is out.
 
  • Like
Reactions: bcubed9
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.