Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

[MacRumors]

Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore's Rene Ritchie this morning.

The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.

A KRACK attack proof-of-concept from security researcher Mathy Vanhoef​

Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads.

Using a key reinstallation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.

Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue.

Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection.

Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability relies on a flaw that allows what's supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there's still a partial vulnerability.

Once patched, devices running iOS, macOS, tvOS, and watchOS will not be able to be exploited using the KRACK method even when connected to a router or access point that is still vulnerable. Still, consumers should watch for firmware updates for all of their devices, including routers.

Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.

Article Link: Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

 

[bookwormsy]

Are they going to release a security update for devices that can't run iOS 11?

 

[maverick2007]

Eddy Cue is innovating a lot! See the output

 

[BittenApple]

What about for 32 bit devices ?

 

[Derekeys]

I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?

 

[iapplelove]

This is why I keep my devices updated, its worth dealing with a few bugs.

 

[alembic]

What about support for Sierra?

 

[Cesar Battistini]

Thank you again Apple.

 

[SeaFox]

I foresee having to buy a new router really. Devices tend to last longer than manufactures want to support them for.
[doublepost=1508179975][/doublepost]

What about support for Sierra?

Sierra is only one step behind in Apple's OS chain, so it should get patched, too. Apple tends to support security updates for at least the previous version of macOS, if not further back.

 

[chucker23n1]

I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?

It's mostly about the clients.

What if there are no security updates for my router?
Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. [..] For ordinary home users, your priority should be updating clients such as laptops and smartphones.

 

[dan9700]

New high sierra beta isnt out tho today

 

[vmachiel]

That’s great. But still, Apple needs to change the WiFi toggle behavior in control center for these kinds of things.

 

[jclo]

I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?

It's both, really. Pretty much everything will need a firmware update.

 

[KrisLord]

I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?

It’s a bug in the WPA2 specification that impacts the client device side, (ie your phone or laptop) rather than your router. The bug lets data sent by your device to the router be read.

(It’s ridiculously more complex than these 2 sentences can explain, but this the main risk)

 

[Dwalls90]

That’s great. But still, Apple needs to change the WiFi toggle behavior in control center for these kinds of things.

Sorry but that is a complete separate complaint.

 

[Derekeys]

It's mostly about the clients.

Thank you! Classic case of skimming the article.

 

[CaTOAGU]

What about support for Sierra?

Anything that can run Sierra can run high Sierra.

 

[Analog Kid]

Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.

How does avoiding public WiFi help? I thought the whole point was this allows an attacker into your private WiFi?

 

[rcalderoni]

Are they going to release a security update for devices that can't run iOS 11?

They already did it was called iPhone 5s.

 

[belvdr]

Using a key installation attack,

It's a key reinstallation attack, as it is forcing a client to reuse a key that was already used in the past.

How does avoiding public WiFi help? I thought the whole point was this allows an attacker into your private WiFi?

It does not decrypt the WiFi password. It allows the attacker to send packets and possibly receive them from an attacked client.

You're right, though. Avoiding (a usually unencrypted) public WiFi doesn't help. The traffic there is already readable. Also, SSL VPNs may not help you anyway, based on other attacks that have been done in the past.

That’s great. But still, Apple needs to change the WiFi toggle behavior in control center for these kinds of things.

Modifying the WiFi toggle won't help this issue at all. It currently disconnects you from the AP, which is enough for this attack to be mitigated.

Anything that can run Sierra can run high Sierra.

That's great, but some of us cannot upgrade to High Sierra until our applications are supported. The WiFi firmware should be updated on Sierra too.

 

[macTW]

Apple truly values security. Take my money.

 

[Wolfpup]

Are they going to release a security update for devices that can't run iOS 11?

No, you have to keep your OS up to date.

Lame, but it's WAY better than the Android situation, where 99% of Android devices ship insecure, and never get timely updates if they get them at all.

 

[steve123]

Apple has known about this since Aug 28. How come a security update was not pushed on Friday?

 

[jclo]

How does avoiding public WiFi help? I thought the whole point was this allows an attacker into your private WiFi?

It's not likely someone is going to be using this exploit on your home WiFi, but a crowded airport to sniff out credit cards or passwords? Maybe more likely. Also, a lot of newer public networks use WPA2 and aren't completely open.

 

[Roadstar]

Are they going to release a security update for devices that can't run iOS 11?

I wouldn't count on it. At least my old iPhone 4 that was stuck on iOS 7 didn't get a fix for a nasty Safari vulnerability that was fixed in iOS 8. While I recall seeing a couple of security updates for older iOS versions some years ago, nowadays Apple seems to abandon an iOS release as soon as the next one is out.