Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Oct 16, 2017.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore's Rene Ritchie this morning.

    The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.

    A KRACK attack proof-of-concept from security researcher Mathy Vanhoef

    Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads.

    Using a key reinstallation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.

    Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue.

    Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection.

    Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability relies on a flaw that allows what's supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there's still a partial vulnerability.

    Once patched, devices running iOS, macOS, tvOS, and watchOS will not be able to be exploited using the KRACK method even when connected to a router or access point that is still vulnerable. Still, consumers should watch for firmware updates for all of their devices, including routers.

    Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.

    Article Link: Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas
     
  2. bookwormsy macrumors 6502

    Joined:
    Jul 7, 2010
    #2
    Are they going to release a security update for devices that can't run iOS 11?
     
  3. maverick2007 macrumors regular

    Joined:
    Sep 18, 2014
  4. BittenApple macrumors 6502a

    BittenApple

    Joined:
    Nov 29, 2008
  5. Derekeys macrumors regular

    Joined:
    Sep 17, 2012
    Location:
    Philadelphia, PA
    #5
    I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?
     
  6. iapplelove macrumors 601

    iapplelove

    Joined:
    Nov 22, 2011
    Location:
    East Coast USA
    #6
    This is why I keep my devices updated, its worth dealing with a few bugs.
     
  7. alembic macrumors regular

    Joined:
    Oct 13, 2005
  8. Cesar Battistini macrumors regular

    Cesar Battistini

    Joined:
    May 16, 2017
    Location:
    Brazil
  9. SeaFox macrumors 68020

    SeaFox

    Joined:
    Jul 22, 2003
    Location:
    Somewhere Else
    #9
    I foresee having to buy a new router really. Devices tend to last longer than manufactures want to support them for.
    --- Post Merged, Oct 16, 2017 ---
    Sierra is only one step behind in Apple's OS chain, so it should get patched, too. Apple tends to support security updates for at least the previous version of macOS, if not further back.
     
  10. chucker23n1 macrumors 68000

    chucker23n1

    Joined:
    Dec 7, 2014
    #10
    It's mostly about the clients.

     
  11. dan9700 macrumors 68020

    dan9700

    Joined:
    May 28, 2015
  12. vmachiel macrumors 68000

    Joined:
    Feb 15, 2011
    Location:
    Holland
    #12
    That’s great. But still, Apple needs to change the WiFi toggle behavior in control center for these kinds of things.
     
  13. jclo Editor

    jclo

    Staff Member

    Joined:
    Dec 7, 2012
    Location:
    California
    #13
    It's both, really. Pretty much everything will need a firmware update.
     
  14. KrisLord macrumors 65816

    Joined:
    Sep 12, 2008
    Location:
    Northumberland, UK
    #14
    It’s a bug in the WPA2 specification that impacts the client device side, (ie your phone or laptop) rather than your router. The bug lets data sent by your device to the router be read.

    (It’s ridiculously more complex than these 2 sentences can explain, but this the main risk)
     
  15. Dwalls90 macrumors 601

    Dwalls90

    Joined:
    Feb 5, 2009
    #15
    Sorry but that is a complete separate complaint.
     
  16. Derekeys macrumors regular

    Joined:
    Sep 17, 2012
    Location:
    Philadelphia, PA
    #16
    Thank you! Classic case of skimming the article.
     
  17. CaTOAGU macrumors 6502a

    Joined:
    Jul 15, 2008
    Location:
    Manchester, UK
    #17
    Anything that can run Sierra can run high Sierra.
     
  18. Analog Kid macrumors 601

    Analog Kid

    Joined:
    Mar 4, 2003
    #18
    How does avoiding public WiFi help? I thought the whole point was this allows an attacker into your private WiFi?
     
  19. rcalderoni macrumors member

    Joined:
    Jun 21, 2011
    #19
    They already did it was called iPhone 5s.
     
  20. belvdr, Oct 16, 2017
    Last edited: Oct 16, 2017

    belvdr macrumors 603

    Joined:
    Aug 15, 2005
    Location:
    No longer logging into MR
    #20
    It's a key reinstallation attack, as it is forcing a client to reuse a key that was already used in the past.
    It does not decrypt the WiFi password. It allows the attacker to send packets and possibly receive them from an attacked client.

    You're right, though. Avoiding (a usually unencrypted) public WiFi doesn't help. The traffic there is already readable. Also, SSL VPNs may not help you anyway, based on other attacks that have been done in the past.
    Modifying the WiFi toggle won't help this issue at all. It currently disconnects you from the AP, which is enough for this attack to be mitigated.
    That's great, but some of us cannot upgrade to High Sierra until our applications are supported. The WiFi firmware should be updated on Sierra too.
     
  21. macTW Suspended

    Joined:
    Oct 17, 2016
  22. Wolfpup macrumors 68030

    Joined:
    Sep 7, 2006
    #22
    No, you have to keep your OS up to date.

    Lame, but it's WAY better than the Android situation, where 99% of Android devices ship insecure, and never get timely updates if they get them at all.
     
  23. steve123 macrumors 6502

    Joined:
    Aug 26, 2007
    #23
    Apple has known about this since Aug 28. How come a security update was not pushed on Friday?
     
  24. jclo Editor

    jclo

    Staff Member

    Joined:
    Dec 7, 2012
    Location:
    California
    #24
    It's not likely someone is going to be using this exploit on your home WiFi, but a crowded airport to sniff out credit cards or passwords? Maybe more likely. Also, a lot of newer public networks use WPA2 and aren't completely open.
     
  25. Roadstar macrumors 65816

    Roadstar

    Joined:
    Sep 24, 2006
    Location:
    Vantaa, Finland
    #25
    I wouldn't count on it. At least my old iPhone 4 that was stuck on iOS 7 didn't get a fix for a nasty Safari vulnerability that was fixed in iOS 8. While I recall seeing a couple of security updates for older iOS versions some years ago, nowadays Apple seems to abandon an iOS release as soon as the next one is out.
     

Share This Page