Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

Discussion in 'News Discussion' started by MacRumors, Oct 16, 2017.

  1. MacRumors macrumors bot


    Apr 12, 2001

    Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore's Rene Ritchie this morning.

    The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.

    A KRACK attack proof-of-concept from security researcher Mathy Vanhoef

    Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads.

    Using a key reinstallation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.

    Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue.

    Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection.

    Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability relies on a flaw that allows what's supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there's still a partial vulnerability.

    Once patched, devices running iOS, macOS, tvOS, and watchOS will not be able to be exploited using the KRACK method even when connected to a router or access point that is still vulnerable. Still, consumers should watch for firmware updates for all of their devices, including routers.

    Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.

    Article Link: Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas
  2. bookwormsy macrumors 6502

    Jul 7, 2010
    Are they going to release a security update for devices that can't run iOS 11?
  3. maverick2007 macrumors member

    Sep 18, 2014
  4. BittenApple macrumors 6502a


    Nov 29, 2008
  5. Derekeys macrumors regular

    Sep 17, 2012
    Philadelphia, PA
    I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?
  6. iapplelove macrumors 68040


    Nov 22, 2011
    East Coast USA
    This is why I keep my devices updated, it's worth dealing with a few bugs.
  7. alembic macrumors regular

    Oct 13, 2005
  8. Cesar Battistini macrumors member


    May 16, 2017
  9. SeaFox macrumors 68020


    Jul 22, 2003
    Somewhere Else
    I foresee having to buy a new router really. Devices tend to last longer than manufacturers want to support them for.
    --- Post Merged, Oct 16, 2017 ---
    Sierra is only one step behind in Apple's OS chain, so it should get patched, too. Apple tends to support security updates for at least the previous version of macOS, if not further back.
  10. chucker23n1 macrumors 65816


    Dec 7, 2014
    It's mostly about the clients.

  11. dan9700 macrumors 65816


    May 28, 2015
  12. vmachiel macrumors 68000

    Feb 15, 2011
    That’s great. But still, Apple needs to change the WiFi toggle behavior in control center for these kinds of things.
  13. jclo Editor


    Staff Member

    Dec 7, 2012
    It's both, really. Pretty much everything will need a firmware update.
  14. KrisLord macrumors 65816

    Sep 12, 2008
    Northumberland, UK
    It’s a bug in the WPA2 specification that impacts the client device side (i.e. your phone or laptop) rather than your router. The bug lets data sent by your device to the router be read.

    (It’s ridiculously more complex than these 2 sentences can explain, but this is the main risk)
  15. Dwalls90 macrumors 601


    Feb 5, 2009
    Sorry but that is a completely separate complaint.
  16. Derekeys macrumors regular

    Sep 17, 2012
    Philadelphia, PA
    Thank you! Classic case of skimming the article.
  17. CaTOAGU macrumors 6502a

    Jul 15, 2008
    Manchester, UK
    Anything that can run Sierra can run High Sierra.
  18. Analog Kid macrumors 601


    Mar 4, 2003
    How does avoiding public WiFi help? I thought the whole point was this allows an attacker into your private WiFi?
  19. rcalderoni macrumors member

    Jun 21, 2011
    They already did; it was called iPhone 5s.
  20. belvdr, Oct 16, 2017
    Last edited: Oct 16, 2017

    belvdr macrumors 603

    Aug 15, 2005
    It's a key reinstallation attack, as it is forcing a client to reuse a key that was already used in the past.
    It does not decrypt the WiFi password. It allows the attacker to send packets and possibly receive them from an attacked client.

    You're right, though. Avoiding (a usually unencrypted) public WiFi doesn't help. The traffic there is already readable. Also, SSL VPNs may not help you anyway, based on other attacks that have been done in the past.
    Modifying the WiFi toggle won't help this issue at all. It currently disconnects you from the AP, which is enough for this attack to be mitigated.
    That's great, but some of us cannot upgrade to High Sierra until our applications are supported. The WiFi firmware should be updated on Sierra too.
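Added example, not part of any post in this thread: a simplified model of the key-reuse flaw described in the article and in the reply above, showing a client that rewinds its packet counter when the same key is installed again next to a patched client that refuses the reinstall. The `Client` class, the `session` helper, the toy `keystream` (a SHA-256 stand-in, not WPA2's real cipher) and the sample traffic are all assumptions made for illustration.

```python
import hashlib

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); a stand-in for WPA2's real cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical Wi-Fi client model: one session key, packet counter used as nonce."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.packet_number = 0

    def install_key(self, key: bytes) -> None:
        # Patched behaviour: a key that is already installed is not installed again,
        # so the packet counter (nonce) is never rewound.
        if self.patched and key == self.key:
            return
        self.key = key
        self.packet_number = 0  # vulnerable path: reinstalling resets the nonce

    def send(self, plaintext: bytes):
        self.packet_number += 1
        ct = xor(plaintext, keystream(self.key, self.packet_number, len(plaintext)))
        return self.packet_number, ct

def session(patched: bool, p1: bytes, p2: bytes):
    """Send p1, receive a replayed key-install message, then send p2."""
    client, key = Client(patched), b"constructed-session-key"
    client.install_key(key)
    f1 = client.send(p1)
    client.install_key(key)  # replayed handshake message carrying the same key
    f2 = client.send(p2)
    return f1, f2

def nonce_reused(frames) -> bool:
    """Defender-side check: was any nonce used twice under the same key?"""
    nonces = [n for n, _ in frames]
    return len(nonces) != len(set(nonces))

P1, P2 = b"user=alice&pin=1234", b"GET /index.html HTT"  # constructed sample traffic
```

With the unpatched client both frames carry the same nonce, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; with the patched client the nonces differ and that relation no longer holds.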
  21. macTW Suspended

    Oct 17, 2016
  22. Wolfpup macrumors 68030

    Sep 7, 2006
    No, you have to keep your OS up to date.

    Lame, but it's WAY better than the Android situation, where 99% of Android devices ship insecure, and never get timely updates if they get them at all.
  23. steve123 macrumors 6502

    Aug 26, 2007
    Apple has known about this since Aug 28. How come a security update was not pushed on Friday?
  24. jclo Editor


    Staff Member

    Dec 7, 2012
    It's not likely someone is going to be using this exploit on your home WiFi, but a crowded airport to sniff out credit cards or passwords? Maybe more likely. Also, a lot of newer public networks use WPA2 and aren't completely open.
  25. Roadstar macrumors 65816


    Sep 24, 2006
    Vantaa, Finland
    I wouldn't count on it. At least my old iPhone 4 that was stuck on iOS 7 didn't get a fix for a nasty Safari vulnerability that was fixed in iOS 8. While I recall seeing a couple of security updates for older iOS versions some years ago, nowadays Apple seems to abandon an iOS release as soon as the next one is out.
