Wow, the way I read them it seems like I still have multiple vulnerable iDevices despite them receiving seemingly latest updates. This includes devices such as iPhone 6, iPad Air 2, Apple TV 4th gen, and the Apple Watch Series 0. Either they weren't vulnerable in the first place or Apple just hasn't patched them. The latter option would suck and pretty much negate the update advantage iOS has had.Security updates
https://support.apple.com/kb/HT201222
For macOS
WiFi: for macOS High Sierra 10.13, macOS Sierra 10.12.6, OS X El Capitan 10.11.6
Impact: an attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)
https://support.apple.com/kb/HT208221
For watchOS 4.1
WiFi: for Apple Watch Series 1 and Apple Watch Series 2
Impact: an attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)
https://support.apple.com/kb/HT208220
For tvOS 11.1
WiFi: for Apple TV 4K
Impact: an attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)
https://support.apple.com/kb/HT208219
For iOS 11.1
https://support.apple.com/kb/HT208222
WiFi: for iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later
Impact: an attacker in Wi-Fi range may force nonce reuse in WPA clients (Key Reinstallation Attacks - KRACK)
Not sure if there is anything for iPhone 6 or earlier.
Wow, the way I read them it seems like I still have multiple vulnerable iDevices despite them receiving seemingly latest updates. This includes devices such as iPhone 6, iPad Air 2, Apple TV 4th gen, and the Apple Watch Series 0. Either they weren't vulnerable in the first place or Apple just hasn't patched them. The latter option would suck and pretty much negate the update advantage iOS has had.
Perhaps a third option:
(i) not vulnerable in the first place
(ii) Apple just hasn't patched them, or
(iii) Apple didn't implement WPA2 according to specification and might be vulnerable to a modified attack, but not the original one.
Just like with the Airport devices, we don't really know until we get an official statement from Apple.
It looks like #3 is the likely answer, but that brings another question. Do older devices have correct implementation of WPA2 now?Perhaps a third option:
(i) not vulnerable in the first place
(ii) Apple just hasn't patched them, or
(iii) Apple didn't implement WPA2 according to specification and might be vulnerable to a modified attack, but not the original one.
Just like with the Airport devices, we don't really know until we get an official statement from Apple.
Wi-Fi
Available for: iPhone 8, iPhone 8 Plus, and iPhone X
Not impacted: iPhone 7, iPhone 7 Plus, iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, iPad Air and later, and iPod Touch 6th generation
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA unicast/PTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13077: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
CVE-2017-13078: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
Wi-Fi
Available for: iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later
Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks - KRACK)
Description: A logic issue existed in the handling of state transitions. This was addressed with improved state management.
CVE-2017-13080: Mathy Vanhoef of the imec-DistriNet group at KU Leuven
Entry updated November 3, 2017
It looks like #3 is the likely answer, but that brings another question. Do older devices have correct implementation of WPA2 now?
According to Apple's support document:
So the first type of KRACK attack does not impact older devices. But what about the second one?
Seems like they basically added another related but separate entry for something additional that was addressed related to KRACK for iPhone 8 and X line of phones in particular, which doesn't impact older devices.Thanks. They've updated the document since I first posted:
WiFi: Available for: iPhone 8, iPhone 8 Plus, and iPhone X
Not impacted: iPhone 7, iPhone 7 Plus, iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, iPad Air and later, and iPod Touch 6th generation
CVE-2017-13077 and CVE-2017-13078
WiFi: Available for: iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later
CVE-2017-13080
https://support.apple.com/kb/HT208222
So it seems reasonably clear for iOS that at least the known exploits are patched for iPhone SE, iPhone 5s, iPhone 6 and later. Still no official statements on some other devices. My Airport Express is quite new and can still be found for sale in the Apple store. Some sort of official statement is needed here.
But the second Wi-Fi KRACK issue does not say whether older iPhones and iPads are not impacted, which suggests the issue is not resolved.Thanks. They've updated the document since I first posted:
WiFi: Available for: iPhone 8, iPhone 8 Plus, and iPhone X
Not impacted: iPhone 7, iPhone 7 Plus, iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, iPad Air and later, and iPod Touch 6th generation
CVE-2017-13077 and CVE-2017-13078
WiFi: Available for: iPhone 7 and later, and iPad Pro 9.7-inch (early 2016) and later
CVE-2017-13080
https://support.apple.com/kb/HT208222
So it seems reasonably clear for iOS that at least the known exploits are patched (or not vulnerable) for iPhone SE, iPhone 5s, iPhone 6 and later. Still no official statements on some other devices. My Airport Express is quite new and can still be found for sale in the Apple store. Some sort of official statement is needed here.