So it's great hearing that Apple's already got updates coming soon, but what about for Airport products?

Is the newest Airport Extreme, which is still being sold, actually being supported or not? Last update was in December, which is suspicious in and of itself...

I'm thinking of changing over to Google's Onhub/Wifi if Apple's abandoned the Airport, as the consumer router companies just do not care about security. (Or maybe Symantec/Norton's router...)
 
It's not likely someone is going to be using this exploit on your home WiFi, but a crowded airport to sniff out credit cards or passwords? Maybe more likely. Also, a lot of newer public networks use WPA2 and aren't completely open.

But that won't protect you from this. Plus there are already vulnerabilities to both the Bluetooth and Wi-Fi radios themselves that affected almost all mobile devices. Apple updated them, for devices that get updates, but...
 
So it's great hearing that Apple's already got updates coming soon, but what about for Airport products?

Is the newest Airport Extreme, which is still being sold, actually being supported or not? Last update was in December, which is suspicious in and of itself...

I'm thinking of changing over to Google's Onhub/Wifi if Apple's abandoned the Airport, as the consumer router companies just do not care about security. (Or maybe Symantec/Norton's router...)
Not entirely true. ASUS supports older routers for quite some time. And is typically pretty quick with security updates.
 
But that won't protect you from this. Plus there are already vulnerabilities to both the Bluetooth and Wi-Fi radios themselves that affected almost all mobile devices. Apple updated them, for devices that get updates, but...

Yep. Just explaining why I mentioned avoiding public WiFi and/or using a VPN.
 
That’s great. But still, Apple needs to change the WiFi toggle behavior in control center for these kinds of things.
No. The reason why it only disconnects the Wi-Fi connection instead of turning off the Wi-Fi is because Wi-Fi is needed for a lot of other things like Geofencing. Most of the time users want to only disconnect it from the current network.
Besides, Wi-Fi's battery usage is insignificant.
 
The even bigger mess is going to be smart devices. Your lightswitch? Fitness tracker? TV? Car? Good luck getting updates for those.

ESPECIALLY cars. Those guys are one and done. This is why I was hoping AppleCar would be better implemented. That way updates come straight from Apple, instead of the lazy scrubs at Ford.
 
What about for 32-bit devices?

Support for 32-bit has ended. The newest 32-bit device was released in 2013. Sorry, but supporting devices that are over 4 years old just doesn't make sense.

Apple supports their devices FAR LONGER than the industry average. If you're concerned, it might be time to consider upgrading to something a bit newer.
 
It’s a bug in the WPA2 specification that impacts the client device side (i.e. your phone or laptop) rather than your router. The bug lets data sent by your device to the router be read.

(It’s ridiculously more complex than these 2 sentences can explain, but this is the main risk)

Thanks for this.
An added step: what if the router acts as a repeater? I.e., in our office we use AirPort Expresses in corner hallways to extend the coverage to other areas of the office.

I understand it's early, but what do you suggest we do? We just made a switch from wired to wireless too on all our networking...
 
Are they going to release a security update for devices that can't run iOS 11?
Possibly. They've done it before, releasing some minor patches for devices even when they don't qualify for newer releases.

But it's been a while, was shocked to see they haven't done this, but maybe haven't felt the need since iOS 6.
6.1.5 10B400 T4 November 14, 2013; 3 years ago iPod Touch (4th generation) only
Bug fix

  • Fixes an issue that causes FaceTime calls to fail for some users on the iPod Touch (4th generation).
6.1.6 10B500 P3 T4 05.16.08 P3 February 21, 2014; 3 years ago iPhone 3GS and iPod Touch (4th generation) only
Final release supported on iPhone 3GS, and iPod Touch (4th generation)

  • Fix CVE-2014-1266, a bug in Secure Transport that can cause it to fail to properly authenticate a SSL/TLS connection. This bug also occurred in iOS 7, and was caused by a duplicate goto fail; statement in the source code that caused critical parts of the certificate verification code to become unreachable code. This bug is informally known as the goto fail bug as a result.

9.3.5 also got a bit of a last minute security update after everyone was migrating to iOS 10.
9.3.5 13G36 August 25, 2016; 13 months ago
Final release supported on iPhone 4S, iPad 2, iPad (3rd generation), iPod Touch (5th generation), and iPad Mini (1st generation)

  • Fixes three zero-day vulnerabilities.[137] These vulnerabilities were chained together by the NSO Group into the Trident exploit chain.[137] Trident is composed of CVE-2016-4657, CVE-2016-4655, and CVE-2016-4656 and uses them in that order.[137] First, Trident's first stage uses CVE-2016-4657 to exploit WebKit, iOS's built-in web browser engine, via malicious JavaScript to cause WebKit to execute arbitrary Trident's second stage malware.[137] Trident's second stage then downloads the Pegasus spyware package, uses CVE-2016-4655 to locate the kernel, and uses CVE-2016-4656 to disable signature verification in order to allow unsigned code like Pegasus to execute.[137] The second stage malware then uses the previously discovered location of the kernel to install and load Pegasus with kernel privileges, allowing the attacker to steal all data on the phone and spy on the victim's conversations live.[137]
 
Support for 32-bit has ended. The newest 32-bit device was released in 2013. Sorry, but supporting devices that are over 4 years old just doesn't make sense.

Apple supports their devices FAR LONGER than the industry average. If you're concerned, it might be time to consider upgrading to something a bit newer.
I read an interesting discussion on distrowatch.com about 32-bit support. I was surprised to learn that many 32-bit Linux distributions still exist and there are quite a few companies recycling old gear, so 32-bit is not dead yet. :)
 
I read an interesting discussion on distrowatch.com about 32-bit support. I was surprised to learn that many 32-bit Linux distributions still exist and there are quite a few companies recycling old gear, so 32-bit is not dead yet. :)

Yeah, but they mean 32-bit iOS devices. I think the last new 32-bit CPU from Apple for iOS was 2012.
 
Should I be worried about my Wi-Fi printer (does it need any kind of update)? I use my printer at home and it’s connected to the WiFi created by my Airport Time Capsule.
 
It’s a bug in the WPA2 specification that impacts the client device side (i.e. your phone or laptop) rather than your router.

That is not true. Although it can be mitigated from a single side, the issue affects routers and connecting devices. Both sides should be updated as a matter of best practice.

Separately, I wish people would just drop the whole "public wifi" thing when talking about this. While it can impact public wifi people should be conducting themselves as if public wifi is always compromised. Many public routers use no encryption so there's no benefit there. If they do use encryption, and it's a pre-shared key, everyone is using the exact same key anyway so if you're on the network you can see others' packets. Unless a public wifi is using WPA2-Enterprise* (which I really doubt most are) this entire issue is moot for public wifi.

*WPA2-Enterprise is also affected, but I mention this because assuming a properly secure and working protocol, the Enterprise variant provides a unique key for each client so being on the encrypted network means a client cannot eavesdrop on other clients (which is not the case with WPA2-PSK).
 
Possibly. They've done it before, releasing some minor patches for devices even when they don't qualify for newer releases.

But it's been a while, was shocked to see they haven't done this, but maybe haven't felt the need since iOS 6.


9.3.5 also got a bit of a last minute security update after everyone was migrating to iOS 10.

They definitely should've supplied a security update to iOS 7. There was the issue where a maliciously crafted PDF file could execute pretty much any code if opened in Safari, but Apple chose to include that fix only in iOS 8, leaving e.g. iPhone 4 users at risk. The problem was made worse by the fact that you can't even change the default browser, so you couldn't even effectively work around the issue by switching to Chrome. So the iPhone 4 more or less became useless after iOS 8 was released while a security update would've kept it usable for a bit longer.
 