Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

[Yvan256]

Apple supports their devices FAR LONGER than the industry average. If you're concerned, it might be time to consider upgrading to something a bit newer.

Alright, I want to upgrade from a 2010 Mac mini running Mac OS X 10.9.5 - now I know I can upgrade the OS, however I really hate the new flat, hard-to-read pastel UI and I've read the old Core 2 Duo is too slow for the latest OS versions.

So, I could buy a new Mac mini? Or a MacBook Air? Oh wait, Apple are still using CPUs that are three generations old and have increased their price in Canada. I hate all-in-one computers like the iMac, the MacBook Pro are even more expensive, the latest Macbook keyboards just plain suck and the Mac Pro, while it would more than fit my needs, is worth more than my old car.

So if Apple doesn't patch 10.9.5, my only option is to install Windows, Linux, FreeBSD?

 

[Wolfpup]

Should I be worried about my Wi-Fi printer (does it need any kind of update)? I use my printer at home and it’s connected to the WiFi created by my Airport Time Capsule.

Yep. This is not the first huge problem, won't be the last, and really shows what a disaster sticking wireless radios in everything is. Supported iOS devices will get updates, but everything else? Printers and all those other gadgets aren't getting updates. These companies just don't care about security.

 

[angelofioren]

So it's great hearing that Apple's already got updates coming soon, but what about for Airport products?

Is the newest Airport Extreme, which is still being sold, actually being supported or not? Last update was in December, which is suspicious in and of itself...

I'm thinking of changing over to Google's Onhub/Wifi if Apple's abandoned the Airport, as the consumer router companies just do not care about security. (Or maybe Symantec/Norton's router...)

According to Rene Ritchie it looks like the AirPort products are not affected: https://www.imore.com/krack-wpa2-wi-fi-exploit-already-fixed-ios-macos-tvos-watchos-betas

 

[eoblaed]

Are they going to release a security update for devices that can't run iOS 11?

Any iPhone that can't run iOS 11 is at least half a decade old. If it's an iPad, it's at least 6 years old. Eventually, hardware just gets to the point that it won't be able to receive updates.

Continue to exercise good wifi safety and wait for the majority of the access points out there to be patched.

Or...

They already did it was called iPhone 5s.

^^^^^

 

[Uaaerospace2]

ESPECIALLY cars. Those guys are one and done. This is why I was hoping AppleCar would be better implemented. That way updates come straight from Apple, instead of the lazy scrubs at Ford.

My Ford has had two updates just in the last 4 months. Hardly "one and done."

 

[OldSchoolMacGuy]

I read an interesting discussion on distrowatch.com about 32-bit support. I was surprised to learn that many 32-bit Linux distributions still exist and there are quite a few companies recycling old gear, so 32-bit is not dead yet.

Desktop vs mobile are two totally different animals. Linux keeps 32-bit support around because many server setups are built on them. A server setup is designed for different reasons than a personal smartphone.

Mobile devices have a far shorter lifespan than desktop, especially in the server environment.

As far as smartphones are concerned, 32-bit is dead (on the Android and iOS side both).

 

[Ghost31]

This is entirely why I’ve always told people “even if you don’t give a damn another the new features, just update to the newest os as long as your device supports it”. But did anyone listen? No. They just sit back all stubborn until something terrible happens

 

[manu chao]

Support for 32-bit has ended. The newest 32-bit device was released in 2013. Sorry, but supporting devices that are over 4 years old just doesn't make sense.

Apple supports their devices FAR LONGER than the industry average. If you're concerned, it might be time to consider upgrading to something a bit newer.

Apple has a two-level support scheme for Macs in that a given Mac might not run the latest OS but still receives security updates as those are issued for the previous OS version as well. There is a distinction between saying that iOS 11 should run on the iPhone 5 and 5c and that they should still receive security updates.

 

[Roadstar]

If it's an iPad, it's at least 6 years old.

Actually, the iPad 3 was released 5 and half years ago and iOS 11 is the second update it didn't get. That one's stuck at iOS 9, so its lifespan was just a bit over 4 years.

 

[manu chao]

This is entirely why I’ve always told people “even if you don’t give a damn another the new features, just update to the newest os as long as your device supports it”. But did anyone listen? No. They just sit back all stubborn until something terrible happens

Yeah, all those 5c owners are stubbornly sitting back and refuse to update to iOS 11.

 

[deanthedev]

Another issue that highlights the superiority of iOS being able to get updates out to users to fix a security flaw.

Google has stated they're going to fix this in Android as well. Trouble is most Android devices won’t get the update (outside of Nexus/Pixel and people with a recent flagship).

 

[alex0002]

What about for 32 bit devices ?

Might pay to wait and see, but if security is important, you could switch to linux for those older devices. Debian linux patches are out now and other linux distributions will follow if they haven't already.

http://seclists.org/bugtraq/2017/Oct/25

Here is a more complete list of updated devices and operating systems.
https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it

 

[Binarymix]

Any WiFi client should be updated, including smart bulbs, thermostats, toasters, and refrigerators.

Why do lightbulbs, toasters, and fridges need to be updated? Do you purchase things with your CC through them? maybe it would be a concern if it's handshaking with a password and account you use for everything. Or maybe I just don't understand the impact of these vunerabilities.

 

[chucker23n1]

Why do lightbulbs, toasters, and fridges need to be updated?

If they're smart devices, and if they use Wi-Fi (rather than ZigBee, etc.).

 

[LotusLord]

Are they going to release a security update for devices that can't run iOS 11?

Highly doubtful. At newest you're looking at 5 year old devices. How far back do you expect them to go? I'm hoping this is good enough reason to get my dad who refuses to replace his 4S and my mom on a 5C to upgrade.

 

[OldSchoolMacGuy]

Alright, I want to upgrade from a 2010 Mac mini running Mac OS X 10.9.5 - now I know I can upgrade the OS, however I really hate the new flat, hard-to-read pastel UI and I've read the old Core 2 Duo is too slow for the latest OS versions.

So, I could buy a new Mac mini? Or a MacBook Air? Oh wait, Apple are still using CPUs that are three generations old and have increased their price in Canada. I hate all-in-one computers like the iMac, the MacBook Pro are even more expensive, the latest Macbook keyboards just plain suck and the Mac Pro, while it would more than fit my needs, is worth more than my old car.

So if Apple doesn't patch 10.9.5, my only option is to install Windows, Linux, FreeBSD?

Apple isn't for everyone. I'd suggest exploring other options if their current offerings don't suit your needs.
[doublepost=1508184904][/doublepost]

Apple has a two-level support scheme for Macs in that a given Mac might not run the latest OS but still receives security updates as those are issued for the previous OS version as well. There is a distinction between saying that iOS 11 should run on the iPhone 5 and 5c and that they should still receive security updates.

They do cut off even security updates after a point. It remains to be seen if older devices get a security update but it's very likely that only devices that can run iOS 10 will see such an update. If you're on iOS 9, tough luck.

 

[KvR]

"Apple says.." based on a tweet from a journalist. That's a bit thin. When it comes to security a bit less rumor, would be welcome.

 

[xpxp2002]

If they do use encryption, and it's a pre-shared key, everyone is using the exact same key anyway so if you're on the network you can see others' packets.

Not exactly. That's actually one of the important takeaways from this entire vulnerability disclosure: PTKs are uniquely established for each client (supplicant) per session. You do possess a shared secret (PMK) that could be used to help you derive the PTK for a specific client and would enable you to receive the GTK from an AP.

But this is what is concerning about this vulnerabiliity -- without knowledge of the PMK, it is possible to use this attack to decrypt and/or replay protected traffic.

 

[chucker23n1]

"Apple says.." based on a tweet from a journalist. That's a bit thin.

No it isn't. Rene Ritchie‏ isn't going to make up a press statement.

 

[parseckadet]

Why do lightbulbs, toasters, and fridges need to be updated? Do you purchase things with your CC through them? maybe it would be a concern if it's handshaking with a password and account you use for everything. Or maybe I just don't understand the impact of these vunerabilities.

The point is they can be used to gain access to the network, then a hacker could listen to all traffic on that network, not just the compromised device.

 

[KvR]

No it isn't. Rene Ritchie‏ isn't going to make up a press statement.

Ritchie might be a respected journalist, but as fas as I know there hasn't been a press statement. The only thing we have is the tweet:

Apple has confirmed to me that #wpa2 #KRACK exploit has already been patched in iOS, tvOS, watchOS, macOS betas. Deeper dive to follow.

Please share if you have anything more. I'd be thrilled to see an actually statement by Apple. So far it's just a tweet by a journalist. No more, no less. For me that's thin..

 

[ivan86]

I think my neigbours just hacked my Wi-Fi.

 

[chucker23n1]

Ritchie might be a respected journalist, but as fas as I know there hasn't been a press statement.

Not to the public, no.

Please share if you have anything more. I'd be thrilled to see an actually statement by Apple. So far it's just a tweet by a journalist. No more, no less. For me that's thin..

Given that these are pre-releases, there isn't really anything to say to the public. Once 10.1, 10.13.1, etc. are publicly released, the security updates page will mention it.

 

[discuit]

Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.

Technically, with this exploit, there's not really a threat difference between passworded public Wi-Fi networks that are using WPA2 with AES and a private network using the same. The practical difference is that public networks are more likely to be proximate to public places that could contain a malicious actors. If your Wi-Fi network is in a secluded cabin in the woods, there's no issue.

The most important and effective advice isn't listed in the post. The key is to make sure you're using HTTPS as much as possible. Even this exploit can't bypass an encrypted site on a unsecured network without tricking you into visiting an HTTP version of a website instead. Consider using a browser add-on such as HTTPS Everywhere.

 

[CmdrLaForge]

What about Sierra? How about a patch?