Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

iapplelove said:
This is why I keep my devices updated, its worth dealing with a few bugs.
Click to expand...
It shouldn't be either-or. They routinely release macOS security updates for the not-most-recent OS, sometimes going back several versions. It should be the same for iOS. There are very valid reasons to continue running older versions of iOS, and we should not be forced into updates for security purposes.
 
xpxp2002 said:
Not exactly. That's actually one of the important takeaways from this entire vulnerability disclosure: PTKs are uniquely established for each client (supplicant) per session. You do possess a shared secret (PMK) that could be used to help you derive the PTK for a specific client and would enable you to receive the GTK from an AP.

But this is what is concerning about this vulnerabiliity -- without knowledge of the PMK, it is possible to use this attack to decrypt and/or replay protected traffic.
Click to expand...

No. What you're describing is more how WPA2-Enterprise works.

WPA2-PSK works differently. Yes, you have a pre-shared key, from that a group key is derived and rotated regularly (like every hour); however, all clients use the same group key. WPA2-Enterprise works differently in that clients authenticate by logging in with user credentials and the access points checks with a RADIUS server. The RADIUS servers gives an "okay" or "no". "Okay" includes a key from which an encryption key is derived and that is rotated with the client. But each client gets their own unique key to generate that.

If you have a phone and laptop on a WPA2-PSK access point they can packet sniff and read the contents of said packets as though they were not encrypted. On a WPA2-Enterprise access point clients can packet sniff but only get encrypted content.

The problem with this (and why it affects both implementations) is that the handshaking is broken and allows for a replay attack so the attacker can force the same (temporary) key use and thereby get onto the network with the same encryption without actually knowing the "master" key (shared in PSK, or client in Enterprise)
 
[doublepost=1508186439][/doublepost]
Dave-Z said:
No. What you're describing is more how WPA2-Enterprise works.

WPA2-PSK works differently. Yes, you have a pre-shared key, from that a group key is derived and rotated regularly (like every hour); however, all clients use the same group key. WPA2-Enterprise works differently in that clients authenticate by logging in with user credentials and the access points checks with a RADIUS server. The RADIUS servers gives an "okay" or "no". "Okay" includes a key from which an encryption key is derived and that is rotated with the client. But each client gets their own unique key to generate that.

If you have a phone and laptop on a WPA2-PSK access point they can packet sniff and read the contents of said packets as though they were not encrypted. On a WPA2-Enterprise access point clients can packet sniff but only get encrypted content.

The problem with this (and why it affects both implementations) is that the handshaking is broken and allows for a replay attack so the attacker can force the same (temporary) key use and thereby get onto the network with the same encryption without actually knowing the "master" key (shared in PSK, or client in Enterprise)
Click to expand...

You confirm the original KRACK researchers stating that it's a flaw in the WPA2 protocol, so there is nothing to patch but no reason to believe that Apple products are protected either...
 
Bacillus said:
You confirm the original KRACK researchers stating that it's a flaw in the WPA2 protocol, so there is nothing to patch but no reason to believe that Apple products are protected either...
Click to expand...

Flaw in the WPA2 protocol, yes. Definitely something to patch. The concern is that WPA2 has been used for a long time and by a lot of devices. Most Internet of Things (TVs, Printers, etc.) are unlikely to be patched. Cheap routers as well. Apple devices are affected for sure. We can trust Apple to issue a patch for their current line of devices but I'd be surprised if their old Airports get the same treatment.
 
QCassidy352 said:
It shouldn't be either-or. They routinely release macOS security updates for the not-most-recent OS, sometimes going back several versions. It should be the same for iOS. There are very valid reasons to continue running older versions of iOS, and we should not be forced into updates for security purposes.
Click to expand...

It’s a new world. It just is what it is. Be happy things get patched as quick as they do.
 
Dave-Z said:
Flaw in the WPA2 protocol, yes. Definitely something to patch. The concern is that WPA2 has been used for a long time and by a lot of devices. Most Internet of Things (TVs, Printers, etc.) are unlikely to be patched. Cheap routers as well. Apple devices are affected for sure. We can trust Apple to issue a patch for their current line of devices but I'd be surprised if their old Airports get the same treatment.
Click to expand...
Apart from Airports, would all devices need a patch? Is that about a more robust handshake ? What about netw printers (AppleTVs, scanners, legacy fileservers) ?
 
OldSchoolMacGuy said:
Support for 32-bit has ended. The newest 32-bit device was released in 2013. Sorry, but supporting devices that are over 4 years old just doesn't make sense.

Apple supports their devices FAR LONGER than the industry average. If you're concerned, it might be time to consider upgrading to something a bit newer.
Click to expand...

That's a very dismissive attitude. So if my 87 year old grandma is perfectly happy with her iPhone 5, she should be forced to buy a new one so as to have access to a software security patch? And if a few hundred bucks is not in her budget as a retired person then "tough luck, hope you don't get hacked"? Apple is one of the biggest and wealthiest companies in the world. I think they can and should see their way clear to coding a security update for 32 bit devices.

And yes, I do acknowledge that support must be cut off at *some* point. I don't expect a patch for the original iPhone on iOS 3. But I don't think it's unreasonable to expect a patch for A6-based devices, which were sold *new* as late as fall 2015.

Ghost31 said:
This is entirely why I’ve always told people “even if you don’t give a damn another the new features, just update to the newest os as long as your device supports it”. But did anyone listen? No. They just sit back all stubborn until something terrible happens
Click to expand...

It's weighing the possibility of something terrible happening against the certainty of subsequent updates slowing my device to a frustrating crawl (see: A5 devices on iOS 9). Not a choice I believe we should have to make. They release security updates for older macOS versions and should do the same for iOS, in my opinion.
 
  • Like
Reactions: mijail, strawbale, S G and 9 others
Oh well, i'm still sticking with iOS 10.3.3 ... and I'm not allowed to upgrade to High Sierra yet
 
Bacillus said:
Apart from Airports, would all devices need a patch? Is that about a more robust handshake ? What about netw printers (AppleTVs, scanners, legacy fileservers) ?
Click to expand...

Regretably, everything. The protocol itself is flawed so anything using it (which is just about every device out there today) will need a patch; if it doesn't get one you're out of luck.

The only saving grace is that it appears only ONE side of the connection needs the patch, so if you can get it on your router you should be okay.
 
  • Like
Reactions: NewPilgrim
steve123 said:
Apple has known about this since Aug 28. How come a security update was not pushed on Friday?
Click to expand...

Embargo - all companies agree not to release their patch any sooner than anyone else. If one did, that starts the clock running on public exploits. It gives everyone the same amount of time to do their patch. Even the simple release note sentence "fixed wifi security problem" would get the blackhats running at it full blaze.
 
  • Like
Reactions: Agent2015, gnasher729 and Dave-Z
iOS 11 doesn't help my iPad 2, iPod 3rd Gen, or my iPhone 4S. Apple as a ethical responsibility to provide patches to all of these devices.
 
  • Like
Reactions: jamesrick80
Dave-Z said:
Regretably, everything. The protocol itself is flawed so anything using it (which is just about every device out there today) will need a patch; if it doesn't get one you're out of luck.

The only saving grace is that it appears only ONE side of the connection needs the patch, so if you can get it on your router you should be okay.
Click to expand...
Thx. But would that imply that unpatcheable legacy devices cannot logon anymore on pached routers ?
 
  • Like
Reactions: NewPilgrim
DeanLubaki said:
No. The reason why it only disconnects the Wi-Fi connection instead of turning off the Wi-Fi is because Wi-Fi is needed for a lot of other things like Geofencing. Most of the time users want to only disconnect it from the current network. Besides, Wi-Fi's battery usage is insignificant.
Click to expand...

What else is it needed? I've had bluetooth off for 8 years and wifi off as necessary and never suffered.

I told two people this weekend about this stupid change and they were pissed that turning off bluetooth in iOS 11 doesnt really nor does it do wifi. They dont want the battery loss for bluetooth even if it is minimal. Why have it on if you have no use for it at all? They both immediately dug into settings to turn off bluetooth properly.

It's a stupid functional change. Off should be off, not some pseudo state. What's the big deal about displaying a message like it had for the last 10 years instructing user to turn on bluetooth or wifi when it needs it??
 
  • Like
Reactions: DCIFRTHS
Bacillus said:
Thx. But would that imply that unpatcheable legacy devices cannot logon anymore on pached routers ?
Click to expand...

No. It should be backwards compatible. It's just the handshake process, as long as one half is patched you should be fine. But with respect to legacy devices, yes it is still a concern. I'll be removing unpatched stuff from my network because I don't want to forget about them down the road and use them elsewhere where it might not be secure.
[doublepost=1508188522][/doublepost]
xpxp2002 said:
Not exactly. That's actually one of the important takeaways from this entire vulnerability disclosure: PTKs are uniquely established for each client (supplicant) per session. You do possess a shared secret (PMK) that could be used to help you derive the PTK for a specific client and would enable you to receive the GTK from an AP.

But this is what is concerning about this vulnerabiliity -- without knowledge of the PMK, it is possible to use this attack to decrypt and/or replay protected traffic.
Click to expand...

Just to clarify my previous post, yes on WPA2-PSK there are unique sessions with clients, but the formula is fixed so once you know the pre-shared key, there's really nothing left to guess if you want to eavesdrop. With Enterprise the "pre-shared key" is actually unique (per client) and unique (per connection)--it's randomly generated by the RADIUS server during the authentication process--so other clients have really no way of knowing what other users' "pre-shared key" is.
 
  • Like
Reactions: NewPilgrim
QCassidy352 said:
It shouldn't be either-or. They routinely release macOS security updates for the not-most-recent OS, sometimes going back several versions. It should be the same for iOS. There are very valid reasons to continue running older versions of iOS, and we should not be forced into updates for security purposes.
Click to expand...
Let's hope they continue the fashion of releasing security updates for older OS versions, as they have always done. But I'm not 100% sure about this, because Apple is pushing too much for getting us installing the versions they want us to install.
 
Here is what mitigation you can take until patches arrive or for devices which will likely never get a patch.
1. Use wired LAN connections where possible.
2. Use a random SSID and disable broadcast. The initial attack vector requires knowledge of the SSID to be cloned.
3. Unrelated to this specific vulnerability, never ever use public wifi.
 
  • Like
Reactions: Tech198 and NewPilgrim
I have a TON of devices that can't (as a practical matter) be updated. Printers, network cameras, TVs, older Apple TVs, even a smart scale.
 
Last edited:
  • Like
Reactions: NewPilgrim
QCassidy352 said:
That's a very dismissive attitude. So if my 87 year old grandma is perfectly happy with her iPhone 5, she should be forced to buy a new one so as to have access to a software security patch? And if a few hundred bucks is not in her budget as a retired person then "tough luck, hope you don't get hacked"? Apple is one of the biggest and wealthiest companies in the world. I think they can and should see their way clear to coding a security update for 32 bit devices.

And yes, I do acknowledge that support must be cut off at *some* point. I don't expect a patch for the original iPhone on iOS 3. But I don't think it's unreasonable to expect a patch for A6-based devices, which were sold *new* as late as fall 2015.
Click to expand...

So you have an expectation that a company should pour money and resources into a product forever? At what point do you think it's fair to stop supporting an older device? These devices are already over 4 years old. A what time can they stop dumping money into a product they get nothing in return from?
 
  • Like
Reactions: Agent2015 and Xirian
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back