This is entirely why I’ve always told people “even if you don’t give a damn about the new features, just update to the newest OS as long as your device supports it”. But did anyone listen? No. They just sit back all stubborn until something terrible happens.
For those that use their devices for business, it does them no good either if core business functionality gets compromised instead.
 
The computer industry as a whole needs to do a much better job at security. They need to get it right the first time. Not rely on endless patching. Why? Because there are products out there that might not ever be updated, that a manufacturer has already moved on from. Old TV sets, old phones and operating systems that cannot be upgraded, smoke detectors, door locks, light bulbs, refrigerators... wifi is used in just about everything now.

Got to get this stuff right to begin with. Too important not to.
 
It's not likely someone is going to be using this exploit on your home WiFi, but a crowded airport to sniff out credit cards or passwords? Maybe more likely. Also, a lot of newer public networks use WPA2 and aren't completely open.

Anyone who uses public Wi-Fi while transmitting credit cards or passwords is asking, no, begging for trouble. I stopped using public Wi-Fi some years ago in favor of LTE exclusively. I don’t use any retail store’s “free” Wi-Fi. Just turn off Wi-Fi when you’re out in public and you’ll be fine.
 
Is it possible that Apple already patched it in 10.3.3? As there were quite a few patches to wifi and stuff and still within the 90 day window for security disclosures? Some of which aren’t disclosed in the patch notes?
 
The computer industry as a whole needs to do a much better job at security. They need to get it right the first time. Not rely on endless patching. Why? Because there are products out there that might not ever be updated, that a manufacturer has already moved on from. Old TV sets, old phones and operating systems that cannot be upgraded, smoke detectors, door locks, light bulbs, refrigerators... wifi is used in just about everything now.

Got to get this stuff right to begin with. Too important not to.

Yeah, well Wi-Fi has been around for over ten years now and this flaw has just now been discovered. There is literally NO WAY to “get this stuff right to begin with.” Like I have posted once before, I worked for AT&T for 34 years in a telephone central office. Digital telephone switches began to be installed in the 1980s and thirty years later those switches are still being patched almost daily. Software development just doesn’t work the way you are expecting it to. There has never been a piece of software released that didn’t require updating or patching. And there never will be.
 
I guess Python scripts are easier to do.

Looks like obsolete routers with WPA2 are out of luck with updates. You may even say the "drive" are the exploits because that forces more people to buy newer stuff :D
 
Is it possible that Apple already patched it in 10.3.3? As there were quite a few patches to wifi and stuff and still within the 90 day window for security disclosures? Some of which aren’t disclosed in the patch notes?

No, it's only patched in the latest iOS, macOS and tvOS betas.

10.3.3 holdouts definitely will have to upgrade now, or face the very real risk of handing over control of your bank accounts, email accounts, and other sensitive data to hackers.

In a way I'm delighted it means nobody can choose to stay on iOS 10 anymore. ;)
Here is what mitigation you can take until patches arrive or for devices which will likely never get a patch.
1. Use wired LAN connections where possible.
2. Use a random SSID and disable broadcast. The initial attack vector requires knowledge of the SSID to be cloned.
3. Unrelated to this specific vulnerability, never ever use public wifi.

Isn't it trivial to sniff out SSIDs that aren't being broadcast?
 
My biggest concern is WiFi POS terminals at retailers and restaurants. If businesses don't disable SSID broadcast, the initial attack vector exists, thus vulnerable and the hackers get my CC details.
Disabling SSID broadcast doesn't do anything. It's trivially easy to sniff the SSID of any Wifi network as long as there is any traffic, SSID broadcast disabled or not.

POS traffic has its own encryption and doesn't rely on Wifi encryption, BTW. I don't think that's a big concern. This primarily affects enterprise and home networks.
 
I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?
If Apple fixes this in iOS and macOS, then your iOS and macOS devices are safe. If you use an Android phone, or a Windows PC, then it may or may not be safe. In that case, _either_ your Android phone and Windows PC, _or_ your AirPort Extreme needs an update.
 
Here is what mitigation you can take until patches arrive or for devices which will likely never get a patch.
1. Use wired LAN connections where possible.
2. Use a random SSID and disable broadcast. The initial attack vector requires knowledge of the SSID to be cloned.
3. Unrelated to this specific vulnerability, never ever use public wifi.
Would it be safe if I leave the “unpatched” devices turned on but without connecting them to my home WiFi (the WiFi is from my AirPort Time Capsule)?
 
Here is what mitigation you can take until patches arrive or for devices which will likely never get a patch.
1. Use wired LAN connections where possible.
2. Use a random SSID and disable broadcast. The initial attack vector requires knowledge of the SSID to be cloned.
3. Unrelated to this specific vulnerability, never ever use public wifi.

In other words, makes things more difficult for the user, since the SSID will need to be typed in. I guess when you have "Auto join enabled" there would be no reason to broadcast, since the host already has it in Network.
 
I almost forwarded this article to a friend as a good news story. Until I re-read the headline. It's patched in the *betas*? Well that's good, and I'm happy for the beta testers. Now tell me something about the non-beta folk: when will we have our macOS, iOS, tvOS and watchOS patched? Hmm?

And yeah, to echo just about every other comment in here: what about the devices that can't run the latest operating system? Will they get patches too?
 
Adds another barrier for embedded devices which may never get patched.

It is no barrier for anyone looking to exploit this. It takes seconds to find "hidden" SSIDs. It is basically no slower than obtaining the broadcast SSID list.

I am very sure if anyone nearby is trying to exploit this, having your SSID set to not broadcast will do nothing to protect you. It may even make you a bigger target since someone going to the trouble of trying to hide most probably has something worth hiding that the attacker might like to see. If I was the attacker, I think I'd probably start with the "hidden" SSID list.
 
The point is they can be used to gain access to the network, then a hacker could listen to all traffic on that network, not just the compromised device.
It doesn't work like that. The hacker can only listen to the traffic between two vulnerable devices.

If you have a vulnerable router, and two vulnerable phones A and B, and two safe phones C and D, then the hacker can listen to conversation between router and A or B, and between A and B directly. Any connection involving C and D is safe.
Thx. But would that imply that unpatchable legacy devices cannot log on anymore on patched routers?
No, they will work just fine and be safe as long as they are connected to a patched router. The problem happens when a hacker interrupts a logon that is half done, and the device tries to continue from that half connected state. All the patched router needs to do is not allow this - when a logon is interrupted when it's half done, both sides have to start from scratch, and that is safe.
 
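A toy model of the behaviour described in the last post, added here as an illustration and not written by any poster in this thread or taken from any vendor's code: it compares resuming a half-done logon with starting from scratch, and counts how many (key, packet number) pairs end up encrypting more than one frame. The class and function names, the passphrase and the SHA-256 key derivation are constructed stand-ins for the real WPA2 handshake.

```python
import hashlib
import os


class Station:
    """Simplified model of one side of a WPA2 link: a session key plus a packet counter."""

    def __init__(self, restart_on_interrupt):
        self.restart_on_interrupt = restart_on_interrupt
        self.key = None
        self.packet_number = 0
        self.used = []  # every (key, packet_number) pair used to encrypt a frame

    def handshake(self, passphrase=b"constructed-passphrase"):
        # A full handshake uses fresh random nonces, so it yields a fresh key.
        nonces = os.urandom(32)
        self.install(hashlib.sha256(passphrase + nonces).digest())

    def install(self, key):
        # Installing a key always resets the packet counter to zero.
        self.key = key
        self.packet_number = 0

    def send(self):
        self.packet_number += 1
        self.used.append((self.key, self.packet_number))

    def handshake_step_repeated(self):
        """The final handshake step arrives again after an interruption."""
        if self.restart_on_interrupt:
            self.handshake()        # start from scratch: new nonces, new key
        else:
            self.install(self.key)  # resume half-done state: same key, counter reset


def reused_pairs(station):
    """Return the (key, packet_number) pairs that encrypted more than one frame."""
    seen, repeats = set(), set()
    for pair in station.used:
        (repeats if pair in seen else seen).add(pair)
    return repeats


def simulate(restart_on_interrupt, frames=3):
    """Send frames, interrupt the logon, send again; return the count of reused pairs."""
    sta = Station(restart_on_interrupt)
    sta.handshake()
    for _ in range(frames):
        sta.send()
    sta.handshake_step_repeated()
    for _ in range(frames):
        sta.send()
    return len(reused_pairs(sta))
```

Any non-zero result from `simulate(False)` means the same key and packet number protected two different frames, which is the condition the restart-from-scratch behaviour avoids.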