Except new bugs can themselves be new software vulnerabilities. Every change and new feature represents a potentially new vulnerability.

This is also true. However I still stand by the idea, it’s better to update than not. I wait about 24 hours after a fresh update is released then I download.

Way too many security patches not to update imo.
 
There's a lot of misinformation about KRACK. According to WiFi router makers like Eero, that's not true:


My understanding from reading various articles is that if a router is patched, devices affected by KRACK vulnerability will be able to do secure 4-way handshake, thus not at risk for Man-in-the-Middle attack from nearby hackers.

So if you have older WiFi client devices that are always at home, getting your router patched is highly beneficial.

Apple told these folks their routers appear not to be vulnerable,

https://www.imore.com/krack

"Update: Apple has told iMore that KRACK has already been fixed in the beta versions of iOS, macOS, watchOS, and tvOS, and that AirPort routers and Time Capsules don't appear to be vulnerable to the exploit."
 
There's a lot of misinformation about KRACK. According to WiFi router makers like Eero, that's not true:


My understanding from reading various articles is that if a router is patched, devices affected by KRACK vulnerability will be able to do secure 4-way handshake, thus not at risk for Man-in-the-Middle attack from nearby hackers.

So if you have older WiFi client devices that are always at home, getting your router patched is highly beneficial.

According to the highly technical discussions I've been reading on Ars this is untrue. The fixes for routers address a specific client mode vulnerability in some routers, but will do nothing to protect clients that remain unpatched.

Apparently the AirPort Extreme doesn't support the specific client mode vulnerable to this attack, so that's why they have been able to tell iMore the device doesn't require patching. But obviously that doesn't mean all the client devices connecting to an AirPort Extreme are safe. Which is why Apple is working on patches for the clients.

Bottom line - you will have to upgrade to iOS 11 now. Apple will not allow iOS 11 compatible devices to update to a patched 10.3.4, assuming they even issue a patch for older iOS 10-only devices.
 
According to the highly technical discussions I've been reading on Ars this is untrue. The fixes for routers address a specific client mode vulnerability in some routers, but will do nothing to protect clients that remain unpatched.

Apparently the AirPort Extreme doesn't support the specific client mode vulnerable to this attack, so that's why they have been able to tell iMore the device doesn't require patching. But obviously that doesn't mean all the client devices connecting to an AirPort Extreme are safe. Which is why Apple is working on patches for the clients.

Bottom line - you will have to upgrade to iOS 11 now. Apple will not allow iOS 11 compatible devices to update to a patched 10.3.4, assuming they even issue a patch for older iOS 10-only devices.

Still not going to upgrade to iOS 11 on my old 6+. I'm ok with the risk as the hack is hardly simple. Additionally, where I use Wi-Fi the signal barely propagates, it's so populated; the Wi-Fi I use is mostly AirPort Extremes (not vulnerable), or at work with professional-grade Wi-Fi which will also be patched.
 
Ok, I’m one of those “grammas” being talked about on here. I’m a very good user of my iPad/Mac but don’t understand a lot of what you are saying here. I do understand that my iPhone/iPad/Mac will get updated but my Sony Smart TV/Pioneer receiver/printer will not. And so what I don’t understand is...without updates to those devices not updated, will that make banking information that I enter on my (updated) MBP subject to being hacked?

I wouldn't panic just yet. The tech industry is still wrapping their heads around this issue. As devices receive patches, the focus will turn to devices that are not being patched, and in turn what we should do to minimize or mitigate risk from those unpatched devices. I actually predict that this is a serious enough issue to motivate manufacturers to patch a lot of smart devices released in recent years, but it may take a little while.

In the meantime, just update promptly when your Mac/iPad/iPhone offers you an update.

I'll second this. (I do network security and WiFi; see my Twitter and LinkedIn info to confirm). Wherever your web browser is using "https" (where you see that lock icon), you're ok. Banking and credit card transmissions are ok. This is protected by a higher level function (HTTPS, SSL, TLS), so even if your WiFi stuff may be intercepted, the higher level traffic is still secured by another arrangement of trusted communications.

(I'm being generic for the "gramma" above; and to that Gramma, I'm impressed that you're involved and paying attention to all this, and you should be proud of yourself! Folks like you make me hopeful for our future.)
 
May I ask of some of you who understand this, is it right to assume that an attacker needs to be within effective wifi range of my home router to accomplish anything, and that in public with my iPhone, if I am not actively connected to a wifi network then there is also no risk? Until all this is patched...? And that even if I do connect to a public wifi network with my iPhone, if I am not doing anything that relates to passwords, card numbers, etc, then there is still no risk of loss of anything other than perhaps a bit of privacy...?
 
Maybe I missed this. Where does the attacker's machine connect to? Does it have to be connected to the same SSID, or is it just scanning the air for whatever comes in?

Thanks
 
May I ask of some of you who understand this, is it right to assume that an attacker needs to be within effective wifi range of my home router to accomplish anything, and that in public with my iPhone, if I am not actively connected to a wifi network then there is also no risk?
Yes and yes.
And that even if I do connect to a public wifi network with my iPhone, if I am not doing anything that relates to passwords, card numbers, etc, then there is still no risk of loss of anything other than perhaps a bit of privacy...?
Most public Wifi networks don't use WPA2 encryption anyway, and even if they do, you don't know what happens to the data behind the access point. So they are as unsafe as ever and KRACK doesn't really change anything.
 
I'll second this. (I do network security and WiFi; see my Twitter and LinkedIn info to confirm). Wherever your web browser is using "https" (where you see that lock icon), you're ok. Banking and credit card transmissions are ok. This is protected by a higher level function (HTTPS, SSL, TLS), so even if your WiFi stuff may be intercepted, the higher level traffic is still secured by another arrangement of trusted communications.

(I'm being generic for the "gramma" above; and to that Gramma, I'm impressed that you're involved and paying attention to all this, and you should be proud of yourself! Folks like you make me hopeful for our future.)
Thank you very much for your comments
 
It was my understanding that a VPN absolutely protects against this exploit, as all an attacker would see is encrypted VPN traffic, much like anyone trying to sniff a public WiFi hotspot where someone is using a VPN.

Feenician is incorrect in saying that a VPN cannot protect against the KRACK exploit. A quick Internet search using "KRACK VPN" turns up multiple sources that confirm that a VPN is one of the easiest ways to protect yourself. Nothing that I have read about KRACK states that the exploit is capable of decrypting encrypted data streams. If Feenician knows something that everyone else does not, he/she should provide links to reputable sources.

We should all be using a VPN whenever we are online, as it prevents an ISP from logging online activities and selling the data. There are other benefits but that one alone should be enough to convince anyone that a VPN is a low-cost no-brainer.

I recommend Witopia.net. Private Internet Access is the one to use if you want as close to zero logging as possible. Both companies have inexpensive annual subscriptions for OS and iOS devices.
 
And lose cell signal, boy that's convenient.

When exactly do you want to turn off wifi and Bluetooth but not cellular? I am more inclined to turn off cellular and keep BT/wifi connected than the other way around.
 
According to the highly technical discussions I've been reading on Ars this is untrue. The fixes for routers address a specific client mode vulnerability in some routers, but will do nothing to protect clients that remain unpatched.

Apparently the AirPort Extreme doesn't support the specific client mode vulnerable to this attack, so that's why they have been able to tell iMore the device doesn't require patching. But obviously that doesn't mean all the client devices connecting to an AirPort Extreme are safe. Which is why Apple is working on patches for the clients.

There is a lot of misinformation out there, but this much seems to be true.

From Wi-Fi Security Flaw Not As Bad As It’s KRACKed Up To Be:

Conversations with a few security experts made it clear that while the Wi-Fi access point side of the equation isn’t at fault for these negotiation flaws, even consumer-scale access points could be updated to block, resist, or report KRACKs. (There’s one exception: corporate-scale access points that support “fast handoff” act a little bit like a client in that mode, and routers with that feature have to be patched, too.)

So while it's the client devices themselves that are at risk (unless multiple routers are meshed with fast handoff, aka 802.11r), a good router can prevent KRACK altogether.

AirPort Extreme and Time Capsule are not prone to KRACK themselves. But it is not known whether they can resist KRACK from affecting unpatched client devices.
 
Embargo - all companies agree not to release their patch any sooner than anyone else. If one did, that starts the clock running on public exploits. It gives everyone the same amount of time to do their patch. Even the simple release note sentence "fixed wifi security problem" would get the blackhats running at it full blaze.

The CERT website shows Red Hat patched their stuff Oct 4. Many others patched before the announcement. There is still no patch from Apple.
I've noticed they seem to be behind the ball on a lot of security issues, taking a few days to patch things. Not as pro-active as they should be if privacy and security are such a focus.

Yeah, their response on this seems odd.
 
There is a lot of misinformation out there, but this much seems to be true.

From Wi-Fi Security Flaw Not As Bad As It’s KRACKed Up To Be:

Conversations with a few security experts made it clear that while the Wi-Fi access point side of the equation isn’t at fault for these negotiation flaws, even consumer-scale access points could be updated to block, resist, or report KRACKs. (There’s one exception: corporate-scale access points that support “fast handoff” act a little bit like a client in that mode, and routers with that feature have to be patched, too.)

So while it's the client devices themselves that are at risk (unless multiple routers are meshed with fast handoff, aka 802.11r), a good router can prevent KRACK altogether.

AirPort Extreme and Time Capsule are not prone to KRACK themselves. But it is not known whether they can resist KRACK from affecting unpatched client devices.

I wouldn't be relying on tidbits for security advice. They are good people, but there are far better sources of information when it comes to this kind of thing.

The researchers behind KRACK make it very clear both client and AP need to be patched. They have published an FAQ that confirms it. It is the client that is most important to be patched and most vulnerable. I have not seen one shred of credible evidence that suggests this threat can be mitigated by patching only the AP.
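The disagreement in the two posts above (an AP "that can prevent KRACK altogether" versus "both client and AP need to be patched") comes down to which side resets the client's packet counter. The following toy model, added here and not code from any poster or from the KRACK researchers, simulates the client-side key installation the attack abuses: an unpatched client that reinstalls the pairwise key on a retransmitted message 3 resets its nonce, so the same (key, nonce) pair is used twice; a patched client installs the key once; an AP modified to never retransmit message 3 shields only clients connected to that AP. Names, keys and frame counts are constructed for illustration, and no real 802.11 frames or cryptography are involved.

```python
# Constructed toy model of the WPA2 client state that KRACK abuses: a key
# (re)installation resets the packet number used as the encryption nonce.
# Illustration only; no real 802.11 frames, keys or ciphers are used.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Client:
    patched: bool                      # patched clients install a given PTK only once
    ptk: str | None = None             # pairwise key delivered by handshake message 3
    installed: bool = False
    tx_nonce: int = 0                  # per-key packet counter; must never repeat
    used: list = field(default_factory=list)   # (key, nonce) pairs actually sent

    def on_msg3(self, ptk: str) -> None:
        """Handle message 3 of the 4-way handshake, original or retransmitted."""
        if self.installed and self.patched:
            return                     # fix: ignore the retransmit, keep the counter
        self.ptk = ptk
        self.installed = True
        self.tx_nonce = 0              # (re)installation resets the nonce: the bug

    def send_frames(self, count: int) -> None:
        for _ in range(count):
            self.tx_nonce += 1
            self.used.append((self.ptk, self.tx_nonce))


def simulate(client_patched: bool, ap_retransmits_msg3: bool) -> bool:
    """True if any (key, nonce) pair was used twice, i.e. keystream reuse occurred.
    ap_retransmits_msg3=False models an AP changed to never resend message 3."""
    client = Client(patched=client_patched)
    client.on_msg3("PTK-1")            # normal handshake: message 3 arrives
    client.send_frames(3)
    if ap_retransmits_msg3:            # message 4 lost (or withheld), AP resends 3
        client.on_msg3("PTK-1")
    client.send_frames(3)
    return len(client.used) != len(set(client.used))


def scenarios() -> dict[str, bool]:
    """Outcome for the client/AP patch combinations argued over in the thread."""
    return {
        "unpatched client, ordinary AP": simulate(False, True),
        "unpatched client, AP that never resends msg3": simulate(False, False),
        "patched client, ordinary AP": simulate(True, True),
    }
```

Only the patched client is safe regardless of which AP it joins; the modified AP helps the unpatched client at home and nowhere else, which is the point the researchers' FAQ makes.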
 
This is also true. However I still stand by the idea, it’s better to update than not. I wait about 24 hours after a fresh update is released then I download.

Way too many security patches not to update imo.

They should be rolling out the same security updates for prior major versions, in my opinion. It shouldn't be necessary to upgrade to a new major version, and risk breaking compatibility with applications and other systems, just to remain secure.

I do wish Apple would stop changing things!
 
Apple isn't for everyone. I'd suggest exploring other options if their current offerings don't suit your needs.

If we don't like both the software and the hardware, we're supposed to just pack our bags and go elsewhere? That's what's insane about being a Mac user. Wait until Apple makes decisions that affect you and you'll change your tune.
 
Which iOS version is patched? I'm not updating to iOS 11. I'm tired of letting Apple slow my devices down artificially.
 
Which iOS version is patched? I'm not updating to iOS 11. I'm tired of letting Apple slow my devices down artificially.

Only iOS 11.1 beta so far. If you’re not going to update to iOS 11, you’re most likely going to remain vulnerable as it seems like Apple stops caring about older iOS versions the minute a newer version is released.
 