Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Major Wi-Fi Vulnerabilities Uncovered Put Millions of Devices at Risk, Including Macs and iPhones
- Thread starter MacRumors
- Start date
- Sort by reaction score
95% of public WiFi in places like Starbucks and hotels is unencrypted anyway, so they are vulnerable by DEFAULT and always have been.
You should assume whenever you use public WiFi that every single packet you send and receive is being intercepted. Only use sites and services that implement HTTPS/SSL, and make sure that SSL is active when you use the sites (look for the lock icon in Safari).
All the major banking apps use SSL, but it's probably still safest to turn off WiFi and use cellular for these services. The basic rule for anything financial is, if you have doubts about who runs the network, don't use it there.
It's possible that the device manufacturers have already developed and possibly released the necessary updates, (depending upon the complexity of the fix). How many updates have we seen from Apple since July alone? They don't always announce "Hey! We just patched a major WiFi flaw that potentially affects billions of devices" right when they do it for the same reason that the folks who discover the vulnerabilities wait before going public.
Because they already have you money from the product you purchased so they don't care?
People need to use brands that stay of top of this sort of thing: Ubiquity, Asus, MicroTik, etc. The cheap, practically off-brand, models aren't great for this very reason. Of course, non-tech people won't be able to use the aforementioned routers because they're too complicated to setup.
In this case the vulnerability is pretty significant so proper disclosure was done: Quietly inform vendors and allow them to PREPARE the patch for their products. Then disclose publicly on a specified date so all vendors can release their patches at the same time. This prevents reverse engineering a patch to find the exploit because everyone already has the patch.
As for public wifi, as others have stated, people need to operate from the premise that all public wifi is compromised and eavesdropped. So use a VPN when you connect to them.
It will be interesting to see if Apple updates their routers. I have a few that I keep on hand for various things, if Apple doesn't patch them I guess they're basically useless.
I’m not exactly sure of the connection yet, but this is probably Apples fault. 
Interesting that the BSD base of Mac and iOS are not as vulnerable as are Linux devices. If it is part of the Wi-Fi standard to suggest clearing the encryption key from memory, I am curious as to why Darwin BSD, Windows, and other Os’s don’t follow that?
Is that an elective portion of the standard, or is there something else going on?
Is that an elective portion of the standard, or is there something else going on?
Most public Wifis don't have any password encryption anyway.
So, everyone who can pick up my Wifi can know what I'm doing.. Thanks to Google every marketing company knows what I'm doing.. Thanks to the terrorist threat, every government seems to know what I'm doing..
I seem to be the only one who doesn't have any idea what I'm doing.
I seem to be the only one who doesn't have any idea what I'm doing.
A few device manufactures have pushed out updates for some devices, but it's not widespread given the potential damage here. In all of the patches that have gone public -- one from Netgear at the end of Sep -- did state in the update notes that it fixed a WPA2 handshake flaw. As for Apple, at least for Airport, there haven't been any updates for sometime. I checked this AM and nothing appears of now either so, no, Apple did not silently patch this.
ultimately nothing is secure and nothing is private
you think vulnerabilities like these haven't been known to the nsa or cia already? think again
you think vulnerabilities like these haven't been known to the nsa or cia already? think again
Yes. Way too many people are glossing over this. It is the clients, e.g., Macs, iPads, and iPhones that need to be updated. Not the routers. For example, Microsoft has already confirmed that this is patched in the latest update to Windows 10.
Frankly, this is a silver lining. I trust Apple to update iOS and macOS in a timely manner a whole lot more than I trust Netgear to update their firmware ever.
EDIT: I was being unfair to Netgear - they release security updates for my router, R7000, regularly and promptly.
Well, as with any product, they have your money for the past product, but they want your money for the next. If a manufacturer burns its goodwill then consumers will not buy that company's products again, so yes, coming out with a security patch as quick as possible, is important.
If I am reading it correctly, one side can be patched to help prevent the issue, which can assist in increasing security. With that, iOS / Android and other systems can be updated to help resist the vulnerability, even if the base station you are using isn’t fully patched.
I am curious if iOS / Windows, etc have had a partial patch installed. One that prevents them from being vulnerable from the all zero encryption key.
You probably read this already, but just in case...
They updated the original paper (May 2017) to clarify, "attacking macOS and OpenBSD is significantly easier than discussed in the paper."
"We have follow-up work making our attacks (against for example macOS and OpenBSD) significantly more general and easier to execute. So although we agree that some of the attack scenarios in the paper are rather impractical, do not let this fool you into believing key reinstallation attacks cannot be abused in practice."
That's exactly what happened. This was discovered in July, it's public now because vendors have had since then to prepare the patch and release it (sometime today or shortly after). The entire thing is orchestrated so the most number of users can be protected at the same time.
Just an FYI from the Crackattacks.com (posted by the people who discovered the vulnerability):
Clear, but in a way "clear as mud" since it really doesn't explain when a router needs or doesn't need an update. Of course all clients need an update.
Hopefully Apple will issue a press release soon to given users guidance as to what has been done, what will be done, along with some sort of time line.
Clear, but in a way "clear as mud" since it really doesn't explain when a router needs or doesn't need an update. Of course all clients need an update.
Hopefully Apple will issue a press release soon to given users guidance as to what has been done, what will be done, along with some sort of time line.
That’s why long ago I have decided to only use LTE or a verified XFinity access point.
I wouldn’t be surprise if many of those ‘open’ Xfinity access points are fake, and ready to capture your packets.
There’s no 100% secure anything, at least not yet. There’s always a backdoor or a way to break in.
I wonder how the market is going to react to this, considering how easily it panics at news like this one.
I hear you. And that's the philosophy of the good companies, but the ones that just want money now don't operate like that.