Redesigned iPhone with edge-to-edge OLED display and facial recognition launches November 3.
Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas
Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore's Rene Ritchie this morning.
The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.
A KRACK attack proof-of-concept from security researcher Mathy Vanhoef
Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads.
Using a key reinstallation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.
Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue.
Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection.
Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability relies on a flaw that allows what's supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there's still a partial vulnerability.
Once patched, devices running iOS, macOS, tvOS, and watchOS will not be able to be exploited using the KRACK method even when connected to a router or access point that is still vulnerable. Still, consumers should watch for firmware updates for all of their devices, including routers.
Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.
The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.
Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads.
Using a key reinstallation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.
Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue.
Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection.
Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability relies on a flaw that allows what's supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there's still a partial vulnerability.
Once patched, devices running iOS, macOS, tvOS, and watchOS will not be able to be exploited using the KRACK method even when connected to a router or access point that is still vulnerable. Still, consumers should watch for firmware updates for all of their devices, including routers.
Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.
[ 129 comments ]
Top Rated Comments
(View all)
5 hours ago at 11:48 am
Are they going to release a security update for devices that can't run iOS 11?
5 hours ago at 11:49 am
This is why I keep my devices updated, its worth dealing with a few bugs.
5 hours ago at 11:53 am
That’s great. But still, Apple needs to change the WiFi toggle behavior in control center for these kinds of things.
5 hours ago at 11:53 am
I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?
It's both, really. Pretty much everything will need a firmware update.
5 hours ago at 11:49 am
I think I’m confused, is this about the clients (our devices...) or is this about the WiFi security itself? As in, does my AirPort Extreme need an update?
3 hours ago at 01:53 pm
Support for 32-bit has ended. The newest 32-bit device was released in 2013. Sorry, but supporting devices that are over 4 years old just doesn't make sense.
Apple supports their devices FAR LONGER than the industry average. If you're concerned, it might be time to consider upgrading to something a bit newer.
That's a very dismissive attitude. So if my 87 year old grandma is perfectly happy with her iPhone 5, she should be forced to buy a new one so as to have access to a software security patch? And if a few hundred bucks is not in her budget as a retired person then "tough luck, hope you don't get hacked"? Apple is one of the biggest and wealthiest companies in the world. I think they can and should see their way clear to coding a security update for 32 bit devices.
And yes, I do acknowledge that support must be cut off at *some* point. I don't expect a patch for the original iPhone on iOS 3. But I don't think it's unreasonable to expect a patch for A6-based devices, which were sold *new* as late as fall 2015.
This is entirely why I’ve always told people “even if you don’t give a damn another the new features, just update to the newest os as long as your device supports it”. But did anyone listen? No. They just sit back all stubborn until something terrible happens
It's weighing the possibility of something terrible happening against the certainty of subsequent updates slowing my device to a frustrating crawl (see: A5 devices on iOS 9). Not a choice I believe we should have to make. They release security updates for older macOS versions and should do the same for iOS, in my opinion.
5 hours ago at 11:55 am
That’s great. But still, Apple needs to change the WiFi toggle behavior in control center for these kinds of things.
Sorry but that is a complete separate complaint.
4 hours ago at 12:17 pm
What about for 32 bit devices ?
Support for 32-bit has ended. The newest 32-bit device was released in 2013. Sorry, but supporting devices that are over 4 years old just doesn't make sense.
Apple supports their devices FAR LONGER than the industry average. If you're concerned, it might be time to consider upgrading to something a bit newer.
5 hours ago at 11:51 am
I foresee having to buy a new router really. Devices tend to last longer than manufactures want to support them for.
[doublepost=1508179975][/doublepost]
Sierra is only one step behind in Apple's OS chain, so it should get patched, too. Apple tends to support security updates for at least the previous version of macOS, if not further back.
[doublepost=1508179975][/doublepost]
What about support for Sierra?
Sierra is only one step behind in Apple's OS chain, so it should get patched, too. Apple tends to support security updates for at least the previous version of macOS, if not further back.
[ Read All Comments ]
Best Buy this week has launched a sale on Apple's iPad mini 4, mirroring the $100 discount that Target placed on the 7.9-inch device late last week. You can get the 128GB iPad mini 4 from...
Apple today seeded the third beta of an upcoming tvOS 11.1 update to developers for testing purposes, a week after seeding the second tvOS 11.1 update and a month after releasing tvOS 11 to the...
Apple today seeded the third beta of an upcoming watchOS 4 update to developers for testing purposes, a week after releasing the second watchOS 4.1 beta and a month after releasing the new watchOS 4...
LEDVANCE today announced an expansion to its line of HomeKit-enabled Sylvania lights, introducing the Indoor Flex Strip Full Color and the Soft White A19 Bulb, both of which are joining the existing...
Microsoft has revealed a redesign coming to its Outlook apps for Mac and Windows platforms, which is described as aiming for a "simplified" user interface that falls in line with the Outlook...
DxO today announced a new update for its DxO One iPhone-connected camera accessory, introducing a new time-lapse option with exclusive "Auto Ramping" technology and multi-camera Facebook Live...
Apple recently added a new Bluetooth speaker to its retail and online stores, called the "SoundLink Micro" and created by Bose. Spotted by Japanese blog Mac Otakara [Google Translate], the...
Apple Maps has added public transit directions for Ireland, as pointed out by developer Steven Troughton-Smith on Twitter. With the updated directions, users in Ireland can now choose from a few...
