KRACK WPA2 Wi-Fi exploit already fixed in iOS, macOS, tvOS, watchOS betas

Update: Apple sent me the following statement on the KRACK exploit, confirming the upcoming patches:

"Apple is deeply committed to protecting our customers' data. The fix for the KRACK WiFi vulnerability is currently in the betas of iOS, macOS, watchOS and tvOS and will soon be rolled out to customers."

KRACK is an exploit that attacks the way WPA2 protects Wi-Fi access points. While it's bad, there are a are a few factors that prevent it from being truly damaging to the state of modern wireless networking.

First, it can be patched. We don't need a new standard like we did when WEP was broken and everyone had to move to WPA2.

From the KRAK Q&A:

implementations can be patched in a backwards-compatible manner. This means a patched client can still communicate with an unpatched access point (AP), and vice versa. In other words, a patched client or access point sends exactly the same handshake messages as before, and at exactly the same moment in time.

Second, in some cases, access points won't need to be updated.

Our main attack is against the 4-way handshake, and does not exploit access points, but instead targets clients. So it might be that your router does not require security updates. We strongly advise you to contact your vendor for more details. In general though, you can try to mitigate attacks against routers and access points by disabling client functionality (which is for example used in repeater modes) and disabling 802.11r (fast roaming).

For example, it's my understanding that Apple's AirPorts, including Express, Extreme, and Time Capsule don't seem be vulnerable to the exploit, even if using one as a bridge.

If you're using a different router, we're maintaining a list of updates that you can consult as needed. If in doubt, contact your vendor directly.

For ordinary home users, your priority should be updating clients such as laptops and smartphones.

Third, Apple has confirmed to me that the KRACK exploit has already been patched in iOS, tvOS, watchOS, and macOS betas.

As soon as the updates leave beta, they'll be pushed out to everyone. We'll have to wait and see how fast other manufacturers are to respond, and how many of our connected devices receive updates.

KRAK attack: Everything you need to know

Updated to reflect the need for both client and point-of-access updates, if and when available.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • I look forward to more details, such as will they release a security update for macOS Sierra? Also would like to know for a fact the the AirPorts (I have both types) do not need updating. I would like to have my access points protected to protect the WiFi devices that likely will not get patched such as older printers, etc. I am happy to know that my family's iPhones, iPads, and MacBooks will get updates soon.
  • From what I’ve read point 2 above is incorrect. Patching your Wi-Fi access point does not protect devices on that network. The issue is on the client side, so devices need to be patched.
    That will happen pretty soon with iOS and other major computing platforms. Not so quickly probably with you WiFi lightbulbs and other IoT devices.
  • > The issue is on the client side That's what I was thinking. As I understood it, an attacker can collect wifi data sent and received from a vulnerable client device and then generate a token of some sort to access the wifi router (though they don't get the actual passcode.).
  • References below. Patching only ONE end will secure against this attack on THAT CONNECTION. Patching only the router will therefore secure against attacking any of its client connections. BUT. To secure against attacks when connecting your mobile or computer to some OTHER network, you'll need to patch them specifically. Reference: XFORCE.IBM via stackexchange
  • > Likewise, if you patch your access point, any device used on it will likewise be secured. I'm pretty sure that's wrong; the issue is client-side, and there's nothing access points can do to fix it that don't break compatibility with unpatched devices. With that said, there are still access points that act as clients to other access points, and those access points might need to be patched.
  • But my airport will also need a fix. The whole chain has to be patched, yes?
  • As usual, the unnecessary wringing of hands and recriminations. Nothing will come of this for normal users. You don't have to worry about being hacked. The issue is already patched in Windows and will be soon for iOS and macOS, watchOS, and tvOS. Remember this, it’s the stuff we DON’T know about that will get you. Of all the doomsday flaws revealed in that last few years, NONE of them have materialized or caused havoc in the general population. Our privacy and personal data is much more vulnerable because of big data hacks like Equifax and Yahoo than it is from some loser next door trying to listen in on your Wi-Fi connection. So chill out and enjoy life.
  • Apple should patch older versions of iOS too. Not everyone can run iOS 11 and it's dirty to leave them out in the cold. I get that they want to push everyone to the latest OS because it benefits Apple and its developers, but users should not be forced to upgrade to an OS that will slow their devices down dramatically when there is such a glaring security hole.
  • Let’s keep in mind, there’s a big difference in fixing the issue in beta versions versus providing a stand-alone patch (like an “iOS 11.0.4” release). If they plan to release 11.1 and the other OS betas as public releases in the next day or 2, then great. But I don’t want to wait 2 or more weeks to get a fix if iOS 11.1 and tvOS, macOS, and watchOS aren’t getting updated until then. Microsoft released their patches for Windows already today.
  • How nice (sarcasm) that Wi-Fi toggle in control centre has been messed up and it is now more inconvenient than ever to actually turn off Wi-Fi.
    And official Apple support page advises not to turn it off at all: "For the best experience on your iOS device, try to keep Wi-Fi and Bluetooth turned on.".
  • Any updates to this story? When will Apple be pushing a fix? Should we also expect to see updates to our Apple WIFI routers? What about all the devices we now have connected: Ring, Hue, etc. Are these folks pushing updates? Are updates necessary? Would love a comprehensive article on these issues. And, if necessary, an article on the optimal set up of a two Apple router configuration isolating wifi based internet of things equipment from my internal wifi network which allows me to do such things as airdrop and auto logon to my iMac with my apple watch. Apple has made us dependent on wifi, now what do we do to protect ourselves from this dependency without sacrificing convenience?