Date: 2017-10-16
Apple has already patched the KRACK attack WPA2 Wi-Fi vulnerability in the developer and public betas for iOS, watchOS, tvOS, and macOS.
KRACK is an exploit that attacks the way WPA2 protects Wi-Fi access points. While it's bad, there are a few factors that prevent it from being truly damaging to the state of modern wireless networking:
- It can be patched. We don't need a new standard like we did when WEP was broken and everyone had to move to WPA2.
- That means if your iPhone, iPad, or Mac is patched, it's safe to use on any wireless access point, even if that access point (router, modem, etc.) hasn't been patched. Likewise, if you patch your access point, any device used on it will likewise be secured.
- In many cases, access points won't need to be updated. For example, Apple's AirPorts, including Express, Extreme, and Time Capsule, don't seem to be affected, even if using one as a bridge.
- Apple has confirmed to me that the KRACK exploit has already been patched in iOS, tvOS, watchOS, and macOS betas.
As soon as the updates leave beta, they'll be pushed out to everyone. We'll have to wait and see how fast other manufacturers are to respond, and how many of our connected devices receive updates.
I'm diving deeper into the specifics now and will update with more info soon.
Reader comments
KRACK WPA2 Wi-Fi exploit already fixed in iOS, macOS, tvOS, watchOS betas
I look forward to more details, such as will they release a security update for macOS Sierra? Also would like to know for a fact that the AirPorts (I have both types) do not need updating. I would like to have my access points protected to protect the WiFi devices that likely will not get patched such as older printers, etc. I am happy to know that my family's iPhones, iPads, and MacBooks will get updates soon.
From what I’ve read point 2 above is incorrect. Patching your Wi-Fi access point does not protect devices on that network. The issue is on the client side, so devices need to be patched.
That will happen pretty soon with iOS and other major computing platforms. Not so quickly probably with your WiFi lightbulbs and other IoT devices.
> The issue is on the client side
That's what I was thinking. As I understood it, an attacker can collect wifi data sent and received from a vulnerable client device and then generate a token of some sort to access the wifi router (though they don't get the actual passcode).
References below. Patching only ONE end will secure against this attack on THAT CONNECTION. Patching only the router will therefore secure against attacking any of its client connections.
BUT. To secure against attacks when connecting your mobile or computer to some OTHER network, you'll need to patch them specifically.
Reference: XFORCE.IBM via stackexchange
> Likewise, if you patch your access point, any device used on it will likewise be secured.
I'm pretty sure that's wrong; the issue is client-side, and there's nothing access points can do to fix it that doesn't break compatibility with unpatched devices. With that said, there are still access points that act as clients to other access points, and those access points might need to be patched.
But my airport will also need a fix. The whole chain has to be patched, yes?
As usual, the unnecessary wringing of hands and recriminations. Nothing will come of this for normal users. You don't have to worry about being hacked. The issue is already patched in Windows and will be soon for iOS and macOS, watchOS, and tvOS. Remember this, it’s the stuff we DON’T know about that will get you. Of all the doomsday flaws revealed in the last few years, NONE of them have materialized or caused havoc in the general population. Our privacy and personal data is much more vulnerable because of big data hacks like Equifax and Yahoo than it is from some loser next door trying to listen in on your Wi-Fi connection. So chill out and enjoy life.