Apple confirms KRACK Wi-Fi WPA-2 attack vector patched in iOS, tvOS, watchOS, macOS betas

Posted in General Discussion, edited October 2017
AppleInsider has learned that Apple has rectified the "KRACK Attack" Wi-Fi WPA-2 exploit in "recent" macOS, iOS, tvOS, and watchOS betas -- but was unable to confirm that a patch is coming for the AirPort series of routers.




Sources inside Apple not authorized to speak on behalf of the company have told AppleInsider that the patch to remove hardware susceptibility was included in a "previous" beta of the current range of operating systems -- meaning a release before Monday's batch. However, our source specifically noted that AirPort hardware, including the Time Machine, AirPort Extreme base station, and AirPort Express, does not have a patch available -- and was not certain if one was in progress.

The last firmware update for the AirPort family of hardware was in Dec. 2016 -- well before the May disclosure of the vulnerability. It is not clear at this time if a patch for the KRACK exploit will be issued for the AirPort.

AppleInsider has reached out to Apple for more information regarding the AirPort family of devices, and to find out specifically which beta versions implement the KRACK patch.

Both a router and a client device must be susceptible to the KRACK Attack vector for the assault to succeed. If either is patched, then no data can be gleaned from the man-in-the-middle method publicized on Monday morning.

The exploit takes advantage of a four-way handshake between a router and a connecting device to establish the encryption key. Properly executed, the third step can be compromised, resulting in the re-use of an encryption key -- or in some cases in Android and Linux, the establishment of a null key.

The researchers claim that the attack vector completely opens up Android 6.0 and later devices. Other operating systems, including iOS and macOS, are less impacted, but "a large number of packets" can still be decrypted from all.

The attack uses one or more of 10 different exploits. The details of the exploit were submitted for review on May 19, and a conference presentation will be delivered on Nov. 1.

Comments

  • Reply 1 of 22
    Can the OP or author post a link from Apple.com with this confirmation?
  • Reply 2 of 22
    lkrupp Posts: 6,002 member
    Yet another one of those vulnerabilities that, while serious on the face of it, will probably have little impact in the real world. Every time one of these flaws is discovered we have the obligatory paranoid response from security freaks with the also obligatory, “This is finally the one that WILL kill us all!” pronouncement. Apparently already patched in upcoming releases but that won’t stop the hand wringing, the paranoia, the freaking out, the recriminations. And as for the Android Apocalypse that is sure to come, well, there have been many of those in the past and I haven’t so far read about millions upon millions of Android users who have had their bank accounts emptied out.

    So to sum up, it is a serious flaw apparently. Will it mean the end of all life online? Not a chance. Will it turn into the usual Android vs iOS pissing contest? No doubt.
  • Reply 3 of 22
    JanNL Posts: 226 member
    Can the OP or author post a link from Apple.com with this confirmation?
    "Sources inside Apple not authorized to speak on behalf of the company has told AppleInsider". So I don't think so...
  • Reply 4 of 22
    jabohn Posts: 523 member
    Can the OP or author post a link from Apple.com with this confirmation?
    Did you read the article? Apple wasn't the source, and they have reached out to Apple with no official response.
  • Reply 5 of 22
    Apple shut down the AirPort team a while back. Since this hack is about clients and the AirPort Express is probably mostly used in client mode, it would be a shame if this is never fixed, which is likely given Apple was given a warning in July, same as all the other companies.
  • Reply 6 of 22
    sergioz Posts: 201 member
    I hope that Apple will update legacy Time Capsules. 
  • Reply 7 of 22
    The AirPort devices shouldn't need patching for this vulnerability. Access points should only need patching if they support 802.11r "fast roaming," and Apple's AirPort line never included support for that protocol.

    The vulnerability affects the last step in a four-way handshake. Normally, that last step is performed by the Wi-Fi client. When 802.11r is enabled, and a client roams from one access point to another, it can be the access point that performs the last step.

    802.11r is a feature you'd be more likely to find in mesh Wi-Fi or enterprise-grade Wi-Fi systems.
  • Reply 8 of 22
    Mike Wuerthele Posts: 2,697 administrator
    macwhiz said:
    The AirPort devices shouldn't need patching for this vulnerability. Access points should only need patching if they support 802.11r "fast roaming," and Apple's AirPort line never included support for that protocol.

    The vulnerability affects the last step in a four-way handshake. Normally, that last step is performed by the Wi-Fi client. When 802.11r is enabled, and a client roams from one access point to another, it can be the access point that performs the last step.

    802.11r is a feature you'd be more likely to find in mesh Wi-Fi or enterprise-grade Wi-Fi systems.
    They may or may not. There's a difference between "demands" an update, "needs," and "should get." 802.11r devices demand a patch. 

    I'd like to see an AirPort Extreme router patch, if for no other reason than that Apple is probably not going to go back and retroactively patch older operating systems. Apple gear lasts a really long time, and only the client or the router needs to be patched for security. Deal with the old gear in one swoop with an AP patch.
  • Reply 10 of 22
    Mike Wuerthele Posts: 2,697 administrator
    iMore's assumption about AirPorts being unaffected is wrong -- and the researchers say so in the white paper.

    Either a client or a router needs to be patched for a connection to be secure. If every client ever is patched, then no router will need to be, and the converse is true.

    However, the reality is that there will be many Macs, PCs, phones, and routers that will not get patched either because of age, or user inaction. Do you think Apple is going to patch Lion, for instance? It behooves everyone, users and companies alike, to patch as much gear as they can, as far as they can.
  • Reply 11 of 22
    rob53 Posts: 1,867 member
    Searching cve.mitre.org for each of these, https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077, does not yet contain any information. The new CVE-IDs have been reserved for when details have been released. When Apple releases software updates, they include the vulnerabilities patched using the CVE numbers. Look for the following when new versions are released.

    Assigned CVE identifiers

    The following Common Vulnerabilities and Exposures (CVE) identifiers were assigned to track which products are affected by specific instantiations of our key reinstallation attack:

    CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.

    CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.

    CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.

    CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.

    CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.

    CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.

    CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.

    CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.

    CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

    CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

    Note that each CVE identifier represents a specific instantiation of a key reinstallation attack. This means each CVE ID describes a specific protocol vulnerability, and therefore many vendors are affected by each individual CVE ID. You can also read vulnerability note VU#228519 of CERT/CC for additional details on which products are known to be affected.
  • Reply 12 of 22
    AmpliFi is on it. They issued a firmware update to fix this issue on their mesh WiFi routers earlier today. 
  • Reply 13 of 22
    sc_markt Posts: 1,392 member
    Did Mavericks get updated or did Apple leave it alone like they did with the recent keychain fix?...

  • Reply 14 of 22
    sc_markt said:
    Did Mavericks get updated or did Apple leave it alone like they did with the recent keychain fix?...

    You’re not going to see any patches for Mavericks or Yosemite going forward. They are both end of life now that High Sierra is out. Mavericks hasn’t been patched since Sierra was released. Sierra and El Capitan will continue to get security updates.
  • Reply 15 of 22
    cornchip Posts: 1,051 member
    taugust04_ai said:
    Sierra and El Capitan will continue to get security updates.
    Whew! I'm still hangin' in there! 
  • Reply 16 of 22
    chia Posts: 679 member
    sc_markt said:
    Did Mavericks get updated or did Apple leave it alone like they did with the recent keychain fix?...

    Yes they did, the latest update to Mavericks is OS X El Capitan. All Macs that were able to run Mavericks are able to run El Capitan.

    Mavericks was released four years ago; is there some software you’re using on Mavericks that can’t run on El Capitan? Otherwise there’s no excuse for not keeping up to date with the OS and security.
  • Reply 17 of 22
    Mike Wuerthele Posts: 2,697 administrator
    chia said:
    sc_markt said:
    Did Mavericks get updated or did Apple leave it alone like they did with the recent keychain fix?...

    Yes they did, the latest update to Mavericks is OS X El Capitan. All Macs that were able to run Mavericks are able to run El Capitan.

    Mavericks was released four years ago; is there some software you’re using on Mavericks that can’t run on El Capitan? Otherwise there’s no excuse for not keeping up to date with the OS and security.
    I believe he's talking about the patch for KRACK. 

    If that's the subject, then no, there is no Mavericks patch for it. At least, not at present.
  • Reply 18 of 22
    lkrupp said:
    Yet another one of those vulnerabilities that, while serious on the face of it, will probably have little impact in the real world. Every time one of these flaws is discovered we have the obligatory paranoid response from security freaks with the also obligatory, “This is finally the one that WILL kill us all!” pronouncement. Apparently already patched in upcoming releases but that won’t stop the hand wringing, the paranoia, the freaking out, the recriminations. And as for the Android Apocalypse that is sure to come, well, there have been many of those in the past and I haven’t so far read about millions upon millions of Android users who have had their bank accounts emptied out.

    So to sum up, it is a serious flaw apparently. Will it mean the end of all life online? Not a chance. Will it turn into the usual Android vs iOS pissing contest? No doubt.

    I've not seen the hyperbolic responses you are claiming. Every credible source I've read has calmly stated that an attacker needs to be in range of your wireless network and that if your device is patched, then you need not worry about unpatched routers. That being said, I prefer over-communication so that I can make my own determination as to what my security posture should be. Also, non-technical users should be told to avoid public hotspots if at all possible until their devices are patched. This is not paranoia; it's just good advice.
  • Reply 19 of 22
    lkrupp said:
    Yet another one of those vulnerabilities that, while serious on the face of it, will probably have little impact in the real world. Every time one of these flaws is discovered we have the obligatory paranoid response from security freaks with the also obligatory, “This is finally the one that WILL kill us all!” pronouncement. Apparently already patched in upcoming releases but that won’t stop the hand wringing, the paranoia, the freaking out, the recriminations. And as for the Android Apocalypse that is sure to come, well, there have been many of those in the past and I haven’t so far read about millions upon millions of Android users who have had their bank accounts emptied out.

    So to sum up, it is a serious flaw apparently. Will it mean the end of all life online? Not a chance. Will it turn into the usual Android vs iOS pissing contest? No doubt.
    Best post.
  • Reply 20 of 22
    coolfactor Posts: 1,246 member
    AppleInsider, can you clean up your wording to clarify this?

    The attack uses one or more of 10 different exploits. The details of the exploit were submitted for review on May 19, and a conference presentation will be delivered on Nov. 1.

    So is it 10 exploits, or one exploit? Or should that be details "of the attack" of which there are 10 different possible ways to execute (exploit) it?