AppleInsider has learned that Apple has rectified the "KRACK Attack" Wi-Fi WPA-2 exploit in "recent" macOS, iOS, tvOS, and watchOS betas — but was unable to confirm that a patch is coming for the AirPort series of routers.
Sources inside Apple not authorized to speak on behalf of the company have told AppleInsider that the patch to remove hardware susceptibility was included in a "previous" beta of the current range of operating systems — meaning a release before Monday's batch. However, our source specifically noted that AirPort hardware, including the Time Machine, AirPort Extreme base station, and AirPort Express, does not have a patch available — and was not certain if one was in progress.
The last firmware update for the AirPort family of hardware was in Dec. 2016 — well before the May disclosure of the vulnerability. It is not clear at this time if a patch for the KRACK exploit will be issued for the AirPort.
AppleInsider has reached out to Apple for more information regarding the AirPort family of devices, and to find out specifically which beta versions implement the KRACK patch.
Both a router and a client device must be susceptible to the KRACK Attack vector for the assault to succeed. If either is patched, then no data can be gleaned from the man-in-the-middle method publicized on Monday morning.
The exploit takes advantage of the four-way handshake that a router and a connecting device use to establish the encryption key. Properly executed, the third step can be compromised, resulting in the re-use of an encryption key — or in some cases on Android and Linux, the establishment of a null key.
The researchers claim that the attack vector completely opens up Android 6.0 and later devices. Other operating systems, including iOS and macOS, are less impacted, but "a large number of packets" can still be decrypted from all.
The attack uses one or more of 10 different exploits. The details of the exploit were submitted for review on May 19, and a conference presentation will be delivered on Nov. 1.
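The key re-use described above, as an added example (not AppleInsider's or the researchers' code): a toy client that resets its packet number every time message 3 installs the key, next to a patched client that ignores a retransmitted message 3 for the key already in use. The SHA-256 keystream is a stand-in for the real WPA2 cipher, and the class, function names, key and sample frames are constructed for illustration.

```python
import hashlib

def keystream(key: bytes, pn: int, n: int) -> bytes:
    # Toy stand-in for the per-frame keystream; NOT real AES-CCMP.
    out, ctr = b"", 0
    while len(out) < n:
        block = key + pn.to_bytes(6, "big") + ctr.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Supplicant:
    """Hypothetical client side of the handshake, reduced to key install."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.key = None
        self.pn = 0  # packet number, used as the per-frame nonce

    def on_message3(self, key: bytes) -> None:
        # Patched: a replayed message 3 carrying the key already in use
        # must not reinstall it, so the packet number keeps counting.
        if self.patched and key == self.key:
            return
        self.key, self.pn = key, 0  # (re)install resets the nonce

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.key, self.pn, len(plaintext)))

FRAME_A = b"frame-one payload"  # constructed sample plaintexts
FRAME_B = b"frame-two payload"

def run_session(patched: bool):
    key = bytes(range(16))  # constructed session key
    sta = Supplicant(patched)
    sta.on_message3(key)
    frames = [sta.send(FRAME_A)]
    sta.on_message3(key)  # message 3 arrives a second time
    frames.append(sta.send(FRAME_B))
    return frames

def reused_nonces(frames):
    # Detection check: any packet number seen twice under one key.
    seen, dup = set(), set()
    for pn, _ in frames:
        (dup if pn in seen else seen).add(pn)
    return dup
```

In the unpatched run both frames carry packet number 1, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts; in the patched run the packet numbers are 1 and 2 and nothing cancels.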
22 Comments
Can the OP or author post a link from Apple.com with this confirmation?
Yet another one of those vulnerabilities that, while serious on the face of it, will probably have little impact in the real world. Every time one of these flaws is discovered we have the obligatory paranoid response from security freaks with the also obligatory, “This is finally the one that WILL kill us all!” pronouncement. Apparently already patched in upcoming releases but that won’t stop the hand wringing, the paranoia, the freaking out, the recriminations. And as for the Android Apocalypse that is sure to come, well, there have been many of those in the past and I haven’t so far read about millions upon millions of Android users who have had their bank accounts emptied out.
So to sum up, it is a serious flaw apparently. Will it mean the end of all life online? Not a chance. Will it turn into the usual Android vs iOS pissing contest? No doubt.
Apple shut down the AirPort team a while back. Since this hack is about clients and the AirPort Express is probably mostly used in client mode, it would be a shame if this is never fixed. Which is likely given Apple were given a warning in July, same as all the other companies.