Has the WiFi KRACK vulnerability been patched for iOS?
There is a new vulnerability in WPA2 called KRACK (short for Key Reinstallation Attack), as described in The Guardian article: 'All WiFi networks' are vulnerable to hacking, security expert discovers'
According to the article:
The vulnerability affects a number of operating systems and devices, the report said, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys and others.
Have there been any security releases for iOS fixing this?
Updates released 31 October 2017
Apple has released updates that include a fix for the KRACK vulnerability for macOS, iOS, tvOS and watchOS. To get the updates:
- macOS High Sierra 10.13.1 and security updates for Sierra & El Capitan: Launch the App Store and select the Updates tab.
- iOS 11.1: Go to Settings > General > Software Update
- watchOS 4.1: Launch the Watch app on your iPhone, then go to General > Software Update
- tvOS 11.1: For Apple TV 4 (and 4K) go to Settings > System > Software Updates and select Update Software. For Apple TV (2nd/3rd generation) go to Settings > General > Update Software
It's Apple's policy to not comment on security vulnerabilities until they are patched, and even when they do, they are often quite vague about it.
About Apple security updates
For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the Apple security updates page.
However, with a little detective work, we can gain some insight. Looking at the CVEs assigned to this particular vulnerability,* we can get a listing of the issues that should be addressed by Apple when they decide to issue a security patch:
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Also, this ZDNet Article - Here's every patch for KRACK Wi-Fi vulnerability available right now (Oct. 16, 2017) indicates that vendors are responding quickly and Apple has confirmed that patches are in beta.
Apple confirmed it has a fix in beta for iOS, MacOS, WatchOS and TVOS, and will be rolling it out in a software update in a few weeks.
*Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cyber security vulnerabilities. Use of "CVE Identifiers (CVE IDs)," which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software vulnerability, provides a baseline for tool evaluation, and enables data exchange for cyber security automation.
Rene Ritchie, the editor in chief of iMore, reports that this vulnerability is fixed in all current macOS, watchOS, tvOS and iOS betas.
Until the updates ship, many security blogs recommend using a VPN and sites protected with SSL to safeguard any information transmitted over Wi-Fi.
While SSL does not guarantee data safety from a KRACK attack, it makes it significantly harder. However, KRACK gains access deep enough to possibly access data prior to encryption.