Information Security, Top News

Apple fills the KRACK on iPhones – at last



Remember KRACK, short for Key Reinstallation Attack?

Nearly two months ago, it was all over the news – what we jocularly call a BWAIN, short for “bug with an impressive name” – because it exposed a cryptographic weakness in WPA, the Wi-Fi encryption protocol that is used to secure most of the world’s wireless networks.

Very greatly simplified, KRACK involved tricking a wireless access point into sending the first two packets of a session scrambled with the same encryption key, with the result that if you knew the content of one of the packets, you could figure out the other.

KRACK wasn’t the end of the world as we know it (we happily reported that Wi-Fi was still safe to use), but it was worth patching against – encrypted Wi-Fi connections aren’t supposed to leak any data, and that’s that.

Apple, amongst others, put out a patch pretty quickly for iPhone users, as we reported in early November 2017…

…but there was a twist in the fix, because it wasn’t for everyone:

According to Apple’s official support documentation, the [02 November 2017] KRACK fix only applies to iPhone 7s, iPad Pro 9.7 (early 2016) and later.

We don’t know why the KRACK patch is only being made available for newer iDevices only – it’s possible a fix for earlier devices is still in the works, or perhaps Apple has determined that these older versions aren’t vulnerable to KRACK at all.



Either way, if you’re a pre-7 iPhone user, keep your eyes peeled for an update from Apple just in case.

Well, the wait is now over, because Apple’s latest round of updates includes iOS 11.2, and that officially (and at last) includes KRACK-related patches for the devices that were left out last time:

Wi-Fi.

Available for: iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation. (Released for iPhone 7 and later and iPad Pro 9.7-inch (early 2016) and later in iOS 11.1.)

Impact: An attacker in Wi-Fi range may force nonce reuse in WPA multicast/GTK clients (Key Reinstallation Attacks – KRACK)

As it happens, numerous other security holes were closed in the iOS 11.2 update, including four vulnerabilities listed as “may be able to execute arbitrary code with kernel privileges”, which is about as close to “good for a full jailbreak and takeover” as you’re likely to hear from Apple.

By the way, macOS goes to High Sierra 10.13.2 in the same tranche of updates, with three “may be able to execute arbitrary code with kernel privileges” fixed for Mac users, too.

Get ’em as soon as you can.

Use Settings | General | Software Update on an iPhone, and Apple Menu | About This Mac | Software Update... on a Mac.




Source : Naked Security



Previous ArticleNext Article

Founder and Editor-in-Chief of ‘Professional Hackers India’. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.

Leave a Reply