Apple addresses KRACK exploits in iOS and macOS updates

News by Robert Abel

Apple has finally addressed the KRACK vulnerabilities in its latest macOS High Sierra, Sierra, El Capitan, iOS 11.1, tvOS and watchOS.


Discovered last month, KRACK (Key Reinstallation AttaCKs) is a series of related vulnerabilities that affect every device using WPA2 encryption and could allow nearby attackers to intercept and steal data transmitted across a Wi-Fi network.

The latest iOS update includes patches for 13 bugs in WebKit, and other fixes in the kernel, iMessages, Siri, UIKit, StreamingZip, and CoreText. The macOS updates included several kernel patches, and nearly 90 CVEs were addressed in tcpdump.

Apple also released updates for iCloud for Windows 7.1, iTunes 12.7.1 for Windows, and Safari 11.1.

An attacker would need to be within Wi-Fi range in order to compromise a client. US-CERT encourages users and administrators to review Apple security pages for affected products and apply the necessary updates.

In an email to SC Media UK, Paul Blore, MD at Netmetix, commented that with KRACK being a relatively niche risk for users, businesses need to start looking at the overall bigger picture in terms of how they protect their business and the security measures they have in place. He commented, "WiFi still remains vulnerable but the majority of businesses think that simply because they're using encryption on their WiFi network, that it makes it secure – it doesn't.

"Whilst unnerving for businesses, the recent KRACK flaw within the design of WPA2 wireless protocol has exposed a very specific risk that would allow a hacker to effectively decrypt the WiFi encryption; it doesn't necessarily present a significant risk to users.

"Any secure websites such as banking, or online retailing, use an additional browser encryption layer over and above the WiFi WPA2 encryption and this has been unaffected by the exposed vulnerability.

"It is highly likely that the IT security industry has known about this vulnerability for some time and we can expect to see software patches and updates from the manufacturers to address the problem in the coming days.

"What presents a much bigger and immediate threat for WiFi users are the more general vulnerabilities that are inherent with WiFi communications, such as 'man in the middle' attacks, whereby a hacker sits in the vicinity of the wireless network to masquerade as a legitimate wireless access point and then eavesdrop on those unsecured connections – also known as 'drive-by attacks'. The tools required to launch a man-in-the-middle attack are readily and cheaply available off the internet and don't require specialist skills to use."

Blore concludes, "A key issue is that many businesses still see IT as a tactical overhead rather than a strategic decision that is vital to the success of their business. SMEs, in particular, can often feel they are too small a fish to fry for hackers to target but fundamentally, if data is valuable to a business, then it's going to be valuable to the hackers. Cost-effective measures are available to foil the vast majority of attacks and cloud computing can be a very significant and cost-effective weapon in your armoury."
