CVE-2017-13082 WPA2 Vulnerability and Airports

Regarding the WIFI vulnerability outlined in CVE-2017-13082, does anyone know if Apple will be providing a patch to the Airport firmware?

Mac Pro, macOS Sierra (10.12.4)

Posted on Oct 16, 2017 9:24 AM

Question marked as Top-ranking reply

Posted on Oct 17, 2017 6:46 AM

Apple is now being quoted by several tech websites saying they have a patch in beta that will be released in the next few weeks for Apple Watch, iOS, OS X and Apple TV. The AirPort and Time Capsules are not affected by this potential flaw.




Source:

KRACK attack: How Apple, Google, others are responding - CNET





Source

https://www.imore.com/krack


Oct 18, 2017 11:48 AM in response to Wolfpup

Wolfpup wrote:


...What we DON'T know is whether the Airport/Timecapsule are getting patched, hence the point of this thread. As the last updates were from last December, it's unclear whether they're even still supported...although surely they are given Apple's still selling them.

Use the feedback link or call Apple, those are your two and only choices at this time on this forum.


Apple has not officially stated anything at this time, and all we have is unsubstantiated quotes on tech sites and now twitter claiming they are coming from Apple, therefore we have no real proof.


Until then; if-and-when Apple does offer clarity on this subject then we can discuss it here ad nauseam, but since that has not happened you are asking for an answer that can not be answered here, at least at this time.

Oct 16, 2017 11:19 AM in response to Forrest

Hi Forrest,

I was reading the KRACK attack web page for more details. It seems like you can mitigate this problem by ensuring your wifi clients (phones, video players, laptops, computers) are patched. In fact, patching on the client side might be more important in the short term, because the video shows the attack happening by forcing the client to reconnect to a rogue / cloned access point.


The overall patch situation seems messy, though, because wifi clients will include all manner of devices like Roku players, AppleTVs, security cameras, Raspberry Pi's, and whatever else anyone can put a wifi chip onto. In an academic environment, I would also be concerned about Apple devices using wifi and older versions of the OS that might not receive the patch.


Ideally, both wifi routers (and presumably, anything that can share wifi) and clients would be updated.


Personally, I understand your concern and I hope Apple does release a fix for all of their devices. I also submitted feedback through the product link.

Oct 17, 2017 6:39 AM in response to Forrest

Forrest wrote:


I provided them feedback, with our business contact information (thank you). Hopefully they will respond directly; I work in a large *.edu environment, where we use a lot of Apple products.

Apple doesn't respond to feedback given on the feedback page. They're pretty clear about that. If you need to speak to Apple directly, use the Contact Support link at the top right of every page.

Oct 17, 2017 10:40 AM in response to Bob Timmons

Well, it's not really "rumor or speculation" that Apple's supported devices are getting patched quickly.


What's unknown is when or if the routers are getting patched.


The claim that they don't need to be updated seems dubious and is outsourced. IMO it's unlikely they don't need patches, and worrying that there's been no mention from Apple along with their other products.

Oct 18, 2017 11:13 AM in response to JimmyCMPIT

We already know because the companies have already told us that Windows was patched last week, ahead of the announcement, and MacOS, iOS, WatchOS, TVOS all already have patches in the current public betas, so will be coming soon.

What we DON'T know is whether the Airport/Timecapsule are getting patched, hence the point of this thread. As the last updates were from last December, it's unclear whether they're even still supported...although surely they are given Apple's still selling them.

Oct 17, 2017 6:31 AM in response to sparks212

Yeah, I heard that about Apple's router team too, and it's left me confused as to whether they're actually supporting it or not...and then the last update was in December.


Regarding Google's Wifi/Onhub, it's been getting updates roughly bimonthly. No idea how long they'll support it for, since it seems like these companies randomly dump products, but for now it's probably among the most secure there is. Android of course is a disaster since (unless you buy a Pixel, which makes up <1% of the market) you're never getting timely security updates if you get them at all. EVERY other Android device SHOULD get 0/10 from every review site. People don't understand the issue, which drives me nuts.

Oct 17, 2017 7:25 AM in response to IdrisSeabright

I've seen numerous posts from users complaining about functionalities or asking for new features, and the common response is, "this is a user-to-user forum. Don't complain here. Tell Apple directly."


Maybe I'm misstating it - "Tell Apple you are concerned about this issue by using the feedback form."


Whether or not Apple responds to individuals through the feedback form is one matter. Whether or not they receive a lot of feedback expressing concern over a topic is another matter.


Otherwise, all of those "this is a user forum, don't complain here, tell Apple directly" posts are all bogus.

Oct 17, 2017 8:12 AM in response to sparks212

sparks212 wrote:


...Otherwise, all of those "this is a user forum, don't complain here, tell Apple directly" posts are all bogus.


That's so incorrect it's seriously laughable. Outside of hosting this site; unless you are one of the hundreds of random posts with a community specialist offering a boilerplate Apple.Com link, or your post is reported as a violation of the TOS and edited/deleted, that is the extent of what "Apple" listens to here.


Apple has a URL to tell them directly, it's apple.com/feedback

but don't waste other people's time by claiming this is where to do it or that feedback site is bogus because Apple does not respond.

I have been told numerous times by Apple employees that Apple does read the feedback despite not responding to it but you can choose to believe that or not, but that will not make it true or false.


Apple developers will respond directly on developer.apple.com, but this is for bug reporting, not general securities flaw updates.

Oct 17, 2017 8:27 AM in response to Wolfpup

If sites can not post definite posts directly from Apple then we can not pursue guessing or commenting on Apple policy here without violating the TOS we all agreed to when we signed up to use support.apple.com


There are plenty of other forums on the internet that would welcome those points, but this is not the one to pursue it.

Apple Support Communities Use Agreement

Oct 17, 2017 10:10 AM in response to Wolfpup

*****

The reality is that Apple does in fact monitor these forums. I've been contacted directly by Apple in response to another issue that originated here in discussions. If you think about it, this forum is a valuable resource for Apple to gather data about user experience, bugs, and other issues. I'm glad they pay attention; our participation here helps continue to make Apple products the best out there.


To the original thread I posted: I understand the issue has been fixed in beta releases of MacOS, tvOS, iOS, watchOS; but, that Airport Extremes/Time Capsules may not be vulnerable to the attack -- though I'm not sure I have the time to test the latter point :-)


<Edited by Host>

Oct 17, 2017 10:34 AM in response to Forrest

Please let us know when Apple responds to your latest feedback.


I understand the issue has been fixed in beta releases of MacOS, tvOS, iOS, watchOS; but, that Airport Extremes/Time Capsules may not be vulnerable to the attack

And that "information" is based on what someone else claims that they understood when they talked to someone at Apple that they cannot identify.


When Apple provides an official statement, we'll all know. In the meantime, you are working from rumor and speculation. In the meantime, you can certainly believe what you wish.

Oct 17, 2017 12:22 PM in response to Bob Timmons

Bob,

Take a look upthread to Jimmy who posted the statement from the iMore article that says Airport routers are not affected.


My previous post, which was censored because of "speculative" content, specifically addresses how the iMore statement is, itself, speculative.


On these grounds, Jimmy's post should be removed as well, because a tiny bit of research shows that the quoted statement is also without any official statement from Apple.

Oct 17, 2017 1:47 PM in response to Wolfpup

Wolfpup wrote:


Okay, but that has nothing to do with this issue. At present, there's no evidence Apple's made any comment about the Airport, and there's no reason to believe it's not vulnerable, since this is a fundamental problem with WPA2 itself.


Ergo I'm not taking the word of that guy on that one site who claims it with no evidence.

and I would not expect you to, but from what I've been reading on a number of tech sites if this proof of concept attack suddenly goes wild then Android can expect the bulk of its wrath.


It's possible current versions of OS and OS X are already patched but I'm only offering this as Apple is intentionally vague in descriptions of their securities patch features. If they did patch they might not be inclined to tell us, and that is not dragging their policy before a judge, it is historically how they roll them out.
