Apple Says ‘KRACK’ Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore's Rene Ritchie this morning.

The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.

A KRACK attack proof-of-concept from security researcher Mathy Vanhoef

Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads.

Using a key reinstallation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic and sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software.

Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue.

Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection.

Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android. The vulnerability relies on a flaw that allows what's supposed to be a single-use encryption key to be resent and reused more than once, something the iOS operating system does not allow, but there's still a partial vulnerability.

Once patched, devices running iOS, macOS, tvOS, and watchOS cannot be exploited using the KRACK method, even when connected to a router or access point that is still vulnerable. Still, consumers should watch for firmware updates for all of their devices, including routers.

Ahead of the release of the update that addresses the vulnerabilities, customers who are concerned about attacks should avoid public Wi-Fi networks, use Ethernet where possible, and use a VPN.



Major Wi-Fi Vulnerabilities Uncovered Put Millions of Devices at Risk, Including Macs and iPhones

Mathy Vanhoef, a postdoctoral researcher at Belgian university KU Leuven, has discovered and disclosed major vulnerabilities in the WPA2 protocol that secures all modern protected Wi-Fi networks.


Vanhoef said an attacker within range of a victim can exploit these weaknesses using so-called KRACKs, or key reinstallation attacks, which can result in any data or information that the victim transmits being decrypted. Attackers can eavesdrop on network traffic on both private and public networks.

As explained by Ars Technica, the primary attack exploits a four-way handshake that is used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.

As a result, attackers can potentially intercept sensitive information, such as credit card numbers, passwords, emails, and photos. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.

Note that the attacks do not recover the password of any Wi-Fi network, according to Vanhoef. They also do not recover any parts of the fresh encryption key that is negotiated during the four-way handshake.

Websites properly configured with HTTPS have an additional layer of protection, as all communications between the browser and the website are encrypted, but Vanhoef warned many can still be bypassed.

Since the vulnerabilities exist in the Wi-Fi standard itself, nearly any router and device that supports Wi-Fi is likely affected, including Macs and iOS devices. Android and Linux devices are particularly vulnerable since they can be tricked into installing an all-zero encryption key instead of reinstalling the real key.

This vulnerability appears to be caused by a remark in the Wi-Fi standard that suggests to clear the encryption key from memory once it has been installed for the first time. When the client now receives a retransmitted message 3 of the 4-way handshake, it will reinstall the now-cleared encryption key, effectively installing an all-zero key.

As a proof-of-concept, Vanhoef executed a key reinstallation attack against an Android smartphone. In the video demonstration below, the attacker is able to decrypt all data that the victim transmits.


iOS devices are vulnerable to attacks against the group key handshake, but they are not vulnerable to the key reinstallation attack.

Fortunately, the vulnerabilities can be patched, and in a backwards-compatible manner. In other words, a patched client like a smartphone can still communicate with an un-patched access point like a router.
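The key reinstallation behaviour and the client-side fix described above, as an added toy model in Python (not Vanhoef's code or any vendor's patch). The `Client` class, the SHA-256 keystream standing in for the real cipher, the session key, and the two frames are all constructed assumptions; the point is what happens to the nonce counter and the installed key when message 3 arrives a second time.

```python
import hashlib

ZERO_KEY = bytes(16)

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy keystream derived from (key, nonce); a stand-in for the real cipher.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(
            key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a client handling message 3 of the handshake."""

    def __init__(self, session_key: bytes, patched: bool, clears_key: bool):
        self.handshake_key = session_key  # copy held by the handshake code
        self.installed_key = None         # key the data path encrypts with
        self.nonce = 0
        self.patched = patched
        self.clears_key = clears_key      # the all-zero-key behaviour

    def on_message3(self) -> None:
        if self.patched and self.installed_key is not None:
            return  # fix: a retransmitted message 3 never reinstalls the key
        self.installed_key = self.handshake_key
        self.nonce = 0                    # installing a key resets the counter
        if self.clears_key:
            self.handshake_key = ZERO_KEY  # cleared from memory after install

    def send(self, plaintext: bytes):
        self.nonce += 1
        ks = keystream(self.installed_key, self.nonce, len(plaintext))
        return self.nonce, xor(plaintext, ks)

def run(patched: bool, clears_key: bool = False) -> dict:
    key = bytes(range(1, 17))                       # constructed session key
    p1, p2 = b"constructed frame A", b"constructed frame B"
    client = Client(key, patched, clears_key)
    client.on_message3()                            # first delivery
    n1, c1 = client.send(p1)
    client.on_message3()                            # retransmitted message 3
    n2, c2 = client.send(p2)
    return {
        "nonce_reused": n1 == n2,
        # With the same key and nonce the keystream drops out of c1 XOR c2.
        "keystream_cancels": xor(c1, c2) == xor(p1, p2),
        "zero_key_installed": client.installed_key == ZERO_KEY,
    }

if __name__ == "__main__":
    for label, args in [("unpatched", (False, False)),
                        ("unpatched, clears key", (False, True)),
                        ("patched", (True, True))]:
        print(label, run(*args))
```
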

Vanhoef said he began disclosing the vulnerabilities to vendors in July. US-CERT, short for the United States Computer Emergency Readiness Team, sent out a broad notification to vendors in late August. It is now up to device and router manufacturers to release any necessary security or firmware updates.

Despite the vulnerabilities, Vanhoef says the public should still use WPA2 while waiting for patches. In the meantime, steps users can take to mitigate their threat level include using a VPN, using a wired Ethernet connection where possible, and avoiding public Wi-Fi networks.

Vanhoef is presenting his research behind the attack at both the Black Hat Europe and Computer and Communications Security conferences in early November. His detailed research paper (PDF) is available today.



Wi-Fi Mesh System Luma Launches $5/Month Service With VPN, Priority Tech Support, and More

Similar to devices like Eero and Google Wi-Fi, Luma is a Wi-Fi mesh system that launched in 2015, providing users with whole home Wi-Fi, parental controls, and network security scanning. Today, the company announced a new optional subscription model is coming to its mesh router, called "Luma Guardian," and it introduces a privacy VPN, antivirus software, ISP speed monitoring, and priority tech support for $5 per month.

According to Luma CEO Paul Judge, who spoke with TechCrunch, the reason behind the subscription service is related to all of the security issues that Luma discovered within its customers' networks over the years. Luma Guardian is a way for the company to dedicate time and resources to addressing those issues for the "thousands and thousands" of homes with its mesh Wi-Fi system.

It was also one of the earlier home networking devices to bake IoT security into its system, and as a result, the company spotted security problems in around two-thirds of the “thousands and thousands” of homes that currently sport a Luma.

“We’d been blocking them, and the next step was, how do we go to their devices and clean them up?” Judge tells TechCrunch. “How do we install antivirus and clean up the infections on those devices? For 15 years, we built networking and security equipment for companies. You can have the best equipment in the world, but at the end of the day, they had a team to manage it all. Having someone there who pays attention is key.”

Luma's system already comes with a few security measures, including anti-malware, IoT cyber security, and new device alerts that block potentially untrustworthy devices from connecting to your personal Wi-Fi, and Luma Guardian expands upon those features. This includes a "Stealth Mode" that's enabled through a virtual private network (VPN), allowing users to browse the web privately thanks to encrypted and anonymized web traffic sent between the Luma system, the cloud, and third-party websites.


Antivirus protection is allowed for up to three devices in the new subscription model, through a partnership with Webroot and its SecureAnywhere software, which performs regular scans of the devices to block viruses, malware, ransomware, and any suspicious files. Users will also be able to monitor the speed being granted to them by their internet service provider, with monthly reports in the iOS app to make sure they're getting the speeds they pay for.


Also within the app, users can directly chat with Luma's support staff for any tech-related questions they have about the router or its software. Luma Guardian subscribers also receive a priority support phone number so they can be moved to the front of the line when it comes to getting help from the company's United States-based tech experts on the phone.

Luma owners can sign up for Luma Guardian through the Luma iOS app, and there's a 30-day free trial offer for new subscribers. The Luma router itself is sold on the company's website in a one pack ($149), a two pack ($249), and a three pack ($349). Luma describes the subscription service price as an "introductory" offer of $5/month for the first year, but the company didn't detail how much it might increase by after that period.


Eero Reveals 2nd Gen Router, Wi-Fi Extending ‘Beacon’, Internet Security Service, and iOS App Update

Whole-home Wi-Fi company eero today announced two new pieces of hardware, a refresh to its iOS app, and a new premium internet security service called "eero Plus."

The new, second-generation version of eero is the same size and form factor as the previous version, but includes twice the power according to the company. Simply called eero (2nd generation), the new router includes next-generation mesh network technology, which eero calls "TrueMesh," to ensure that eero can adapt to any home in which it's placed.

eero (2nd generation) and eero Beacon

If users stock their home with three eeros, they can even gain access to tri-band Wi-Fi, which broadcasts on three wireless radio bands simultaneously, generating a multi-user experience that doesn't create lag for anyone in the home. As an example, eero said users will be able to download huge files, run a FaceTime call, or compete in a multiplayer game all at the same time, and the routers will provide the same Wi-Fi quality to each experience without compromise.

Once an eero (1st or 2nd generation) is connected to a network's modem, users will be able to introduce the company's all new eero Beacon into their network. eero Beacon is a full-fledged access point which the company says has 30 percent better performance than the original eero, but the Beacon is built for portability and plugs directly into any wall outlet.

Our vision for eero is to go beyond providing perfect connectivity by adding context and intelligence to our homes. As everything in our homes comes online, and we consume more and more content over the internet, we can imagine services and experiences — whether built by us or partners — relying on eero for WiFi and more. We can even imagine changing everything again, this time with another much bigger idea: that over time eero just might evolve into the underlying operating system for the home of the future.

The company said users can add as many Beacons to their network as they want in order to truly cover their entire home in reliable Wi-Fi. As a bonus, Beacon includes a built-in ambient light sensor that automatically lights up dark hallways and rooms at night, and turns off during the day.

In order to ensure that internet browsing is kept secure, eero has introduced a new subscription service called eero Plus, starting at $9.99/month. It includes the following features:
  • Advanced Security: Blocks you from accidentally accessing millions of sites associated with harmful content, like malware, ransomware, and phishing attacks. Unlike the built-in protections included in your browser or email client, the database of threats eero Plus protects against is automatically updated every single second.
  • Expanded Parental Controls: Lets you filter adult, illegal, and violent content, or enable SafeSearch for specific profiles on your network. eero Plus ensures that as new content is posted, it’s filtered in real time.
  • VIP Support: Gives you priority access to our support team so you don’t have to wait to speak with a WiFi expert.

Along with the hardware additions, eero is also updating its eero home Wi-Fi system iOS app, which it says will launch towards the end of June. The update brings a refreshed user interface and new tools, including a "home-type selector" that allows users to precisely detail the size and shape of their living space so they can get the most out of their eero devices.


The new eeros will use Thread, a low-power wireless protocol that uses IPv6 natively, resulting in more reliability and better encryption. Thread will also result in fewer hubs required by users to be scattered about their homes, and eero promised that over-the-air software updates "means your new eero system comes future-proofed."

One eero sells for $199, while an eero Beacon costs $149 on the company's store. Users can also choose from a few start-up packs to save some money, including a Small Homes pack (1-2 bedrooms) that includes one eero and one eero Beacon at $299, as well as a Most Homes pack (2-4 bedrooms) with one eero and two eero Beacons for $399. A Pro Wi-Fi System -- which fuels tri-band mesh capabilities -- packs in three eeros for $499.

The new devices begin shipping at the end of June, and can be ordered today from eero's website, or retailers like Amazon, Best Buy, Target, and Walmart.


Linksys Debuts Its First 2-in-1 Cable Modem and Wi-Fi Router

Linksys today introduced its first 2-in-1 wireless router and cable modem. The emphasis should be on "cable" in that sentence, as Linksys already sells a handful of routers with built-in DSL modems for internet over a telephone line.


The Linksys CG7500 supports many of the latest wireless standards, including 802.11ac Wi-Fi, IPv6, and beamforming technology. The AC1900-speed router has 3X3 internal dual-band 2.4 GHz and 5 GHz antennas, 24x8 channels, four Gigabit Ethernet ports for high-speed wired connections, and one USB 2.0 port.

The modem is DOCSIS 3.0 certified, meaning it is compatible with Comcast Xfinity and Charter Spectrum in the United States, and many other major cable providers, for internet plans with theoretical speeds of up to 300 Mbps. Linksys says it can be used with 12+ devices at once without any lag or buffering.

2-in-1 modems and routers are often considered worse than a separate router and modem combination, but the CG7500 is worth considering for anyone that wants to stop renting a modem from their cable company. For most people, it'll likely provide good enough Wi-Fi in a medium-sized house or apartment.

Linksys is accepting pre-orders for the CG7500 on its website for $199.97 in the United States. It'll be available from Amazon, Best Buy, B&H, Micro Center, New Egg, Office Depot, Target, Walmart, Fry's, and Meijer on May 15.

Competing 2-in-1 options include the NETGEAR AC1900 Nighthawk for around the same price of $198.99, and the Arris SURFboard SBG6900-AC with a reduced 16x4 channels for a current sale price of $167.99 (regular $199.99).


Google Wifi review: The easiest, cheapest way to fix bad Wi-Fi


I think we can all agree that Wi-Fi routers aren’t sexy devices. Nobody really gets excited over a router, unless maybe if you work in IT. 

And yet, Wi-Fi routers are kind of the rage right now. You see, we all want fast and reliable Wi-Fi in every corner of our home. But networking gear is mostly “meh,” with ugly and cumbersome hardware and sub-par software, often using dated web-based interfaces that might as well require a computer science degree to figure out. 

Google’s OnHub router, which debuted last year, was a good step towards improving Wi-Fi at home, but at $200 it was still too pricey and didn’t really fix bad Wi-Fi in large, multi-room homes.