On December 12, Apple released a pair of AirPort firmware updates to close the WPA2 key reinstallation attack vulnerability. The vulnerability was first publicly announced in October, after vendors had been alerted to it much earlier in the year.
Apple AirPort Extreme/AirPort Time Capsule base station firmware version 7.7.9 and AirPort Express firmware 7.6.9 both include the patch that protects against the WPA2 key reinstallation attack. The Common Vulnerabilities and Exposures (CVE) numbers that these patches address are CVE-2017-9417, CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080.
The AirPort firmware updates can be applied using the iOS AirPort Utility, available for free from the Apple iOS App Store. If you have an Apple AirPort running in your home or office, you need to update it right away to close this serious vulnerability.
About this time last year, I wrote about my doubling-down on Apple AirPort hardware in the face of media reports (aka: rumors) that Apple had abandoned the AirPort product line. I still hold that there are much better Wi-Fi solutions available today, even for die-hard Apple fans like us. The Wirecutter (https://thewirecutter.com/reviews/best-wi-fi-mesh-networking-kits/) has a very good review of mesh network Wi-Fi devices from vendors such as Eero and Netgear. You really should be running them over Apple’s AirPort at this point. Still, despite Apple reportedly walking away from AirPort, as a customer, I am glad that Apple took on the task of releasing a pair of security updates for the aging devices. It seems only fair to customers, since Apple is still selling the AirPort hardware online and in retail stores.
What About My Other Apple Gear?
Apple updated iOS 11, macOS, watchOS, and tvOS back in October. If you are running iOS 11.1, watchOS 4.1, tvOS 11.1, or the latest versions of macOS High Sierra 10.13, Sierra 10.12, or El Capitan 10.11, you have already installed the WPA2 patch. Use the Software Update feature of these operating systems to verify that you are up-to-date or install the latest software releases if need be.
If you are still running macOS/OS X Mavericks 10.10, you should consider upgrading to High Sierra to gain the WPA2 patch. Mavericks and earlier versions of macOS will not be patched.
What About Everything Else?
The WPA2 key reinstallation vulnerability is not specific to Apple hardware and software. It is a flaw in the WPA2 system itself. Thankfully, the flaw can be fixed with software. What that means, though, is that to improve your chances of being protected against attacks using the WPA2 vulnerability, you must patch all of your Wi-Fi equipment, including routers/modems, smart devices (e.g., light bulbs, switches, and cameras), TVs, Blu-ray players, and gaming consoles.
Learning More About the WPA2 Vulnerability
To learn more about the KRACK WPA2 key reinstallation vulnerability, and to see just how catastrophic the vulnerability can be, see Mathy Vanhoef’s summary website and Krebs’ What You Should Know About the ‘KRACK’ WiFi Security Weakness blog post.