Apple Update Leaves Users One-Step Forward and One-Step Back

Latest Update Includes KRACK Patch but Comes Alongside News of iOS Zero-day Vulnerability

On November 1st, 2017, Apple released its latest stream of updates for a variety of devices and programs across its product line. First and foremost, the update has a number of security fixes for device programs like Siri and Messenger as well as browser vulnerabilities. Furthermore, there is a full OS update with the unveiling of iOS 11.1.

However, perhaps the most important element of the update is the included patch for the KRACK Wi-Fi vulnerability. Unfortunately though, as the door slammed on one cyber threat, the door for a new one swung open. An iOS Wi-Fi Zero-day vulnerability, also emerged November 1^st, from the annual Mobile Pwn2Own hacking competition. The details aren’t entirely clear, but recent reports state that:

“Tencent Keen Security Lab gets code execution through a Wi-Fi bug and escalates privileges to persist through a reboot.” – Zero Day Initiative

So, needless to say, it’s been a rollercoaster in the Apple security camp this week. To better understand both the good news and the bad, let’s break down exactly what they’ve fixed with the KRACK patch and what’s left to be addressed in light of the iOS Zero-day news.

What They Fixed: Understanding The KRACK Vulnerability

Recently, conversations in the technology and business communities have been dominated by reports of a new cyber threat dubbed KRACK or Key Reinstallation Attack. KRACK has been described as a security flaw in the WPA2 protocol, which could allow criminals to break the encryption between a router and a given device. Once encryption is broken, criminals are able to intercept and interfere with network traffic.

Security vulnerabilities like KRACK can be hard to wrap your head around so here’s a quick breakdown of how KRACK happens:

• Hackers find WPA2-PSK networks that they want to infiltrate and wait for a user to connect. In a modern business world, users connect to Wi-Fi hotspots everywhere – maybe in the office, but often in remote locations like a public park, coffee shop or their parked vehicle.
• As the device works to legitimize the Wi-Fi connection, hackers can quickly interfere and decrypt any traffic being exchanged over Wi-Fi. This means hackers have the power to cause a lot of trouble without being on the network itself. Without an actual connection to the network, hackers take advantage of this vulnerability to intercept, modify or forge data as well as install malicious malware.
• What makes KRACK especially scary is the fact that the security flaw isn’t contained to a specific software program, rather it targets WPA2 Wi-Fi – a widely used protocol that countless business and individuals rely on daily.

Apple’s Next Security Obstacle: What Is a Zero-day Vulnerability?

Zero-day may sound like some kind of apocalyptic blockbuster, but in the tech world, Zero-day is sort of like a hyped-up way of saying “we didn’t know before, but we know now and we’re working on it.” In short, Zero-day signifies the initial day that companies, like Apple, are made aware of security glitches that, up until that point, had been unknown. That means, if something is described as a 30-day vulnerability, Apple has known about it for 30 days, and so on.

The closer a security glitch is the Zero-day mark, the more successful hackers are at exploiting the threat. Developing patches and fixes to bugs take time, and when cybercriminals and scammers are in the know about Zero-day vulnerabilities, they become serious threats to an organization’s network security.

Apple Security Response: Latest Update Patches KRACK Vulnerabilities and Puts Timeline on Zero-Day

So, for Apple this week has meant some problems solved and others just were begun. Luckily, included in this iOS 11.1 update is a fix for the Wi-Fi-related vulnerability known as KRACK which is available for some – but not all – iOS devices. According to Apple’s official support documentation, the KRACK fix only applies for new iDevices, launched in early 2016 and later.

It’s unclear why the KRACK patch is only being made available for newer iDevices only, but it’s possible a fix for earlier devices is still in the works, or perhaps Apple has determined older versions aren’t vulnerable to KRACK at all. Either way, if any of your team members use a pre-7 iPhone, have them on alert an additional update from Apple just in case. Additionally, any users with an iPhone 5s, iPad Air or later can apply this update. In short, if your Wi-Fi-enabled iDevice can update, you’re strongly encouraged to update asap.

As for the newly identified zero-day vulnerability, Apple is now on a strict timeline to get the bug addressed and have patches released. Tencent Keen Security Lab, a competitive hacking team, earned a cool $110,000 thanks to their discovery of the vulnerability at the Mobile Pwn2Own competition. Apple now has just 90 days to fix the problem lurking on iDevices before details are made public.

As you can see, today’s cybersecurity developments move at lightning speed. Just as one problem is fixed, another presents itself. Companies like Apple are in a constant battle against increasingly sophisticated hackers, looking for OS vulnerabilities. Staying up-to-date on these issues is critical for any business that relies on technology to operate.

Knowing what’s out there and what’s being done to address it is critical to protecting your company’s devices, data and continuity. If the technical talk leaves your head spinning, you’re not alone! Reach out to local IT experts to help get a better grip on what’s putting you and your company at risk.