Now-Fixed WiFi Vulnerability Left Apple Devices Open to Attack

A vulnerability in WiFi chips made by Cypress Semiconductor and Broadcom left billions of devices susceptible to an attack that allowed nearby attackers to decrypt sensitive data sent over the air.


The security flaw was detailed at the RSA security conference today (via Ars Technica), and for Apple users, the issue was addressed in the iOS 13.2 and macOS 10.15.1 updates that were released back in late October.

Dubbed Kr00k, the WiFi chip flaw caused vulnerable devices to use an all-zero encryption key to encrypt part of a user's communications. When applied successfully, the attack let hackers decrypt some wireless network packets sent by a vulnerable device. As described by Ars Technica:

Kr00k exploits a weakness that occurs when wireless devices disassociate from a wireless access point. If either the end-user device or the access point is vulnerable, it will put any unsent data frames into a transmit buffer and then send them over the air. Rather than encrypt this data with the session key negotiated earlier and used during the normal connection, vulnerable devices use a key consisting of all zeros, a move that makes decryption trivial.

Chips from Broadcom and Cypress are used in many modern WiFi devices like smartphones, laptops, Internet of Things products, WiFi access points, and routers.

Our tests confirmed that prior to patching, some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were vulnerable to KrØØk. This totaled to over a billion Wi-Fi-capable devices and access points, at a conservative estimate. Further, many other vendors whose products we did not test also use the affected chipsets in their devices.

According to ESET Research, which published details on the vulnerability, it was disclosed to Broadcom and Cypress along with potentially affected parties. At this time, patches for devices from most major manufacturers have been released.

ESET Research recommends making sure all of the latest updates have been applied to WiFi capable devices to patch the vulnerability.

Top Rated Comments

(View all)
Avatar
8 months ago
Anybody know if it's fixed in Mojave 10.14.6 ?
Score: 5 Votes (Like | Disagree)
Avatar
8 months ago
but we were assured that iOS devices were secure...
Score: 5 Votes (Like | Disagree)
Avatar
8 months ago


They are as secure as anything else. But Apple designs some of their chips, they don't make them. Contractors do. So the vulnerabilities can still be introduced into the supply chain through the same vector; chip providers... just like the vulnerabilities can be introduced by Apple themselves... or the chip makers suppliers... or...

Most of this stuff is scarier in theory than in practice.

It would be very unlikely for a vulnerability that does not exist in the design to exist in the manufactured silicon. When we design chips, and have them made, we test them extremely thoroughly to make sure they behave identically to the RTL and simulated netlist.

And since the manufacturer does not have a simulate-able netlist, it would be very difficult to introduce intentional flaws while still maintaining full functionality so as to fool this testing.
Score: 4 Votes (Like | Disagree)
Avatar
8 months ago


Anybody know if it's fixed in Mojave 10.14.6 ?

it's not there, no problem with Mojave and WiFi..

why the angry faces? Apple hasn’t confirmed it, so there’s no problem..
Score: 4 Votes (Like | Disagree)
Avatar
8 months ago


this is why you keep your devices updated because of security risks - most people forget that

Yeah, well, if they make new versions compatible with old software, I can do that, but I'm not spending ten grand to move to Catalina.
Score: 3 Votes (Like | Disagree)
Avatar
8 months ago


No we were assured that “what happens on the iPhone stays in the iPhone” and “it just works”.

I never understood the “ what happens on my iPhone stays on my iPhone” campaign.
Doesnt make much sense to me when I rely on iCloud so much.
Score: 3 Votes (Like | Disagree)

Top Stories

When Will the iPhone 12 Launch? Here's What We Know

Wednesday September 16, 2020 6:12 am PDT by
Yesterday's "Time Flies" Apple event saw the release of the Apple Watch Series 6, Apple Watch SE, iPad 8, and iPad Air 4, but no new iPhone models. Rumors before the event strongly alleged that it would not see the unveiling of new iPhones, with many reports pointing to an October launch. The lack of new iPhone models yesterday seems to confirm that the iPhone 12 lineup will not appear...

iOS 14 Picture in Picture No Longer Working With YouTube's Mobile Website in Safari [Without Premium]

Friday September 18, 2020 12:21 pm PDT by
Apple in iOS 14 added Picture in Picture to the iPhone, a feature designed to let you watch a video in a small screen on your device while you continue to do other things on the phone. When Picture in Picture was working with YouTube The YouTube app doesn't support Picture in Picture, but up until yesterday there was a functional workaround that allowed videos from YouTube.com to be watched...

Hands-On With the New Apple Watch Series 6 and Apple Watch SE

Friday September 18, 2020 1:19 pm PDT by
Today's the official launch date for the Apple Watch Series 6 and the Apple Watch SE, both of which Apple announced on Tuesday. We picked up a couple of the new models and thought we'd give them a quick look for MacRumors readers thinking of ordering a new watch. Apple Watch Series 6 & Apple Watch SE Hands-On! When it comes to design, both the $399 Series 6 and the $279 SE look just like...

Here's How You Can Download iOS 14 and iPadOS 14 Around the World [It's Out]

Wednesday September 16, 2020 2:36 am PDT by
Apple's official public release of iOS 14 and iPadOS 14 dropped on Wednesday, September 16, just a day after the company released the Golden Master to third-party developers. Also set to be made available to the general public for the first time are watchOS 7 and tvOS 14. Getting Started With iOS 14 Video Click image to watch iOS 14 Getting Started While that's left a lot of developers...

Apple Releases iOS 14 and iPadOS 14 With Home Screen Redesign, App Library, Compact UI, Translate App, Scribble Support, App Clips, and More

Wednesday September 16, 2020 12:48 pm PDT by
Apple has released iOS 14 and iPadOS 14, the newest operating system updates designed for the iPhone and iPad. As with all of Apple's software updates, iOS 14 and iPadOS 14 can be downloaded for free. iOS 14 is available on the iPhone 6s and later, while iPadOS 14 is available on the iPad Air 2 and later. The updates are available on all eligible devices over-the-air in the Settings app. To ...

iOS 14.2 Beta Adds New Shazam Music Recognition Feature for Control Center

Thursday September 17, 2020 3:36 pm PDT by
Apple today released the first beta of iOS 14.2 to developers for testing purposes, and the new update introduces a Music Recognition control for the Control Center. The new feature lets you discover music playing around you and it recognizes the music playing with in apps, even when you're wearing AirPods. Songs pop up as notifications, and you can tap to listen in Apple Music....

Apple Updates AirPods 2 and AirPods Pro Firmware to Version 3A283

Monday September 14, 2020 11:24 am PDT by
Apple today released new 3A283 firmware updates for the second-generation AirPods and the AirPods Pro. The second-generation AirPods are being updated from the 2D15 firmware they were previously running, while the AirPods Pros are being updated from the 2D27 firmware they had installed previously. Apple does not provide details on what's included in refreshed firmware so we don't know what's ...

Rumor Report Card: Assessing the Accuracy of Leaks After Apple's Event

Friday September 18, 2020 12:57 pm PDT by
Apple hosted its virtual "Time Flies" event this week, where it introduced four new products, including the Apple Watch Series 6, lower-cost Apple Watch SE, a 10.9-inch iPad Air with an all-screen design, and an updated 10.2-inch iPad with a faster A12 Bionic chip. As expected, there were no new iPhones, which are believed to be coming in October instead. Apple also announced that it will be ...

Epic Games Announces 'Fortnite: Save the World' Will No Longer Be Playable on macOS

Friday September 18, 2020 4:50 am PDT by
Epic Games has announced that "Fortnite: Save the World" will no longer be playable on macOS, after Apple terminated Epic Games' developer account. Fortnite has been in violation of the ‌App Store‌ rules since August 13, when it introduced a direct payment option that skirted Apple's in-app purchase system by allowing payments directly to ‌Epic Games‌. Shortly after Epic blatantly...

Deals: Cellular Carriers Introduce First Offers on Apple Watch Series 6 and SE

Friday September 18, 2020 7:43 am PDT by
With the launch of the Apple Watch Series 6 and Apple Watch SE today, cellular carriers have now introduced special offers for these new wearable devices. Note: MacRumors is an affiliate partner with these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. Starting with AT&T, if you buy one Apple Watch Series 3, Series...