KRACK update 1: Fix available for all customers Posted on October 16, 2017 November 9, 2017 UPDATE (10/17/17, 6:00pm PT): eeroOS version 3.5, which includes a patch for the KRACK vulnerability, is now available to all eero customers via an in-app OTA update, as well as through our rolling automatic updates. Google has released a new security patch to make Android devices fool-proof against the KRACK exploit which affected around 41% of Android devices. KRACK attack takes advantage of critical WPA2.
Google has published this month's Android security bulletin, and the company provided a fix for the KRACK vulnerability that came to light last month.
The Android Security Bulletin for November 2017 is split as three separate packages — 2017-11-01, 2017-11-05, and 2017-11-06. The KRACK fixes are included in the latter — 2017-11-06.
If your phone receives the update and the security patch level is 2017-11-06, the KRACK fixes are also included.
Google last major vendor to patch KRACK bugs
Discovered by Mathy Vanhoef, a researcher from the University of Leuven (KU Leuven), the KRACK vulnerability affects the WPA2 WiFi protocol. It allows attackers to forcibly reinstall connection keys and intercept a user's WPA2-protected WiFi traffic.
Many vendors were notified of the vulnerability in advance, including Google, and most provided fixes and workarounds when Vanhoef went public with his research.
Google is among the last major vendors to deliver KRACK fixes. This is in contrast with Microsoft, which silently deployed KRACK fixes to Windows users without telling anyone, a month before the vulnerability became public.
Krack Attack
Apple released KRACK patches at the end of October, as part of iOS 11.1 & macOS High Sierra 10.13.1.
Users can detect devices vulnerable to KRACK attacks with tools and proof-of-concept code Vanhoef released via his GitHub account, or via this third-party-developed toolkit named KRACK Detector.
Other bugs fixed in the November 2017 Android Security Bulletin
Besides the KRACK fixes, Google also patched other security bugs as part of the November 2017 Android Security Bulletin.
These include five remote code execution bugs in the Media framework that allow attackers to take over devices via malformed multimedia files (CVE-2017-0832, CVE-2017-0833, CVE-2017-0834, CVE-2017-0835, CVE-2017-0836).
In addition, the security bulletin also includes fixes for six bugs reported by security researcher Scotty Bauer. The bugs (also remote code execution flaws) affect the Qualcomm WLAN component and are described in more detph in a website Bauer has set up specifically for this purpose, here.
Krack Patch 2018
Users who don't receive over-the-air updates from their mobile provider or phone vendor can download updated OS images from the Android project's homepage. Just be aware that flashing the phone and installing the updated OS version is a very complex task, one that often ends up in inexperienced users bricking their phones.