Apple and Google promise security updates to fix Krack Wi-Fi flaw

Apple and Google have promised software updates to patch a critical flaw in Wi-Fi technology that would allow hackers to steal credit card numbers, passwords and private messages from internet users, while Microsoft says it has already issued an update.

The "Krack" vulnerability that emerged on Monday affects potentially every Wi-Fi network in the world and is seen as one of the biggest security scares in years. It sparked a rush of updates from technology companies on Monday, although many had known about it for weeks.

Apple said it had developed updates to iOS and MacOS that were in testing and would be released within weeks. Microsoft said an automatic security update issued last week had fixed the problem for Windows 7, 8 and 10 users.

Google, which develops the Android software that runs on the majority of smartphones, said it would release a patch on November 6. However, since Android manufacturers have to release their own security updates, it may be months until some phones are safe, and others may never be secured.

The Krack vulnerability, uncovered by a Belgian researcher on Monday, exploits a flaw in the way data is secured as it travels over the air between a device like a PC or smartphone and a Wi-Fi router. It forcibly installs a new "key" into the encryption protocol, meaning a hacker within range of the network could decipher information such as passwords and credit card numbers as it travels.

Mathy Vanhoef, the researcher who discovered the vulnerability, warned that it "works against all modern protected Wi-Fi networks".

The software updates should go some way to limiting the security scare, although internet users have also been urged to patch their routers. 

A handful of router manufacturers have issued fixes or promised them, although BT, Sky and Virgin have not yet issued any guidance to customers about how they need to update routers supplied by the companies.

A BT spokesman said: "We’re aware of the issue and we’ll be working with industry to update software as appropriate." 

Virgin Media said: "Our security teams are always alert to any potential issues for our customers." Sky said: "We take the security of our customers extremely seriously and, along with the rest of the industry, are looking into this matter as a priority."
