
Android KRACK flaw patched in latest security update

The latest security release from Google patched the Android KRACK vulnerability affecting Wi-Fi's WPA2 protocol, but update confusion leaves users unsure if they are safe.

Google's latest security update included the patch for the Android KRACK Wi-Fi flaw, but it is unclear when users will see the fix rolled out to devices.

When researchers first disclosed the KRACK vulnerability, they made it clear that the attack was "exceptionally devastating against Linux and Android 6.0 or higher" because those systems could be "tricked into (re)installing an all-zero encryption key."

The November security update from Google included the patch for the Android KRACK flaw and fixed the issue for versions 5.0.2 through 8.0 of the mobile OS. However, users have already seen issues with the rollout.

The Android KRACK patch was part of the security patch level 2017-11-06 released by Google, but the November release was also split into patch levels 2017-11-01 and 2017-11-05. Google's own Pixel and Nexus devices were first to receive a rollout, but some users reported getting the 2017-11-05 patch level, which meant the Android KRACK flaw was not fixed.

Users on Twitter expressed confusion about Google pushing the patch level that did not remediate the KRACK vulnerability, and the CopperheadOS Twitter account provided a possible explanation.

"They have the wpa_supplicant patches in the release for Pixels today marked EMR but they appear to have reverted the patch level back to 2017-11-05 so there's probably something missing outside wpa_supplicant," CopperheadOS wrote on Twitter. "It's only in the branch for 2nd generation Pixels so it's not really patched in AOSP when none of the branches has the patches without them being reverted. For most devices, they'll only get it with 2017-12-01."

Android KRACK around the ecosystem

Normally, users have to wait until Google adds a patch to the Android Open Source Project repository before hardware manufacturers can begin work to push the fix, but with the Android KRACK flaw, manufacturers appear to have begun work on a fix before Google did.

Manu Kumar Jain, vice president and managing director at Xiaomi India, announced Xiaomi's patch three days before Google.

Samsung also confirmed its November 2017 security update will include the Android KRACK patch, but the rollout of the update had not yet begun at the time of this post.

The original researchers who discovered KRACK were initially praised for disclosing the issue beforehand to allow major manufacturers time to create patches, but it is unclear when Google was informed of the issue.
