It’s worth noting that updating the AP doesn’t really change much - it is the clients that need updating. Every phone, every kindle, every laptop…
There isn’t a lot you can do to the access point to mitigate this (well there is one way, but most manufacturers have chosen not to - I believe Aruba has one - but it effectively locks the affected client out of the network).
Nobody is using 802.11r as iOS devices have issues with it, so it’s never switched on.
In a world where people routinely carry around 3 year old cheap phones with no manufacturer support, updates just aint going to happen…
In fairness, this has only become clear later on! When this was first leaked earlier this morning we had very few details.
Yes. And unfortunately due to the way Android works it is very difficult to push out security updates easily. Android 8 I believe has a way to issue OTA security updates bypassing the vendor.
The hundreds of ipad 2s some of our clients use aren’t getting updated either…
The only mitigation is currently to exploit this you have to be on the network… so your home network is probably OK as long as you keep devices clear of malware. University networks, corporate networks, etc… not so much.
Technically google could update wpa_supplicant on the next play services update. That could have a nonzero failure rate in some of the wierder chinese phones though.
