In October, we reported on a new and dangerous WPA2 WiFi protocol vulnerability known as KRACK (Key Reinstallation Attacks) that disrupts the initial handshake between access points and WiFi devices, allowing attackers to intercept data that’d normally be encrypted. A fix was included in Android’s November security update, but not all devices got it right away. According to Google (via Ars Technica), Nexus and Pixel phones won’t receive it until December.
If you’re the proud owner of a Nexus 5X, Nexus 6P, Google Pixel, Pixel XL, Pixel C, Pixel 2, or Pixel 2 XL, you might notice that your handset has November’s security update installed on it. But it’s a bit misleading — this month’s patch doesn’t include a fix for KRACK.
Why’s that? If you’re not familiar with Android’s monthly security update bulletins, they can be tough to follow. Google typically splits up patches in order to give original equipment manufacturers (OEMs), component vendors, and carriers time to implement them. Normally, one security bulletin at the beginning of the month (01) covers bugs in the Android Open Source Project (AOSP) repository, and a subsequent bulletin on the 5th of the month (05) deals with hardware supplier patches.
In November, Google took the unusual step of issuing a patch for KRACK on the 6th of the month. (You can see the three different security bulletins for November here: November 1st, November 5th, November 6th). Most OEMs roll out security updates that include all patches published on the 1st of the month and before, but Google usually waits a week and adds the patches from the 5th of the month as well. And since Google issues those security updates on the 5th of each month, Nexus and Pixel owners won’t get the KRACK patch until December.
It’s a rather interesting turn of events. Nexus and Pixel devices are usually the first to receive the monthly security patches, and other OEMs have been quicker to respond — fixes have already reached the OnePlus 5, NVIDIA Shield, Essential Phone and even the OnePlus 2. But if you’re running a custom ROM, chances are you’ve gotten the fix early. LineageOS, OmniROM, MIUI 9, and AOSPA have patched against KRACK.
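To check a set of devices against the patch-level split described above, the following added example (not from the original article or from Google) classifies reported "Android security patch level" strings against the November 6th level. It assumes the strings use the YYYY-MM-DD form; the device names and inventory are constructed.

```python
"""Added example: classify Android security patch level strings against the
2017-11-06 level, which the article says is the one carrying the KRACK fix."""
from datetime import date

# Patch level of the bulletin that the article says carried the KRACK fix.
KRACK_PATCH_LEVEL = date(2017, 11, 6)


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level string; return None if malformed."""
    try:
        year, month, day = (int(part) for part in value.strip().split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None


def krack_status(patch_level):
    """Return 'covered', 'not-confirmed' or 'unknown' for one patch level."""
    parsed = parse_patch_level(patch_level)
    if parsed is None:
        return "unknown"
    # A level below 2017-11-06 does not prove the device is exposed: an OEM or
    # custom ROM can ship the fix early without claiming the later level.
    return "covered" if parsed >= KRACK_PATCH_LEVEL else "not-confirmed"


def audit(inventory):
    """Group device names by status. inventory: iterable of (name, level)."""
    report = {"covered": [], "not-confirmed": [], "unknown": []}
    for name, level in inventory:
        report[krack_status(level)].append(name)
    return report


# Constructed sample inventory (not real device data).
SAMPLE = [
    ("pixel-2-xl", "2017-11-05"),
    ("oem-phone", "2017-11-06"),
    ("nexus-5x", "2017-11-01"),
    ("tablet", "2017-12-05"),
    ("kiosk", "unknown"),
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Devices in the "not-confirmed" group need a vendor changelog check rather than an assumption either way, since a 2017-11-05 level, as on the Nexus and Pixel builds discussed here, looks current but predates the KRACK patch.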
Source: Ars Technica