
kr00k – Billions of Wi-Fi devices affected by encryption vulnerability

The IT security researchers at ESET have disclosed a new vulnerability named Kr00k [PDF] in FullMAC WLAN chips manufactured by Broadcom and Cypress.

Tracked as CVE-2019-15126, the vulnerability places over a billion devices at risk, including popular ones such as Amazon Echo, Apple’s suite of devices, Google Nexus, Samsung Galaxy and other portable devices. The complete list of devices tested inside ESET’s lab is as follows:

• Amazon Echo 2nd gen
• Amazon Kindle 8th gen
• Apple iPad mini 2
• Apple iPhone 6, 6S, 8, XR
• Apple MacBook Air Retina 13-inch 2018
• Google Nexus 5
• Google Nexus 6
• Google Nexus 6S
• Raspberry Pi 3
• Samsung Galaxy S4 GT-I9505
• Samsung Galaxy S8
• Xiaomi Redmi 3S



The vulnerability lets attackers intercept someone’s network packets on a Wi-Fi network that they are physically close to and then decrypt them to access the data contained within, even though it is uncertain what this data would comprise.

Example of captured WLAN traffic that was divulged due to the Kr00k vulnerability – Image credit: ESET

It is important to note, though, that attackers do not need to be connected to your Wi-Fi network itself. For a device to be vulnerable, it needs to be using WPA2 (Wi-Fi Protected Access), either the Personal or the Enterprise protocol, with CCMP encryption.

As for other protocols such as WEP, WPA-TKIP and WPA3, the researchers have stated that they did not focus on them, so their status in relation to this vulnerability is not known at the moment, although it is believed that WPA3 is secure.

Furthermore, since the Wi-Fi layer is being targeted, all communication on the TLS layer is safe, including online banking or any other “website prefixed with HTTPS.”


To delve into the specific operations, attackers wait for the user to disconnect their device from the Wi-Fi network or rather “trigger” them to do so. Once done, the vulnerable Wi-Fi chip sets the session key to zero by clearing it in the memory. Usually, this would result in all data transmission being halted. However, in this case, the chip still transmits any data within its buffer using an all-zero encryption key.

ESET’s report depicting the disassociation process and the aftermath.
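The ordering problem described above, modeled as an added example (not code from ESET or the chip vendors). The struct, the function names and the hardened ordering are assumptions; the model only records which key is installed when each buffered frame is sent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 16

/* Hypothetical model of a FullMAC chip's transmit state (illustrative names). */
struct wifi_chip {
    uint8_t tk[KEY_LEN];    /* installed session key */
    int queued;             /* frames waiting in the TX buffer */
    int sent_zero_key;      /* frames that left under an all-zero key */
};

static int key_is_zero(const uint8_t *k) {
    uint8_t acc = 0;
    for (int i = 0; i < KEY_LEN; i++) acc |= k[i];
    return acc == 0;
}

/* Send each buffered frame under the key installed at that moment (real chips run AES-CCMP here). */
static void flush_tx(struct wifi_chip *c) {
    for (; c->queued > 0; c->queued--)
        if (key_is_zero(c->tk)) c->sent_zero_key++;
}

/* Ordering the article describes: key cleared, buffer still transmitted. */
void disassoc_vulnerable(struct wifi_chip *c) {
    memset(c->tk, 0, KEY_LEN);
    flush_tx(c);
}

/* Assumed hardened ordering: drop buffered frames before clearing the key. */
void disassoc_hardened(struct wifi_chip *c) {
    c->queued = 0;
    memset(c->tk, 0, KEY_LEN);
    flush_tx(c);
}

/* Disassociate with n frames buffered; return how many went out zero-keyed. */
int frames_exposed(void (*handler)(struct wifi_chip *), int n) {
    struct wifi_chip c = {{0}, n, 0};
    memset(c.tk, 0xA5, KEY_LEN);   /* constructed non-zero session key */
    handler(&c);
    return c.sent_zero_key;
}

int main(void) {
    printf("%d %d\n", frames_exposed(disassoc_vulnerable, 5), frames_exposed(disassoc_hardened, 5));
    return 0;
}
```

A firmware regression test can assert the same invariant: no frame leaves the transmit path after the session key has been zeroed.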

Nonetheless, even if your device may be compromised, it does not mean that your Wi-Fi password has been revealed as well. Additionally, we can also see similarities between this flaw and others that have been discovered before. To quote an example from the finders themselves, KRACK (Key Reinstallation Attacks) discovered back in 2017 was also exploiting vulnerabilities in WPA2 along with working towards the “unauthorized decryption of data.”



To conclude, currently, this vulnerability has been disclosed to all manufacturers whose devices may be at risk and patches are already being released.

However, even if you patch your device, as the aforementioned manufacturers and other brands have released security updates and advisory reports, you can still be at risk of an attack, since Kr00k can also be exploited through vulnerable access points and routers.

More specifically, through lab testing, the team was able to confirm the following routers to be vulnerable:

  • Asus RT-N12
  • Huawei B612S-25d
  • Huawei EchoLife HG8245H
  • Huawei E5577Cs-321

As a user, this means that you should update your devices, at the software level for some and at the firmware level for others such as IoT devices and routers, to make sure you’re protected from all sides. Manufacturers, on the other hand, should regularly check with both chip makers, Broadcom and Cypress, to make sure their users are not left vulnerable in the foreseeable future.
