Kr00k vulnerability compromises billions of Wi-Fi devices

Billions of devices using Wi-Fi chips made by Broadcom and Cypress are at risk of being compromised through a serious vulnerability called Kr00k, uncovered by ESET Research threat hunters Miloš Čermák, Robert Lipovský and Štefan Svorenčík, and disclosed at RSA Conference 2020 in San Francisco.

Assigned CVE-2019-15126, Kr00k affects both client devices and Wi-Fi access points (APs), and routers with Broadcom chips. Successful exploitation causes unpatched devices to use an all-zero encryption key to encrypt part of the user’s network communications. If successful, an attacker can decrypt wireless network packets transmitted by a vulnerable device.

ESET testing has confirmed that prior to patching, devices including the Amazon Echo and Kindle, Apple iPhone, iPad and MacBook, Google Nexus, Samsung Galaxy, Raspberry Pi 3, Xiaomi RedMi, and APs made by Asus and Huawei, were all known to be at risk from Kr00k, which is related to, but largely different from, Krack – a vulnerability in the Wi-Fi Protected Access 2 (WPA2) vulnerability, which was discovered in 2017.

At the beginning of the ESET team’s research, they found Kr00k to be one of the possible causes behind the reinstallation of an all-zero encryption key, which they had seen in tests for Krack attacks. This came about after the same team spotted that Amazon Echo devices were still vulnerable to Krack, as previously reported.

 “We responsibly disclosed the vulnerability to chip manufacturers Broadcom and Cypress, who subsequently released updates during an extended disclosure period. We also worked with the Industry Consortium for Advancement of Security on the Internet (ICASI) to ensure that all potentially affected parties – including affected device manufacturers using the vulnerable chips, as well as any other possibly affected chip manufacturers – were aware of Kr00k,” said the team.

“According to our information, patches for devices by major manufacturers have been released by now. To protect yourself, as a user, make sure you have applied the latest available updates to your Wi-Fi-capable devices, including phones, tablets, laptops, IoT devices, and Wi-Fi access points and routers. As a device manufacturer, please inquire about patches for the Kr00k vulnerability directly with your chip manufacturer.”

If Kr00k was to be taken advantage of by cyber criminals in the wild, like Krack, they would need to be within close range of their target’s Wi-Fi network – although they would not need to know its password to take advantage of it. This would seem to suggest that, as with Krack, there are unlikely to have been many, if any, real-world exploitations.

Craig Young, principal security researcher at TripWire, said: “Both attacks [Krack and Kr00k] can potentially allow nearby attackers to gain access to information which should have only been sent after being securely encrypted. In the case of Kr00k, the researchers found that the affected wireless NIC implementations would insecurely send queued data after being disassociated from the network.

“At the end of the day though, although this is a very interesting attack, it is not something to lose sleep over,” he said.

“As shown in the Kr00k publication, most of the sensitive data attackers are likely to obtain is going to additionally be encrypted by TLS as it should be. Vulnerabilities such as Krack, Kr00k or Dragonblood are all excellent reminders of why HTTPS Everywhere is important.”