Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/26/2020
10:15 AM
50%
50%

Kr00k Wi-Fi Vulnerability Affected a Billion Devices

Routers and devices with Broadcom and Cypress Wi-Fi chipsets could be forced to sometimes use encryption keys consisting of all zeroes. Now patched, the issue affected a billion devices, including those from Amazon, Apple, Google, and Samsung.

RSA Conference 2020 – San Francisco – A vulnerability in the way that two Wi-Fi chipsets handled network interruptions and encryption keys could have given attackers the ability to decrypt some of the network packets sent by more than a billion common wireless devices and routers — including those from Amazon, Apple, and Samsung, security firm ESET said at the RSA Conference on Wednesday.

Found in late 2018, the vulnerability — dubbed Kr00k and assigned CVE-2019-15126 — can force part of the wireless communication between devices to use all zeroes for the encryption key, allowing the attacker to eavesdrop on a limited amount of wireless data. The National Vulnerability Database assigned the vulnerability a base score of 3.1, which makes it low severity.

"If an attack is successful, several kilobytes of potentially sensitive information can be exposed," Miloš Čermák, the lead ESET researcher into the Kr00k vulnerability, said in a statement. "By repeatedly triggering disassociations, the attacker can capture a number of network packets with potentially sensitive data."

The vulnerability expands on research that ESET over the past 18 months on home Internet of Things devices. In October 2019, the company revealed that older Amazon Echoes and Kindles were vulnerable to the Key Reinstallation Attack, or KRACK — a 2-year-old issue that allows bad actors to perform a man-in-the-middle attack.

The latest attack affects far more devices — more than a billion, according to ESET, including older Amazon Echo devices and Kindles, Apple iPad mini 2, various older Apple iPhones, the Apple MacBook Air, and various Google Nexus smartphones. At least two models of the Samsung Galaxy are affected, as are Raspberry Pi 3 and the Xiaomi Redmi 3S.

In addition, Wi-Fi access points from Asus and Huawei are vulnerable as well, potentially leaving some device communication vulnerable if the hotspot base station remains vulnerable, ESET stated in its analysis of the issue.

"This greatly increases the attack surface, as an adversary can decrypt data that was transmitted by a vulnerable access point, which is often beyond your control, to your device, which doesn’t have to be vulnerable," Robert Lipovský, an ESET researcher working with the Kr00k vulnerability research team, said in a statement.

Related to the KRACK vulnerability discovered in 2017, the vulnerability affects both WPA2-Personal and WPA2-Enterprise protocols. ESET first reported the vulnerability to Amazon more than a year ago, and with further research, discovered in July 2019 that the Cypress Wi-Fi chipset was the source of the security issue. In August, the company confirmed that the widely used Broadcom Wi-Fi chipsets were vulnerable as well.

The attack abuses an implementation flaw in the chipsets. When a Wi-Fi connection is lost — either because the device moves to a different network or due to interference — the device is "disassociated" from the network. The problem for the affected chipsets is that disassociation causes the key to be zeroed out and then any buffered data will be sent using that key of all zeros. By repeated disassociating the device from the network, an attacker can capture several data frames.

"Kr00k manifests itself after Wi-Fi disassociations, which can happen naturally, for example due to a weak Wi-Fi signal, or may be manually triggered by an attacker," ESET's Čermák said.

For more than a year, ESET has worked with device makers to create a fix for the issue and patch devices. Most users should be safe, but they should check that their devices have the more recent software updates, the company said. Even though the source of the bug is in the Wi-Fi chipsets, their behavior can be modified through the firmware. Patches for all affected devices made by major manufacturers have been released, ESET stated.

"To protect yourself, as a user, make sure you have updated all your Wi-Fi capable devices, including phones, tablets, laptops, IoT smart devices, and Wi-Fi access points and routers, to the latest firmware version," Lipovský said.

The company urged device manufacturers that may not have patched their device to reach out to their chipset vendors for more information.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Wendy Nather on How to Make Security 'Democratization' a Reality."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2020 | 3:27:59 PM
Latest firmware
To protect yourself, as a user, make sure you have updated all your Wi-Fi capable devices, including phones, tablets, laptops, IoT smart devices, and Wi-Fi access points and routers, to the latest firmware version I would suggest to check firmware versions constantly and update it, it will keep us secure and increase then performance of the device
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2020 | 3:25:11 PM
Updates
Most users should be safe, but they should check that their devices have the more recent software updates Obviously that is what it comes down, keep the devices up to date with the latest patches
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2020 | 3:23:28 PM
Base station
potentially leaving some device communication vulnerable if the hotspot base station remains vulnerable, That makes sense, base station is part of star topology, once it is compromised whole communication is compromised
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2020 | 3:13:40 PM
Re: Do not feel safe
I hear you. It is better to be prepared rather than scared of course.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/28/2020 | 3:11:30 PM
Limited data
allowing the attacker to eavesdrop on a limited amount of wireless data I wonder what indicates limited amount of data, once they eavesdrop then they have the data.
boholuxe
50%
50%
boholuxe,
User Rank: Apprentice
2/27/2020 | 3:18:43 PM
Do not feel safe
After reading this article I feel insecure
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13757
PUBLISHED: 2020-06-01
Python-RSA 4.0 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing exces...
CVE-2020-13758
PUBLISHED: 2020-06-01
modules/security/classes/general.post_filter.php/post_filter.php in the Web Application Firewall in Bitrix24 through 20.0.950 allows XSS by placing %00 before the payload.
CVE-2020-9291
PUBLISHED: 2020-06-01
An Insecure Temporary File vulnerability in FortiClient for Windows 6.2.1 and below may allow a local user to gain elevated privileges via exhausting the pool of temporary file names combined with a symbolic link attack.
CVE-2019-15709
PUBLISHED: 2020-06-01
An improper input validation in FortiAP-S/W2 6.2.0 to 6.2.2, 6.0.5 and below, FortiAP-U 6.0.1 and below CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump commands in the CLI.
CVE-2020-13695
PUBLISHED: 2020-06-01
In QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8, the local www-data user has sudo privileges to execute grep as root without a password, which allows an attacker to obtain sensitive information via a grep of a /root/*.db or /etc/shadow file.