ESET researchers have discovered Kr00k (CVE-2019-15126), a hitherto unknown vulnerability in Wi-Fi chips used in client devices, Wi-Fi access points and routers.
The Kr00k vulnerability encrypts the network communication of an infected device with an "all-zero" encryption key, enabling the cybercriminal to decrypt the wireless network packets and successfully crown his attack.
The discovery of Kr00k is linked to previous research of ESET for the security gaps that were detected in the Amazon Echo, which allowed attacks from KRACK (Key Reinstallation Attack) vulnerabilities. Kr00k is related to KRACK, but has fundamental differences. Analyzing the KRACK, ESET researchers found that Kr00k was one of the factors responsible for "reinstalling" an "all-zero" encryption key, which was observed in tests for KRACK attacks. Following this research, most major device manufacturers have released related patches.
Kr00k is particularly dangerous because he has affected more than one billion Wi-Fi-enabled devices, with this number being a conservative estimate.
ESET will publicly present its research into this vulnerability for the first time on February 26 at the RSA conference Conference 2020.
Kr00k affects all devices with Broadcom and Cypress Wi-Fi chips that have not been patched. These are the most common Wi-Fi chips used today in client devices. Wi-Fi access points and routers are also vulnerable, which means that even environments where client devices have been patched have been compromised. ESET examined and confirmed that among the vulnerable devices were client devices from Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3) and Xiaomi (Redmi), as well as access points from Asus and Huawei.
ESET disclosed the vulnerability to chipmakers Broadcom and Cypress, who subsequently released patches. The company also partnered with the Industry Consortium for Advancement of Security on the Internet (ICASI), in order to make Kr00k known to all stakeholders, both device manufacturers using the vulnerable chips and other potentially affected manufacturers. According to the information available to ESET, the devices of the major manufacturers have now been updated with the relevant patches.
"Kr00k occurs after disconnecting from Wi-Fi - something that can happen very normally, for example due to a weak Wi-Fi signal or even caused by an intruder. "If an attack is successful, several kilobytes of potentially sensitive information can be found exposed," explains Miloš Čermák, ESET's head of Kr00k vulnerability research, adding that "by repeatedly causing logins, network with potentially sensitive data ".
Figure: An active intruder can cause disconnections to collect and decrypt data.
"To protect a user, it must be ensured that all Wi-Fi enabled devices, such as phones, tablets, laptops, IoT smart devices, Wi-Fi access points and routers, have the latest update." advises ESET researcher Robert Lipovský, who works with the team that analyzes Kr00k.
"It is a matter of concern that the Kr00k vulnerability affects not only client devices but also Wi-Fi access points and routers. "This significantly increases the scope of the attack, as an attacker can decrypt the data transmitted from an access point with vulnerability, an operation that occurs uncontrollably on a device, even if it has no vulnerabilities."
For more technical details about the Kr00k, you can read the white paper: “K.r00k - CVE-2019-15126 Serious vulnerability deep inside your Wi-Fi encryption” and related blogpost on WeLiveSecurity. All the latest developments are at account of the ESET Research Team on Twitter.
