ESET researchers have discovered Kr00k (CVE-2019-15126), a hitherto unknown vulnerability in Wi-Fi chips used in client devices, Wi-Fi access points and routers.
The Kr00k vulnerability encrypts an infected device's network communication with key "all-zero" encryption, giving the cybercriminal the ability to decrypt wireless network packets and make his attack successful.
The discovery of Kr00k is linked to previous research ESET for security vulnerabilities detected in Amazon Echo that allowed KRACK (Key Reinstallation Attack) vulnerabilities. Kr00k is related to KRACK, however it shows fundamental differences. Analyzing the KRACK, ESET researchers discovered that Kr00k was one of the agents responsible for the "reinstallation” of an “all-zero” encryption key, observed in tests for KRACK attacks. After this research, most major device manufacturers released related patches.
The Kr00k is particularly dangerous because it has affected over a billion Wi-Fi-enabled devices, a number that is a conservative estimate.
ESET will publicly present its research on this vulnerability for the first time on February 26 at the RSA Conference 2020.
Kr00k affects all devices with Broadcom and Cypress Wi-Fi chips that have not been patched. These are the most common Wi-Fi chips used today in client devices. Wi-Fi access points and routers are also vulnerable, which means that even environments where client devices have been patched have been compromised. ESET examined and confirmed that among the vulnerable devices were client devices from Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3) and Xiaomi (Redmi), as well as access points from Asus and Huawei.
ESET announced the vulnerability to chip makers Broadcom and Cypress, which then released a patch. The company also partnered with the Industry Consortium for Advancement of Internet Security (ICASI) to inform Kr00k of all stakeholders, both vulnerable chip makers and others who may be involved. affected. According to the information available to ESET, the devices of the major manufacturers have now been updated with the relevant patches.
"Kr00k occurs after disconnecting from Wi-Fi - something that can happen very normally, for example due to a weak Wi-Fi signal or even caused by an intruder. "If an attack is successful, several kilobytes of potentially sensitive information can be found exposed," explains Miloš Čermák, ESET's head of Kr00k vulnerability research, adding that "by repeatedly causing logins, network with potentially sensitive data ".
Figure: An active intruder can cause disconnections to collect and decrypt data.
"To protect one user, θα πρέπει να βεβαιωθεί ότι όλες οι συσκευές με δυνατότητα σύνδεσης σε Wi-Fi, όπως τηλέφωνα, tablet, φορητοί υπολογιστές, έξυπνες συσκευές IoT, Wi-Fi access points and routers, διαθέτουν την πιο πρόσφατη έκδοση ενημέρωσης» συμβουλεύει ο ερευνητής της ESET, Robert Lipovský, που συνεργάζεται με την ομάδα που αναλύει το Kr00k.
"Worryingly, the Kr00k vulnerability affects not only client devices, but also Wi-Fi access points and routers. This greatly increases the scope of the attack, as an attacker can decrypt the data transmitted by a vulnerable access point, a mode that happens uncontrollably on a device, even if it has no vulnerabilities."
For more technical details about the Kr00k, you can read the white paper: “K.r00k - CVE-2019-15126 Serious vulnerability deep inside your Wi-Fi encryptionAnd the related blogpost on WeLiveSecurity. All the latest developments are on the ESET research team's Twitter account.
