ESET researchers have discovered Kr00k (CVE-2019-15126), a hitherto unknown vulnerability in chip Wi-Fi, used in client devices, Wi-Fi access points and routers.
The Kr00k vulnerability encrypts an infected device's network communication with key "all-zero" encryption, giving the cybercriminal the ability to decrypt wireless network packets and make his attack successful.
The discovery of Kr00k is linked to previous research of ESET for the security gaps that had been identified in the Amazon Echo, which allowed attacks from vulnerabilities KRACK (Key Reinstallation Attack). Kr00k is related to KRACK, but has fundamental differences. Analyzing the KRACK, ESET researchers found that Kr00k was one of the factors responsible for "reinstalling" an "all-zero" encryption key, which was observed in tests for KRACK attacks. Following this research, most major device manufacturers have released related patches.
The Kr00k is particularly dangerous because it has affected over a billion Wi-Fi-enabled devices, a number that is a conservative estimate.
ESET will publicly present its research on this vulnerability for the first time on February 26 at the RSA Conference 2020.
Kr00k affects all devices with Wi-Fi chips Broadcom και Cypress, που δεν έχουν ενημερωθεί με patch. Πρόκειται για τα πιο κοινά τσιπ Wi-Fi που χρησιμοποιούνται σήμερα στις συσκευές client. Ευάλωτα είναι επίσης και τα Wi-Fi access points και τα routers, που σημαίνει ότι κινδυνεύουν ακόμη και περιβάλλοντα που οι συσκευές client έχουν ενημερωθεί με patch. Η ESET εξέτασε και επιβεβαίωσε ότι μεταξύ των ευάλωτων συσκευών ήταν οι συσκευές client από τις εταιρείες Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3) και Xiaomi (Redmi), καθώς και access points από την Asus και την Huawei.
ESET announced the vulnerability to chip makers Broadcom and Cypress, which then released a patch. The company also partnered with the Industry Consortium for Advancement of Internet Security (ICASI) to inform Kr00k of all stakeholders, both vulnerable chip makers and others who may be involved. affected. According to the information available to ESET, the devices of the major manufacturers have now been updated with the relevant patches.
«Το Kr00k εμφανίζεται μετά από αποσυνδέσεις από τα Wi-Fi - κάτι που μπορεί να συμβεί πολύ φυσιολογικά, για παράδειγμα εξαιτίας ενός αδύναμου σήματος Wi-Fi ή ακόμη και να προκληθεί από έναν εισβολέα. Αν μια επίθεση είναι επιτυχής, μπορεί να βρεθούν εκτεθειμένα αρκετά kilobytes δυνητικά ευαίσθητων πληροφοριών», εξηγεί ο Miloš Čermák, ο επικεφαλής στις έρευνες ης ESET σχετικά με την ευπάθεια Kr00k, προσθέτοντας ότι «προκαλώντας επανειλημμένα αποσυνδέσεις, ο επιτιθέμενος μπορεί να συλλέξει ένα σημαντικό αριθμό πακέτων δικτύου με δυνητικά ευαίσθητα δεδομένα».
Figure: An active intruder can cause disconnections to collect and decrypt data.
"To protect a user, it must be ensured that all Wi-Fi enabled devices, such as phones, tablets, laptops, IoT smart devices, Wi-Fi access points and routers, have the latest update." advises ESET researcher Robert Lipovský, who works with the team that analyzes Kr00k.
"It is a matter of concern that the Kr00k vulnerability affects not only client devices but also Wi-Fi access points and routers. "This significantly increases the scope of the attack, as an attacker can decrypt the data transmitted from an access point with vulnerability, an operation that occurs uncontrollably on a device, even if it has no vulnerabilities."
For more technical details about the Kr00k, you can read the white paper: “K.r00k - CVE-2019-15126 Serious vulnerability deep inside your Wi-Fi encryptionAnd the related blogpost on WeLiveSecurity. All the latest developments are on the ESET research team's Twitter account.
