Billion-plus Wi-Fi devices hit by Kr00k vulnerability
The flaw chiefly affects Broadcom and Cypress Wi-Fi chips and is related to the infamous KRACK attacks


A serious vulnerability in more than a billion Wi-Fi devices fitted with chips made by Broadcom and Cypress, among others, could allow an attacker to decrypt wireless network packets and intercept web traffic.
The flaw, assigned CVE-2019-15126 and dubbed Kr00k, causes Wi-Fi devices to revert to an encryption key comprising just zeroes to secure part of the user’s communication.
Hackers can exploit the bug by artificially extending the period in which the all-zero encryption key is in use, allowing them to decrypt Wi-Fi packets.
A vast number of devices are affected, according to researchers with ESET, including smart home units, smartphones, as well as the Raspberry Pi 3. These are in addition to Wi-Fi routers and access points with Broadcom chips.
Staggeringly, more than a billion devices using the WPA2-Personal and WPA2-Enterprise protocols with AES-CCMP encryption are affected by Kr00k, although this is still a “conservative estimate”.
“While the source of the bug lies in the Wi-Fi chips, fortunately, it can be mitigated through software or firmware updates,” the researchers said in a paper.
“According to some vendor publications and our own (non-comprehensive) tests, devices should have received patches for the vulnerability by the time of publication.
“Depending on the device type, this might only mean ensuring the latest OS or software updates are installed (Android, Apple and Windows devices; some IoT devices), but may require a firmware update (access points, routers and some IoT devices).”
The vulnerability manifests during the disassociation state in Wi-Fi devices, which is effectively a temporary disconnection that occurs naturally due to low signal, or when a device moves between access points.
In Broadcom and Cypress Wi-Fi chips, the encryption key used to secure packets is reset to an all-zero value during this state.
In practice, attackers could manually force an extended disassociation period before reassociation, receive the Wi-Fi packets sent during it, and use the Kr00k bug to decrypt traffic that is temporarily protected by the all-zero encryption key.
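A defender-side illustration of the forced-disassociation condition described above, added here and not taken from the article or the ESET paper: it flags stations that an access point logs as disassociated unusually often within a short window. The hostapd-style sample lines, timestamp layout, host name, MAC addresses, threshold and window are all constructed assumptions, and disassociation frequency is a heuristic indicator rather than a Kr00k signature.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed hostapd-style log lines (not captured from a real network).
SAMPLE_LOG = """\
2020-02-26T10:00:00 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: associated (aid 1)
2020-02-26T10:00:05 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: disassociated
2020-02-26T10:00:12 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: disassociated
2020-02-26T10:00:20 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: disassociated
2020-02-26T10:00:31 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: disassociated
2020-02-26T10:00:44 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: disassociated
2020-02-26T10:05:00 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:02 IEEE 802.11: disassociated
2020-02-26T10:25:00 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:02 IEEE 802.11: disassociated
2020-02-26T10:30:00 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:03 IEEE 802.11: disassociated
2020-02-26T10:33:00 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:03 IEEE 802.11: disassociated
2020-02-26T10:36:00 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:03 IEEE 802.11: disassociated
2020-02-26T10:39:00 ap1 hostapd: wlan0: STA 02:00:00:aa:bb:03 IEEE 802.11: disassociated
"""

# Timestamp, host, then hostapd's "<iface>: STA <mac> IEEE 802.11: disassociated".
LINE_RE = re.compile(
    r"^(\S+) \S+ hostapd: \S+ STA ([0-9a-f:]{17}) IEEE 802\.11: disassociated$"
)

def disassociation_bursts(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {station MAC: peak count} for stations disassociated at least
    `threshold` times inside any sliding `window` (both values are assumptions)."""
    recent = defaultdict(deque)   # per-station timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue              # association and unrelated lines are ignored
        ts, mac = datetime.fromisoformat(match.group(1)), match.group(2)
        events = recent[mac]
        events.append(ts)
        while ts - events[0] > window:
            events.popleft()      # drop events that have aged out of the window
        if len(events) >= threshold:
            flagged[mac] = max(flagged.get(mac, 0), len(events))
    return flagged

if __name__ == "__main__":
    for mac, count in disassociation_bursts(SAMPLE_LOG).items():
        print(f"{mac}: {count} disassociations within 60 s")
```

Stations that roam occasionally (the second and third MAC addresses in the sample) stay below the threshold; tune both parameters against a baseline from the network being monitored.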
The flaw is similar in nature to the infamous KRACK (Key Reinstallation Attacks) exploit discovered in 2017. Although KRACK received widespread attention at the time, not all devices were fully patched. Kr00k is one of the possible causes behind the ‘reinstallation’ of an all-zero encryption key which was observed in the tests for KRACK attacks.
There are a number of differences, however: while KRACK was a series of attacks, Kr00k is a single vulnerability. KRACK, meanwhile, was triggered during the four-way handshake procedure in Wi-Fi devices, while Kr00k is triggered after disassociation.
The breadth of devices affected by KRACK is also much wider, given it exploits implementation flaws in the WPA2 protocol itself, as opposed to Kr00k, which affects only the most common Wi-Fi chips manufactured by Broadcom and Cypress.
The bug affects FullMAC WLAN chips by the two aforementioned companies. While Broadcom chips are used by the majority of Wi-Fi devices, Cypress chips are predominantly used in IoT devices.
ESET researchers tested a host of devices and found that those affected include the Apple iPad mini 2 as well as iPhone 6, 6S, 8 and XR, as well as the MacBook Air Retina 13in 2018.
A handful of Android smartphones were also affected, including Google Nexus 5, 6 and 6S, the Samsung Galaxy S8 and Xiaomi Redmi 3S. This is in addition to the 2nd-gen Amazon Echo and 8th-gen Kindle, as well as Raspberry Pi 3 devices.
The vulnerable access points that were tested include the Asus RT-N12, Huawei B512S-25d, EchoLife HG8245H and E5577Cs-321.
“We estimate that the number of affected devices, prior to patching, was well over a billion as the billion mark is passed by counting only the number of affected iPhone generations we tested,” the researchers added.
“We have also tested some devices with Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink, Mediatek and did not see the vulnerability manifest itself.
“Obviously, we have not tested every possible Wi-Fi chip by every manufacturer, so while we are currently not aware of other affected chips, we also cannot rule this out.”
The researchers have also recommended that organisations should update devices with Broadcom or Cypress chips to the latest software versions, including both client devices as well as access points.
They added that patches for devices by major manufacturers should have been released by now, including for phones, tablets, laptops, IoT devices, access points and routers.
Moreover, manufacturers using Broadcom or Cypress chips should check with these companies that their devices have been patched.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.