More than One Billion Devices Affected by Wi-Fi Encryption Vulnerability

By Warren Domingo on February 28, 2020

Introduction

Many devices produced today are headed towards Internet connectivity, becoming part of the Internet of Things (IoT). These IoT devices can make life easier as more processes around the home become automated. However, they also increase the attack surface of a network, since every connected device is another target available to adversaries. Kr00k, tracked as CVE-2019-15126, is a vulnerability in Wi-Fi chips made by Broadcom and Cypress. It affects smartphones, laptops, IoT devices, and routers, and allows attackers to decrypt some of the wireless network packets transmitted by affected devices.

Vulnerability

This vulnerability is triggered when a device disassociates from a Wi-Fi network. Disassociation occurs when a device is no longer in range of a network, when it changes networks, when interference occurs, or when Wi-Fi is turned off completely. After disassociation, the key securing the communication is set to all zeros, since the chip expects no further traffic. However, packets still sitting in the chip's transmit buffer are sent after the key has been zeroed, so they go out encrypted with an all-zero key.

Impact

Adversaries can use this vulnerability to decrypt network packets and possibly obtain sensitive information. Disassociation can occur in a few ways: it can happen naturally, or an attacker can send malicious packets to the device that force it to disconnect from the network. Adversaries do not have to be connected to the LAN to capture packets: a device in monitor mode within range of the network can capture them. Packets that were in the transmit buffer will be part of the capture and can be decrypted using the all-zero key. If a log-in attempt was taking place when the disassociation occurred, passwords and log-in details can be decrypted.
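The following is an added model of the failure mode described in the Vulnerability and Impact sections; it is not code from the original post, from ESET, or from any chip vendor. It replaces the real CCMP (AES-CCM) cipher with a constructed HMAC-SHA256 counter-mode stream plus an HMAC tag so that it runs offline with the standard library only; the `WifiChip` class, the "drop the buffer before clearing the key" fix, and the sample frames (`alice`, `hunter2`, the session cookie) are all assumptions made for illustration. It shows why a frame encrypted under an all-zero key is readable to anyone who captured it, and gives a defender-side check that flags such frames in a capture.

```python
"""Toy model of the Kr00k (CVE-2019-15126) ordering bug and a corrected chip.

Constructed example. The cipher is an HMAC-SHA256 counter-mode keystream with
an HMAC-based integrity tag, standing in for WPA2's CCMP. Only the ordering of
"zero the key" versus "flush the transmit buffer" is modelled.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

TK_LEN = 16              # 128-bit temporal key, as in WPA2-CCMP
ZERO_TK = bytes(TK_LEN)  # the all-zero key installed on disassociation
MIC_LEN = 8              # CCMP's MIC is 8 bytes; mirrored here


@dataclass
class Frame:
    nonce: bytes       # packet number, sent in the clear like the CCMP PN
    ciphertext: bytes
    mic: bytes


def _keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-CTR: HMAC(tk, nonce || counter) blocks, truncated.
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(tk, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def protect(tk: bytes, nonce: bytes, plaintext: bytes) -> Frame:
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(tk, nonce, len(plaintext))))
    mic = hmac.new(tk, nonce + ct, hashlib.sha256).digest()[:MIC_LEN]
    return Frame(nonce, ct, mic)


def unprotect(tk: bytes, frame: Frame) -> Optional[bytes]:
    # Returns None when the tag does not verify under this key (wrong key or tampering).
    expected = hmac.new(tk, frame.nonce + frame.ciphertext, hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(expected, frame.mic):
        return None
    ks = _keystream(tk, frame.nonce, len(frame.ciphertext))
    return bytes(c ^ k for c, k in zip(frame.ciphertext, ks))


class WifiChip:
    """Minimal transmit path: a TX buffer, a temporal key, and the air (hypothetical)."""

    def __init__(self, tk: bytes, patched: bool):
        self.tk = tk
        self.patched = patched
        self.tx_buffer: List[bytes] = []
        self.on_air: List[Frame] = []   # everything a nearby monitor-mode radio would see
        self.pn = 0

    def queue(self, plaintext: bytes) -> None:
        self.tx_buffer.append(plaintext)

    def transmit_pending(self) -> None:
        # Encrypt and send whatever is buffered with the key installed *right now*.
        while self.tx_buffer:
            self.pn += 1
            self.on_air.append(protect(self.tk, self.pn.to_bytes(6, "big"), self.tx_buffer.pop(0)))

    def disassociate(self) -> None:
        if self.patched:
            # Assumed fix: discard queued frames before the key is cleared, so
            # nothing is ever encrypted under the all-zero key.
            self.tx_buffer.clear()
            self.tk = ZERO_TK
        else:
            # Kr00k ordering: key zeroed while frames remain buffered; the buffer
            # is then still transmitted, now encrypted with TK = 0.
            self.tk = ZERO_TK
            self.transmit_pending()


def zero_key_exposed(frames: List[Frame]) -> List[bytes]:
    """Defender check: plaintext of every captured frame whose tag verifies under the all-zero key."""
    leaked = []
    for f in frames:
        pt = unprotect(ZERO_TK, f)
        if pt is not None:
            leaked.append(pt)
    return leaked


def run_scenario(patched: bool) -> List[bytes]:
    tk = hashlib.sha256(b"constructed session key").digest()[:TK_LEN]   # constructed key
    chip = WifiChip(tk, patched)
    chip.queue(b"GET /index.html")
    chip.transmit_pending()                                   # sent normally under the real key
    chip.queue(b"POST /login user=alice&pw=hunter2")          # constructed: queued, not yet sent
    chip.queue(b"cookie: session=abc123")                     # constructed: queued, not yet sent
    chip.disassociate()                                       # e.g. device goes out of range
    return zero_key_exposed(chip.on_air)


if __name__ == "__main__":
    print("vulnerable chip leaks:", run_scenario(patched=False))
    print("patched chip leaks:   ", run_scenario(patched=True))
```

The first frame was protected under the real key, so the zero-key check rejects it; only the frames flushed after the key was cleared verify and decrypt. Note that the integrity tag is what makes the check reliable: with a bare stream cipher any key "decrypts" to some bytes, whereas CCMP's MIC (mirrored here) verifies only under the key actually used. The same idea, run over a real capture with a CCMP decryptor and an all-zero key, is how one would confirm whether a device still flushes buffered frames after disassociation.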

Mitigation

This vulnerability was discovered in the summer of 2019 and brought to the attention of the companies producing the vulnerable Wi-Fi chips. They have released a firmware update that patches it and distributed the update to vendors that use the chips. These vendors then release patches of their own for devices built on the vulnerable chips. It is possible that WPA3 is not affected by this vulnerability. Furthermore, communications that use TLS cannot be decrypted using this vulnerability.

Relevance

Many companies use Wi-Fi chips produced by these two manufacturers. Large names like Amazon, Apple, Cisco, Google, Huawei, and Samsung all have vulnerable products. Though patches have been released, it is estimated that more than one billion devices were vulnerable. Furthermore, other Wi-Fi chip manufacturers that have not been tested may also be vulnerable, adding to the list of possibly affected devices.
