ESET researchers have discovered Kr00k (CVE-2019-15126), a previously unknown vulnerability in Wi-Fi chips used in many client devices, Wi-Fi access points and routers.
Kr00k is a vulnerability that causes the network communication of an affected device to be encrypted with an all-zero encryption key. In a successful attack, this allows an adversary to decrypt wireless network packets.
The discovery of Kr00k follows previous ESET research into the Amazon Echo being vulnerable to KRACKs (Key Reinstallation Attacks). Kr00k is related to KRACK, but is also fundamentally different. During the investigation into KRACK, ESET researchers identified Kr00k as one of the causes behind the “reinstallation” of an all-zero encryption key observed in tests for KRACK attacks. Subsequent to our research, most major device manufacturers have released patches.
Kr00k is particularly dangerous because it has affected over a billion Wi-Fi enabled devices – a conservative estimate.
ESET will publicly present its research into this vulnerability for the first time on February 26 at the RSA Conference 2020.
Kr00k affects all devices with Broadcom and Cypress Wi-Fi chips that remain unpatched. These are the most common Wi-Fi chips used in today’s client devices. Wi-Fi access points and routers are also affected by the vulnerability, making even environments with patched client devices vulnerable. ESET tested and confirmed that among the vulnerable devices were client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3) and Xiaomi (Redmi), as well as access points by Asus and Huawei.
ESET responsibly disclosed the vulnerability to the chip manufacturers Broadcom and Cypress, who subsequently released patches. We also worked with the Industry Consortium for Advancement of Security on the Internet (ICASI) to ensure that all possibly affected parties – including affected device manufacturers using the vulnerable chips, as well as other possibly affected chip manufacturers – were aware of Kr00k. According to our information, devices by major manufacturers have now been patched.
“Kr00k manifests itself after Wi-Fi disassociations – which can happen naturally, for example due to a weak Wi-Fi signal, or may be manually triggered by an attacker,” said Miloš Čermák, the lead ESET researcher into the Kr00k vulnerability. “If an attack is successful, several kilobytes of potentially sensitive information can be exposed. By repeatedly triggering disassociations, the attacker can capture a number of network packets with potentially sensitive data,” he adds.
“To protect yourself, as a user, make sure you have updated all your Wi-Fi capable devices, including phones, tablets, laptops, IoT smart devices, and Wi-Fi access points and routers, to the latest firmware version,” said Robert Lipovský, an ESET researcher working with the Kr00k vulnerability research team. “Of great concern is that not only client devices, but also Wi-Fi access points and routers that have been affected by Kr00k. This greatly increases the attack surface, as an adversary can decrypt data that was transmitted by a vulnerable access point, which is often beyond your control, to your device, which doesn’t have to be vulnerable.”
For more technical details about Kr00k, read the white paper Kr00k – CVE-2019-15126 Serious vulnerability deep inside your Wi-Fi encryption and blog post on WeLiveSecurity. More information available also on the dedicated landing page. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.