Summary:
ESET researchers discovered a ‘previously unknown vulnerability’ in Wi-Fi chips and named it Kr00k. More than a billion devices are affected by this vulnerability, including phones, tablets, computers, Wi-Fi routers and IoT devices with Wi-Fi capabilities. This article aims to shed some light on this newly discovered attack vector: the vulnerability itself, the attack vector, and how the attack is carried out. As mentioned later in the article, protect yourself now by ensuring Wi-Fi capable devices have updated their respective firmware.
Start:
The Kr00k vulnerability is a serious flaw and has been assigned the identifier CVE-2019-15126 by ESET researchers. Until now this vulnerability has been unknown, yet it affects billions of devices. A successful attack allows an adversary to decrypt wireless network packets transmitted by vulnerable devices. Vulnerable devices are those containing the affected Wi-Fi chips, which, as previously mentioned, are found in phones, tablets, computers, Wi-Fi routers and IoT devices with Wi-Fi capabilities. This is a huge threat to the IoT world, as it presents a new and previously unknown attack vector.
Kr00k affects devices with Wi-Fi chips by Broadcom and Cypress that haven’t yet been patched. But because attackers can get hold of wireless network packets, network devices are still at risk if unpatched devices exist on the network. Essentially, as soon as there is one weak link in your ecosystem in terms of Wi-Fi chips, there is a possible attack vector.
To quote the executive summary from ESET more specifically: ‘tests confirmed that prior to patching, some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were vulnerable to Kr00k.’
ESET goes on to say that, by a conservative estimate, over a billion Wi-Fi-capable devices and access points were vulnerable to Kr00k. The ESET researchers noted that vendors whose products they did not test also use the affected chipsets in their devices.