Kr00k Wi-Fi Encryption Vulnerability Affects Over a Billion Devices



  • Event: Kr00k Wi-Fi Encryption Vulnerability Affects Over a Billion Devices

    Summary:

    This Kr00k vulnerability, assigned to CVE-2019-15126, triggers vulnerable Wi-Fi devices to use an all-zero encryption key to encrypt part of the user's communication. In a successful exploit, this vulnerability allows an adversary to decrypt wireless network packets transmitted by a vulnerable device. Prior to patching, affected devices totaled well over a billion endpoints, including mobile devices, laptops, computers and Wi-Fi routers. Several manufacturers have released patches for Kr00k.

    Analysis:

    As data packets are transferred over Wi-Fi, these packets are encrypted using a unique key via a 4-way handshake. During the 4-way handshake, the client and wireless access points are generating and installing cryptographic keys. The relevant component to the Kr00k vulnerability is the 128-bit Temporal Key (TK), which is used to encrypt data frames transmitted during the specific client-AP session.

    Disconnection in Wi-Fi networks is a common phenomenon that occurs on a constant basis due to a weak internet signal and frequency interference. While disconnecting, the session-specific TK value is cleared from memory and is subsequently set to an all zero value. However, and accidentally, all data frames that were left in the vulnerable network chip’s buffer are transmitted after being encrypted with this all-zero Temporal Key.

    Malicious actors can exploit this weak encryption offload by manually triggering disassociations and intercepting the remaining packets on the network chip.

    Revealed at the RSA 2020 Conference in February, Kr00k impacts devices with Broadcom and Cypress Wi-Fi chips using both WPA2-Personal and WPA2-Enterprise protocols, along with AES-CCMP encryption.

    ESET, the discoverer of the security issue, privately and responsibly disclosed the exploit to the respective manufacturers and companies utilizing the vulnerable Wi-Fi chipsets in the Fall of 2019.

    While the vulnerability affects the disassociation procedure of the implanted chip, it can be mitigated through software or firmware updates.

    Several manufacturers and companies have released security advisories regarding Kr00k in the last four months, which are listed below:

    · Aruba Networks

    · Huawei

    · Sonicwall

    · Apple iOS & IPadOS

    · Apple macOS (Catalina, Mojave, & High Sierra)

    · Cisco

    · Mist

    ESET Lab-Tested Affected Devices & Access Points (Not Limited To):

    Below is a list of devices confirmed by ESET Labs that revert the Temporal Key to the all-zero value for packet interception and encryption. While this is not a complete list, the list should give system administrators/managers an idea about the type of devices susceptible to the attack.

    · Amazon Echo 2nd gen

    · Amazon Kindle 8th gen

    · Apple iPad Mini 2

    · Apple iPhone 6, 6S, 8, XR

    · Apple MacBook Air Retina 13-inch 2018

    · Google Nexus 5, 6 , 6P

    · Raspberry Pi 3

    · Samsung Galaxy S4 GT-I9505

    · Samsung Galaxy S8

    · Xiaomi Redmi 3S

    · Asus RT-N12

    · Huawei B612S-25d

    · Huawei EchoLife HG8245H

    · Huawei E5577Cs-321

    Recommended Actions:

    Health-ISAC recommends immediate patches of affected devices utilizing Cypress and Broadcom chips by keeping software and firmware in their latest version.

    Health-ISAC additionally recommends initiating updates on wireless access points that require manual activation. While this may result in a temporary loss of service, the prevention of packet interception will result in a significantly more secure environment for all users.

    References:

    CVE-2019-15126 National Vulnerability Database
    https://nvd.nist.gov/vuln/detail/CVE-2019-15126
    ESET: KR00K - CVE-2019-15126 Serious Vulnerability Deep Inside Your Wi-Fi Encryption
    https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf
    RSA Conference: Kr00k: How KRACKing Amazon Echo Exposed a Billion+ Vulnerable WiFi Devices
    https://www.rsaconference.com/usa/agenda/kr00k-how-kracking-amazon-echo-exposed-a-billion-vulnerable-wifi-devices
    Bleeping Computer: Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info
    https://www.bleepingcomputer.com/news/security/kr00k-bug-in-broadcom-cypress-wifi-chips-leaks-sensitive-info/


Log in to reply