There’s a new significant vulnerability affecting a wide range of products. Dubbed Kr00k (CVE-2019-15126), the vulnerability can be exploited to intercept and decrypt WiFi network traffic relying on WPA2 connections.
The CVE-2019-15126 flaw was disclosed during the RSA 2020 security conference in San Francisco by ESET researchers.
CVE-2019-15126: Kr00k Vulnerability Explained
The researchers say that Kr00k, or CVE-2019-15126, affects all Wi-Fi-capable devices that use Broadcom and Cypress Wi-Fi chips, two of the most popular and widely deployed such chipsets. These chips are found in a huge range of devices, such as smartphones, laptops, IoT devices, etc.
According to ESET, the Kr00k vulnerability affects devices from Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3) and Xiaomi (Redmi), but also access points from Asus and Huawei. It appears that more than a billion devices are prone to the vulnerability, and this number is a “conservative estimate”.
What makes Kr00k different than similar vulnerabilities?
Technically, the flaw is not much different from the many other flaws disclosed every day. What makes this one more complex, unique and dangerous is that it affects the encryption that protects data packets sent over WiFi connections.
Normally, these packets are encrypted with a unique session key that is derived from the user’s WiFi password. However, in Broadcom and Cypress Wi-Fi chipsets this key is reset to an all-zero value during a specific process known as disassociation.
Disassociation is a “natural process” in a Wi-Fi connection: it is a disconnection that can happen, for example, as a result of a weak signal. Wireless devices can enter a disassociated state multiple times a day, and they reconnect automatically to the previous network.
The issue with the Kr00k vulnerability is that threat actors can force devices into a prolonged disassociated state, capture the specific WiFi packets transmitted during it, and then exploit the bug to decrypt that traffic using the zeroed key.
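Because the trigger described above is a burst of forced disassociations, a wireless IDS can flag it by counting disassociation/deauthentication frames per client in a sliding window. The following detector is an added example, not ESET’s tooling or code from the article; the frame records, MAC addresses and thresholds are constructed for illustration.

```python
"""Flag clients hit by a burst of disassociation frames, the condition that
triggers the all-zero-key encryption described in the Kr00k report.
Added example; frame records below are constructed, not real captures."""
from collections import defaultdict, deque

# Constructed sample: (timestamp_seconds, frame_subtype, bssid, client_mac).
# The first client disassociates once and reassociates 90 s later (normal).
# The second client receives five disassociation frames within two seconds.
SAMPLE_FRAMES = [
    (0.0,   "disassoc", "aa:bb:cc:00:00:01", "11:22:33:44:55:66"),
    (90.0,  "assoc",    "aa:bb:cc:00:00:01", "11:22:33:44:55:66"),
    (100.0, "disassoc", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),
    (100.4, "disassoc", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),
    (100.9, "disassoc", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),
    (101.3, "disassoc", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),
    (101.8, "disassoc", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"),
]

def find_disassoc_bursts(frames, window=5.0, threshold=3):
    """Return one alert tuple (client_mac, bssid, count, first_ts) per
    (client, bssid) pair that receives at least `threshold` disassociation
    or deauthentication frames inside any `window`-second sliding window.
    `frames` must be sorted by timestamp; association frames are ignored."""
    recent = defaultdict(deque)      # (client, bssid) -> timestamps in window
    alerts = {}
    for ts, subtype, bssid, client in frames:
        if subtype not in ("disassoc", "deauth"):
            continue
        key = (client, bssid)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps outside window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            # Report on first crossing so a long burst yields a single alert
            alerts[key] = (client, bssid, len(q), q[0])
    return list(alerts.values())

if __name__ == "__main__":
    for client, bssid, count, first_ts in find_disassoc_bursts(SAMPLE_FRAMES):
        print(f"ALERT {client} on {bssid}: {count} disassoc frames from t={first_ts}")
```

A legitimate roaming client produces isolated disassociations, so only the burst against the second client is reported; tune `window` and `threshold` to the roaming behaviour of the monitored network.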
It is noteworthy that the researchers discovered Kr00k while they were “KRACKing Amazon Echo”. The KRACK vulnerabilities were uncovered in 2017, when researchers engineered a dangerous exploit called the Krack Attack that makes it possible for malicious users to eavesdrop on Wi-Fi traffic between computers and other network devices such as routers and access points.
Even two years after the vulnerabilities were disclosed, many Wi-Fi-enabled devices were still vulnerable, including multiple Amazon devices such as the widely adopted Amazon Echo and Amazon Kindle. The enormous user base of these devices made this a serious security threat.
ESET later discovered that “while the second generation Amazon Echo was not affected by the original KRACK attacks, it was vulnerable to one of the KRACK variants, specifically: PTK reinstallation in 4-way handshake when STA uses Temporal PTK construction, random Anonce.”
The researchers reported this flaw to Amazon and discovered that the culprit was the Cypress WLAN chip used in the second generation of Echo devices. That Cypress WLAN chip was vulnerable to the bug the researchers later named Kr00k.
They also believe that the KRACK testing scripts revealed it by triggering a disassociation. “It should be noted that encryption with an all-zero TK can have a number of causes – Kr00k is just one of them, although a very significant one, due to the widespread distribution of the vulnerable Broadcom and Cypress chips,” the experts said in their report.
Cisco Currently Investigating the Impact of Kr00k in Its Products
One of the latest pieces of news regarding this vulnerability is that Cisco is currently assessing the impact of the vulnerability on its own products, since the company uses Broadcom chips across its product portfolio. It appears that many of the company’s devices are affected: a multitude of grid and Power over Ethernet (PoE) routers, firewall products, IP phones, and access point systems.
Cisco is also checking the state of the Cisco DX70, DX80, and DX650 IP phones running on Android firmware, as well as the Cisco IP Phone 8861. Patches are yet to be developed.