A vulnerability has been identified in Wi-Fi chips manufactured by Broadcom and Cypress that are used in more than a billion devices, according to a paper recently published by ESET. Smartphones, tablets, laptops, and IoT devices are all affected, including Apple iPhones, iPads, and MacBooks; Samsung Galaxy and Google Nexus smartphones; Amazon Echo and Kindle; the Raspberry Pi 3; Asus and Huawei access points and routers; and many other IoT devices. ESET said the flaw is not restricted to the devices it tested, so many more devices, potentially billions, could be affected.
The flaw, tracked as CVE-2019-15126 and dubbed Kr00k because of its similarity to KRACK, breaks the encryption protecting WPA2-Personal and WPA2-Enterprise Wi-Fi traffic and would allow attackers to eavesdrop on Wi-Fi communications. The vulnerability is not in the WPA2-Personal and WPA2-Enterprise protocols themselves but in how encryption is implemented on the vulnerable chips: some wireless frames transmitted by a vulnerable device are encrypted with an all-zero key, so anyone who captures them can trivially decrypt them.
The vulnerability manifests after a Wi-Fi device disconnects from an access point (disassociation). “[After disassociation], the session key stored in the Wireless Network Interface Controller’s (WNIC) Wi-Fi chip is cleared in memory – set to zero. This is expected behavior, as no further data is supposed to be transmitted after the disassociation,” explained ESET. “However, we discovered that all data frames that were left in the chip’s transmit buffer were transmitted after being encrypted with this all-zero key.” Because the key is all zeros, and therefore known to everyone, those frames offer no real protection: an eavesdropper can decrypt them and recover their contents in plain text.
In an attack scenario, an attacker in close proximity to a vulnerable device could trigger repeated disassociations by sending specially crafted management frames, then capture the data left in the transmit buffer, which could include sensitive data carried in DNS, ARP, ICMP, HTTP, TCP, and TLS packets. Attacking a vulnerable access point or router would also expose some of the traffic sent through it by client devices that are not themselves vulnerable to Kr00k. Up to 32 KB of data, around 20,000 words, could be captured each time.
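The practical consequence of the all-zero key is that a defender can test captured traffic for Kr00k leakage directly: a CCMP data frame whose MIC verifies under the zero temporal key was encrypted with no real key at all. The check below is an added example, not code from ESET's paper or from this article; it uses the `cryptography` package, and the frame header addresses, packet numbers, payload and stand-in session key are all constructed for the demonstration.

```python
from typing import Optional
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

ZERO_TK = bytes(16)   # the all-zero temporal key a Kr00k-affected chip encrypts with
MIC_LEN = 8           # CCMP MIC length in bytes

# Constructed 24-byte 802.11 data header: FC = Data, ToDS, Protected; A1 = BSSID,
# A2 = transmitting station, A3 = destination; SC = seq 1, frag 0.
# The addresses are made-up, locally administered values.
HDR = (bytes.fromhex("08410000") + bytes.fromhex("02000000aa01")
       + bytes.fromhex("02000000bb02") + bytes.fromhex("02000000cc03")
       + bytes.fromhex("1000"))

def ccmp_nonce_and_aad(hdr, pn6):
    """CCMP nonce (13 bytes) and AAD for a non-QoS, 3-address data MPDU.
    pn6 is the 48-bit packet number, most significant byte first."""
    fc, sc = bytearray(hdr[0:2]), bytearray(hdr[22:24])
    a1, a2, a3 = hdr[4:10], hdr[10:16], hdr[16:22]
    nonce = b"\x00" + a2 + pn6               # priority | A2 | PN
    fc[0] &= 0x8F                            # mask the data Subtype bits
    fc[1] = (fc[1] & 0xC7) | 0x40            # mask Retry/PwrMgt/MoreData, force Protected
    sc[0] &= 0x0F                            # keep the fragment number ...
    sc[1] = 0                                # ... and mask the sequence number
    return nonce, bytes(fc) + a1 + a2 + a3 + bytes(sc)

def build_ccmp_frame(tk, hdr, pn, plaintext):
    """Encrypt plaintext as header | CCMP header | ciphertext | MIC (used to construct samples)."""
    nonce, aad = ccmp_nonce_and_aad(hdr, pn.to_bytes(6, "big"))
    ct_mic = AESCCM(tk, tag_length=MIC_LEN).encrypt(nonce, plaintext, aad)
    p = pn.to_bytes(6, "little")             # PN0 .. PN5
    ccmp_hdr = p[0:2] + b"\x00\x20" + p[2:6]  # PN0 PN1 rsvd KeyID|ExtIV PN2 PN3 PN4 PN5
    return hdr + ccmp_hdr + ct_mic

def decrypt_with_zero_key(frame) -> Optional[bytes]:
    """Plaintext if the MPDU's MIC verifies under the all-zero TK, else None."""
    hdr, c, body = frame[:24], frame[24:32], frame[32:]
    pn6 = bytes([c[7], c[6], c[5], c[4], c[1], c[0]])
    nonce, aad = ccmp_nonce_and_aad(hdr, pn6)
    try:
        return AESCCM(ZERO_TK, tag_length=MIC_LEN).decrypt(nonce, body, aad)
    except InvalidTag:
        return None

def kr00k_leaked(frame) -> bool:
    """True when a captured frame decrypts under the zero key, i.e. Kr00k leakage."""
    return decrypt_with_zero_key(frame) is not None

# Constructed samples: an LLC/SNAP-wrapped payload sent once under a stand-in session
# key and once under the zero key, as a chip would after its session key was cleared.
PAYLOAD = bytes.fromhex("aaaa030000000800") + b"GET / HTTP/1.1\r\n"
REAL_TK = bytes(range(16))                   # stand-in session key, not a real secret
NORMAL_FRAME = build_ccmp_frame(REAL_TK, HDR, 0x2A, PAYLOAD)
LEAKED_FRAME = build_ccmp_frame(ZERO_TK, HDR, 0x2B, PAYLOAD)

if __name__ == "__main__":
    print("normal frame leaks:", kr00k_leaked(NORMAL_FRAME))          # False
    print("post-disassociation frame leaks:", kr00k_leaked(LEAKED_FRAME))  # True
```

Run over the data frames of a capture, this flags every frame a vulnerable chip sent after its key was zeroed; a healthy device never produces a frame that passes this check.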
What could be captured depends on what the user is doing at the time and what data is being sent over Wi-Fi; it could include credit card details and passwords.
ESET disclosed the bug to Broadcom and Cypress last year so that they could create firmware updates to fix the flaw, and also notified major device manufacturers so that they could develop software and firmware updates. Manufacturers including Apple have already started rolling out updates to correct the flaw.