In what is being considered a significant oversight by Broadcom and Cypress, a serious vulnerability has been found in their hardware. It has been dubbed “Kr00k.”
A team of researchers from ESET has found a security flaw that affects Wi-Fi hardware manufactured by Broadcom and Cypress. The flaw has been dubbed Kr00k, and it is poised to have a negative impact on the IT market. The defective hardware is already in use in at least a billion devices all over the world, across a vast catalog of Internet-connected products.
Kr00k is tracked as CVE-2019-15126. According to ESET, the flaw can be used by attackers to decrypt traffic on wireless networks and from the devices using them. According to the researchers, the affected devices end up using all-zero encryption to secure communication. The attack is carried out over the air, against transmitted signals, and can modify data packets.
Kr00k is closely related to the KRACK issue found back in 2017. That weakness left any smart device open to key reinstallation attacks on WPA2 Wi-Fi networks. The team at ESET discovered Kr00k during a fresh analysis of the KRACK issue. Given the complexity of the flaw, it is safe to say it was not on the manufacturers' radar at all.
To offer context about Kr00k, ESET has stated that the flaw can be exploited by attackers even if the victim is not connected to a wireless network. WPA2-AES-CCMP encryption becomes an open book for any potential attacker who is looking for open networks. The possible attacks range from data theft to forced, involuntary shutdowns of the systems on the user's end.
All of this happens through disassociation. After a WLAN session has been started and then ends, the key stored in the WNIC controller is cleared, as the Wi-Fi chip's memory is set back to zeroes. This is standard behaviour, since no further data should be going through the device. The issue is not in the encryption protocol itself; it is in the way the hardware implements the encryption. Communication protected by TLS cannot be recovered through this flaw. The good news is that the issue does not affect WPA3.
The attack becomes possible when a disconnection is forced on any smart device using a wireless network. The Wi-Fi chip clears the session key and sets it back to zero. After that, the chip transmits the data frames still held in its buffer, encrypted with this all-zero key. An attacker near the network could force repeated disassociations by sending packets, in order to capture those data frames.
ESET also described the process as best they could, explaining how they discovered that all the data frames in the chip's transmission buffer were sent after being encrypted with the zero key. When the disassociation happens, the data frames can be captured by an outside party and decrypted. The data sent could contain sensitive information from the user's network. This can happen even if the attacker is not connected to the same WLAN as the user.
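Because the exploitation path described in the two paragraphs above depends on forcing a client to disassociate repeatedly, a burst of disassociation frames aimed at one station is a signal a wireless IDS can look for. The following Python is an added example, not ESET's code or anything from the article: it parses minimal 802.11 management-frame headers and flags stations that receive several disassociations within a short window, using constructed sample frames (the MAC addresses, timestamps and the 2-second / 3-frame thresholds are assumed values).

```python
import struct
from collections import defaultdict
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0A, 0x0C  # IEEE 802.11 management subtypes (type 0)

def build_mgmt_frame(subtype, da, sa, bssid, reason, seq):
    """Minimal management frame: 24-byte header plus a 2-byte reason-code body."""
    frame_control = struct.pack("<H", subtype << 4)  # protocol version 0, type 0 (management)
    seq_ctrl = struct.pack("<H", seq << 4)
    return frame_control + b"\x00\x00" + da + sa + bssid + seq_ctrl + struct.pack("<H", reason)

def parse_mgmt_frame(raw):
    """Header fields of a management frame, or None for any other frame type."""
    if len(raw) < 24:
        return None
    fc = struct.unpack_from("<H", raw, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0:
        return None
    reason = struct.unpack_from("<H", raw, 24)[0] if len(raw) >= 26 else None
    return {"subtype": subtype, "da": raw[4:10].hex(":"), "sa": raw[10:16].hex(":"),
            "bssid": raw[16:22].hex(":"), "reason": reason}

def find_disassoc_bursts(events, window=2.0, threshold=3):
    """Map each station to the largest run of disassociations it received within `window` s."""
    per_station = defaultdict(list)
    for ts, raw in events:  # events are (timestamp_seconds, raw_frame) pairs
        hdr = parse_mgmt_frame(raw)
        if hdr and hdr["subtype"] == SUBTYPE_DISASSOC:
            per_station[hdr["da"]].append(ts)
    alerts = {}
    for station, times in per_station.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:  # only runs reaching the threshold are reported
                alerts[station] = max(alerts.get(station, 0), end - start + 1)
    return alerts

# Constructed sample traffic (not a real capture): one client hit by a burst of
# disassociations, one client receiving a single deauthentication, and one data frame.
AP, VICTIM, OTHER = (bytes.fromhex(h) for h in ("02aabbcc0001", "02ddeeff0002", "02ddeeff0003"))
SAMPLE_EVENTS = [
    (0.0, build_mgmt_frame(SUBTYPE_DISASSOC, VICTIM, AP, AP, 8, 1)),
    (0.4, build_mgmt_frame(SUBTYPE_DISASSOC, VICTIM, AP, AP, 8, 2)),
    (0.9, build_mgmt_frame(SUBTYPE_DISASSOC, VICTIM, AP, AP, 8, 3)),
    (5.0, build_mgmt_frame(SUBTYPE_DEAUTH, OTHER, AP, AP, 3, 5)),
    (9.0, b"\x08\x00" + b"\x00" * 22 + b"data"),  # data frame (type 2), ignored
]
```

Calling `find_disassoc_bursts(SAMPLE_EVENTS)` on the constructed events returns `{'02:dd:ee:ff:00:02': 3}`: only the station that received three disassociations inside two seconds is reported, while the lone deauthentication and the data frame are ignored.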
The cybersecurity team at ESET has shared their results with Broadcom and Cypress, since the two companies make hardware for many big names in the industry, such as Apple, Samsung, Raspberry, and Xiaomi. Many of these companies have already implemented an upgraded version of the chip to avoid future issues.