Kr00k vulnerability


New Kr00k vulnerability enables attackers decrypt WiFi packets

By Paul Rummery, Securenet Consulting

Researchers ESET discovered new Wi-Fi communications vulnerability. Kr00kformally known as CVE-2019-15126 – is a vulnerability in Broadcom and Cypress Wi-Fi radio chips that allows unauthorised decryption of some WPA2-encrypted traffic.

This vulnerability affects billions of unpatched devices that use these chipsets, including Amazon Echos and Kindles, Apple iPhones and iPads, Samsung Galaxy devices and many more. Additionally, this vulnerability affects the radios in many access points.

Do not panic as patches should now be available

This vulnerability is classified as low-risk and firmware patches will address the problem.


What is it?

The vulnerability can be exploited during a MAC-level process known as disassociation, which is the very short window of time when a client and AP terminate a Wi-Fi connection between the two devices. During disassociation of the Wi-Fi client, encryption keys are deleted immediately and replaced by an all-zeros key. The hardware does not accept further Wi-Fi traffic for transmission, but traffic already in the transmission queue is not flushed immediately. For a brief instance, frames already buffered in the hardware transmit queue will be encrypted using the all-zeros key and then transmitted. An attacker monitoring this transmission could decrypt a few frames. In other words, the worst-case scenario is that only a few frames are decrypted, so the risk of exposure of any vital information is minimal. However, a black-hat attacker could gain access to several kilobytes of sensitive data, especially if the attacker initiated the disassociation process repeatedly.

Also, Kr00k is not tied to either an 802.1X or PSK password. Therefore, the vulnerability does not affect password security, and changing it does not hamper the ability of attackers trying to exploit the vulnerability. Also, be aware that implementing management frame protection (MFP) does not prevent this attack. The resolution is a firmware patch. Full details about Kr00k are available from ESET at https://www.eset.com/int/kr00k/

Also see RSA conference 2020 presentation video https://youtu.be/_40E6WRMRyE