New Kr00k vulnerability enables attackers to decrypt Wi-Fi packets
Researchers at ESET have discovered a new Wi-Fi communications vulnerability. Kr00k, formally tracked as CVE-2019-15126, is a vulnerability in Broadcom and Cypress Wi-Fi radio chips that allows unauthorised decryption of some WPA2-encrypted traffic.
This vulnerability affects over a billion unpatched devices that use these chipsets, including Amazon Echos and Kindles, Apple iPhones and iPads, Samsung Galaxy devices and many more. It also affects the radios in many access points, so a patched client talking to an unpatched AP is still exposed for the frames the AP sends.
Do not panic: patches should now be available. The vulnerability is classified as low-risk, and firmware patches address the problem.
What is it?
The vulnerability can be exploited during a MAC-level process known as disassociation, the very short window of time in which a client and an AP terminate the Wi-Fi connection between them. When a vulnerable chip disassociates, the session encryption key (the temporal key, TK) is deleted immediately and replaced by an all-zeros key. The hardware accepts no further frames for transmission, but frames already sitting in the hardware transmit queue are not flushed. For a brief instant, those buffered frames are encrypted with the all-zeros key and then transmitted. An attacker passively monitoring the channel can decrypt exactly those frames, because the only secret they depend on is now a known constant; everything else CCMP needs (transmitter address and packet number) is sent in the clear in the frame header.
In other words, a single disassociation exposes only the few frames that happened to be queued at that moment, so the risk to any one piece of data is minimal. However, disassociation can be triggered repeatedly, and an attacker who does so can accumulate several kilobytes of potentially sensitive data over time. Note that this exposes only the Wi-Fi layer: traffic that is also protected at a higher layer (TLS, for example) is not readable even once the frames are decrypted.
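The sequencing described above, as an added toy model (not ESET's proof of concept, nor any vendor's firmware): a client radio with a key slot, a packet-number counter and a hardware transmit queue. The chip class, all names, the sample frames and the cipher are assumptions for the demo. Real CCMP is AES-128 in CTR mode plus an AES CBC-MAC over a 13-byte nonce (priority, transmitter MAC, 48-bit PN); here HMAC-SHA256 in counter mode stands in for both so the block runs on the standard library alone. What is faithful is the order of events: the key is overwritten with zeros on disassociation while frames are still buffered, and a passive attacker who tries the all-zeros key on every sniffed frame can tell from the MIC which frames it fits.

```python
"""Toy model of the Kr00k transmit path (illustration added to this article; the
chip model, names, sample traffic and cipher stand-in are all assumptions)."""
import hashlib
import hmac
from collections import deque

ZERO_TK = bytes(16)   # all-zeros temporal key installed on disassociation
MIC_LEN = 8           # CCMP MIC is 8 bytes


def ccmp_nonce(priority: int, transmitter: bytes, pn: int) -> bytes:
    """13-byte CCMP nonce; every field is visible on the air (QoS TID, A2, PN)."""
    return bytes([priority & 0x0F]) + transmitter + pn.to_bytes(6, "big")


def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR (counter starts at 1; block 0 is reserved for the MIC)."""
    out, ctr = bytearray(), 1
    while len(out) < length:
        out += hmac.new(tk, nonce + ctr.to_bytes(2, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def mic(tk: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the CBC-MAC; lets a receiver (or an attacker) confirm a key guess."""
    return hmac.new(tk, b"mic" + nonce + plaintext, hashlib.sha256).digest()[:MIC_LEN]


def ccmp_encrypt(tk: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(tk, nonce, len(plaintext))
    return bytes(a ^ b for a, b in zip(plaintext, ks)) + mic(tk, nonce, plaintext)


def ccmp_decrypt(tk: bytes, nonce: bytes, frame: bytes):
    """Returns the plaintext if the MIC verifies under tk, else None."""
    body, tag = frame[:-MIC_LEN], frame[-MIC_LEN:]
    pt = bytes(a ^ b for a, b in zip(body, keystream(tk, nonce, len(body))))
    return pt if hmac.compare_digest(tag, mic(tk, nonce, pt)) else None


class WifiChip:
    """Minimal client radio: key slot, PN counter, hardware TX queue (assumed model)."""

    def __init__(self, mac: bytes, tk: bytes, flush_queue_before_key_clear: bool):
        self.mac, self.tk, self.pn = mac, tk, 0
        self.txq = deque()
        self.associated = True
        self.flush_queue_before_key_clear = flush_queue_before_key_clear
        self.air = []   # (nonce, ciphertext) pairs a passive sniffer would capture

    def queue(self, payload: bytes) -> None:
        if self.associated:          # hardware accepts new frames only while associated
            self.txq.append(payload)

    def disassociate(self) -> None:
        if self.flush_queue_before_key_clear:
            self.txq.clear()         # modelled fix: buffered frames must not outlive the key
        self.associated = False
        self.tk = ZERO_TK            # the Kr00k behaviour: key zeroed, queue left alone

    def pump(self) -> None:
        """Drain the TX queue with whatever key is installed right now."""
        while self.txq:
            self.pn += 1
            nonce = ccmp_nonce(0, self.mac, self.pn)
            self.air.append((nonce, ccmp_encrypt(self.tk, nonce, self.txq.popleft())))


def attacker_recover(air):
    """Passive attacker: try the all-zeros TK on every sniffed frame, keep the ones that verify."""
    recovered = []
    for nonce, ct in air:
        pt = ccmp_decrypt(ZERO_TK, nonce, ct)
        if pt is not None:
            recovered.append(pt)
    return recovered


# Constructed sample traffic for the demo (not a real capture).
SAMPLE_TK = hashlib.sha256(b"constructed pairwise key").digest()[:16]
SAMPLE_FRAMES = [b"GET /inbox HTTP/1.1", b"Cookie: session=7f3a9c", b"POST /transfer amt=500"]


def run_scenario(flush_queue_before_key_clear: bool):
    """Returns (frames seen on air, frames the attacker recovered with the zero key)."""
    chip = WifiChip(bytes.fromhex("020000000001"), SAMPLE_TK, flush_queue_before_key_clear)
    chip.queue(SAMPLE_FRAMES[0])
    chip.pump()                          # one frame leaves under the real key
    for frame in SAMPLE_FRAMES[1:]:
        chip.queue(frame)                # two frames are still buffered...
    chip.disassociate()                  # ...when the key is zeroed
    chip.pump()                          # buffered frames drain under the zero key
    chip.queue(b"late frame")            # dropped: chip is no longer associated
    return len(chip.air), attacker_recover(chip.air)


if __name__ == "__main__":
    print("vulnerable chip:", run_scenario(False))
    print("patched chip:   ", run_scenario(True))
```

Running it shows the vulnerable chip putting three frames on the air, of which the attacker recovers the two that were queued at the moment of disassociation and nothing from the frame sent under the real key; the patched model (flush before clearing the key) sends only the first frame and leaks nothing. The modelled fix is one reasonable way a firmware could close the window; the actual vendor patches are not public in this article and may work differently.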
Also, Kr00k does not depend on the Wi-Fi password, whether the network uses WPA2-Personal (PSK) or WPA2-Enterprise (802.1X): the attacker never needs the password, so password security is unaffected, and changing it does nothing to hamper an attacker exploiting the vulnerability. Be aware, too, that enabling management frame protection (MFP) does not prevent this attack; disassociation also happens for reasons an attacker can induce without forging a disassociation frame, and occurs naturally on signal loss. The only resolution is a firmware patch for the affected chip, delivered for clients through the device's OS or driver updates and for access points through the vendor's firmware updates. Full details about Kr00k are available from ESET at
https://www.eset.com/int/kr00k/
See also the RSA Conference 2020 presentation video:
https://youtu.be/_40E6WRMRyE