At the RSA security conference, security researchers announced that there is a Wi-Fi vulnerability that affects billions of devices. This vulnerability allows nearby attackers to decrypt sensitive data that are sent over the air.
Eset, the security company that discovered vulnerability, named it Kr00k and it is tracked as CVE-2019-15126. Kr00k affects the Wi-Fi chips made by Cypress Semiconductor and Broadcom. FullMAC WLAN chips from both companies are especially affected according to Eset. These chips are used in billions of devices and some of the devices include the following:
- Apple Macs
- Amazon Echos
- Amazone Kindles
- Android devices
- Raspberry Pi 3
- Wi-Fi routers from Asus and Huawei
Most of the affected devices have patches made available by manufacturers but it is not clear how many of them installed the patches. Routers have the biggest concern because they often go unpatched indefinitely.
How does the vulnerability work?
When a wireless device disassociate from a wireless access point, unsent data frames will be placed in a transmit buffer and then sent over the air. Kr00k exploits this weakness. If either the device or the wireless access point has the flaw, these data frames will be encrypted with a key consisting of all zeroes instead of the session key negotiated earlier by the wireless device and the wireless access point. The use of a key consisting of all zeroes to encrypt data is equivalent to having no key.
The following diagram from ArsTechnica shows what would happen when a device disassociate from a wireless access point if either one is vulnerable.
A disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable device or access point can easily trigger this vulnerability by sending disassociation frames since they are not authenticated. From there, hackers could then capture and decrypt the transmitted data. They could trigger multiple disassociation to improve their chance of obtaining useful data.
The following diagram from ArsTechnica shows how the attack would happen.
What are the devices affected?
Eset researchers identified a variety of mobile devices that are vulnerable, including:
- Amazon Echo 2nd gen
- Amazon Kindle 8th gen
- Apple iPad mini 2
- Apple iPhone 6, 6S, 8, XR
- Apple MacBook Air Retina 13-inch 2018
- Google Nexus 5
- Google Nexus 6
- Google Nexus 6S
- Raspberry Pi 3
- Samsung Galaxy S4 GT-I9505
- Samsung Galaxy S8
- Xiaomi Redmi 3S
In addition, the following routers are also vulnerable:
- Asus RT-N12
- Huawei B612S-25d
- Huawei EchoLife HG8245H
- Huawei E5577Cs-321
The researchers also tested Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink, and Mediatek and did not find any evident of them being vulnerable. However, since it was impossible to test all devices, it is possible that other devices using Cypress and Broadcom chips are affected.
For Apple, the vulnerabilities were patched in October 2019 as part of macOS Catalina 10.15.1, Security Update 2019-001 for macOS Mojave, Security Update 2019-006 for macOS High Sierra, iOS 13.2 and iPadOS 13.2 More information on the patches could be found here for macOS and here for iOS and iPadOS.
Amazon also state that Amazon Echo and Kindle devices listed in the security research have received automatic security update over the internet in a separate statement to ArsTechnica.