ESET researchers have discovered a previously unknown vulnerability, assigned the identifier “CVE-2019-15126”, which affects Wi-Fi chips made by Broadcom and Cypress. The serious flaw has been named “Kr00k”, and it concerns the encryption used by Wi-Fi devices and how an attacker can cause them to use an all-zero key. This enables the actor to decrypt the wireless network packets that are transmitted, which opens up multiple possible exploitation paths. Since Broadcom and Cypress make the vast majority of Wi-Fi chips on the market, Kr00k affects a wide range of devices such as smartphones, laptops, tablets, IoT devices, and more.
ESET researchers have tested and confirmed that the following devices are vulnerable to Kr00k:
The above are listed only indicatively, to illustrate the range of devices that are affected. Broadcom and Cypress have already released updates that address the discovered vulnerability, and the majority of the affected manufacturers have delivered them to end users, so the disclosure can be made now. If you have put off installing pending updates for some time, you should install them immediately.
A “Kr00k” attack begins with the actor getting in range of the vulnerable Wi-Fi-enabled device and triggering a disassociation (a disconnection from a WPA2 Wi-Fi access point). While in this state, the device uses an “all-zero” 128-bit temporal key (TK), so the attacker can capture and easily decrypt some of the data packets that the unpatched chip still transmits. No Wi-Fi password is required for this, so changing it won’t protect you from Kr00k attacks.
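Because the attack is triggered by disassociation, a burst of disassociation or deauthentication frames aimed at one client is the most visible signal a defender has; the decryption itself is passive and leaves no trace on the air. The following detector is an added example, not ESET’s code or any vendor’s: it assumes a monitor-mode capture has been exported into a constructed text format of `<ISO timestamp> <subtype> <src MAC> <dst MAC>` records, and it flags any source/destination pair that sees a threshold number of disconnect frames inside a sliding time window.

```python
"""Detect bursts of 802.11 disassociation/deauthentication frames.

Added example (not ESET's code). The log format is a constructed one:
'<ISO timestamp> <subtype> <src MAC> <dst MAC>' per line, as a WIDS or
a capture-export script might produce it.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: client ...:01 associates normally, then receives a
# burst of disassociation frames apparently from its AP, while client
# ...:02 sees a single disassociation, which is normal roaming behaviour.
SAMPLE_LOG = """\
2020-02-26T10:00:00.000 assoc_resp 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
2020-02-26T10:00:01.000 data 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
2020-02-26T10:02:15.000 disassoc 00:11:22:33:44:55 aa:bb:cc:dd:ee:02
2020-02-26T10:03:30.000 disassoc 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
2020-02-26T10:03:30.250 disassoc 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
2020-02-26T10:03:30.500 disassoc 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
2020-02-26T10:03:30.750 disassoc 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
2020-02-26T10:03:31.000 disassoc 00:11:22:33:44:55 aa:bb:cc:dd:ee:01
"""

# Management-frame subtypes that tear down an association.
DISCONNECT_SUBTYPES = {"disassoc", "deauth"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, subtype, src, dst) tuples."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, subtype, src, dst = line.split()
        frames.append((datetime.fromisoformat(ts), subtype, src.lower(), dst.lower()))
    return frames


def detect_disconnect_bursts(frames, threshold=4, window=timedelta(seconds=10)):
    """Return one alert per (src, dst) pair that sees at least `threshold`
    disconnect frames within any sliding window of length `window`."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps of recent disconnects
    alerted = set()
    alerts = []
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": src, "dst": dst, "count": len(q),
                "first": q[0].isoformat(), "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_disconnect_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT disconnect burst {alert['src']} -> {alert['dst']}: "
              f"{alert['count']} frames between {alert['first']} and {alert['last']}")
```

A single disassociation is ordinary (clients roam, access points rebalance), so the rule deliberately keys on repetition within a short window; the threshold and window are tunable per environment. The alert tells you that something is forcing clients off the network, which is the precondition Kr00k needs, not that decryption has taken place.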
To further complicate things, Kr00k unfortunately also affects Wi-Fi access points. This means that even if you patch your smartphone or tablet, you remain vulnerable to Kr00k attacks as long as the access point is unpatched. ESET tested the following four access points and found them to be vulnerable to the flaw:
To clarify, Kr00k helps attackers in the sense that it unlocks your Wi-Fi network and partially strips away its encryption. It doesn’t directly compromise your internet browsing data, such as email and online banking passwords. These are still protected by TLS encryption, but Kr00k brings malicious actors one step closer to them. Finally, ESET reports that Kr00k concerns WPA2 Personal and Enterprise networks that use AES-CCMP encryption. Devices using the more recent WPA3 protocol aren’t affected by this vulnerability.