A flaw in billions of Wi-Fi devices allows data to be intercepted, but don't worry


ESET researchers say that more than a billion devices worldwide may be affected by a Wi-Fi vulnerability called "Kr00k", which allows an attacker to decrypt sensitive information.

At first glance the problem seems very serious, and indeed it is, even if there are "distinctions" to be made. First of all, the problem affects only Wi-Fi chips from Cypress Semiconductor and Broadcom: according to ESET researchers, solutions from Qualcomm, Realtek, Mediatek and Ralink do not appear to have the flaw.

Second, the Kr00k bug only affects Wi-Fi connections that use the WPA2-Personal or WPA2-Enterprise security protocols with AES-CCMP encryption. This means that by using the new WPA3 authentication protocol you are safe.

Thirdly, ESET has worked in recent months with the various companies involved on responsible disclosure, so several devices have already been updated to address the vulnerability. Apple, for example, is one of the companies that acted most quickly, updating iOS, iPadOS and macOS last October.

The problem is that this may not be enough, because if a router or access point has not been updated (a firmware update may be required), client devices are still potentially at risk.


"This leads to scenarios in which client devices that are not exposed – because they are patched or use a different unsuccessful Wi-Fi chip – can be connected to a vulnerable access point," said the developers. "The attack surface is significantly larger, as an attacker can decode the data that has been transmitted from a vulnerable access point to a specific client (which may be vulnerable)."

The Kr00k flaw (CVE-2019-15126) affects products such as the second generation Amazon Echo, the eighth generation Kindle, the Google Nexus 5, 6 and 6S smartphones, the Samsung Galaxy S4 (GT-I9505) and S8, the Xiaomi Redmi 3S and even the Raspberry Pi 3 development board. These are obviously just some of the products tested by the researchers. On the Apple front, products such as the iPad mini 2, the iPhone 6, 6S, 8, XR and the 2018 13-inch MacBook Air Retina were also found to be affected.

However, many more products could be involved, including some Asus and Huawei Wi-Fi routers. Further details and models can be found on the dedicated website set up by ESET.

The Kr00k attack exploits a vulnerability that occurs when devices are disassociated from a wireless access point. If the device or access point is vulnerable, any fragment of unsent data is placed in a transmission buffer and then sent later.


The problem is that instead of encrypting this data with the previously negotiated session key used during a normal connection, vulnerable devices use a key made up of all zeros, which simplifies decryption.

Disassociation typically occurs when a client device switches from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Attackers within range of a vulnerable client device or access point can easily trigger disassociations by sending so-called management frames, which are not encrypted and require no authentication. This lack of security allows an attacker to create management frames that manually trigger a disassociation.

With forced disassociation, vulnerable devices will typically transmit several kilobytes of data that are encrypted with an all-zero session key. The attacker can then capture and decipher the data. ESET researcher Robert Lipovsky told Ars Technica that attackers can trigger multiple disassociations to increase the chances of obtaining useful data.
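Because repeated forced disassociations are the visible part of this attack, a wireless monitor can watch for them. The following Python sketch is an added example, not code from ESET or from this article: it counts teardown frames per station pair in a sliding window over a constructed capture summary. The MAC addresses, the window and threshold values, and the choice to count deauthentication frames alongside disassociation frames are assumptions.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes that tear down an association.
DISASSOCIATION, DEAUTHENTICATION = 10, 12
BEACON = 8

AP = "02:00:00:00:00:01"        # constructed addresses, not from any real capture
CLIENT_A = "02:00:00:00:00:aa"
CLIENT_B = "02:00:00:00:00:bb"

# Constructed capture summary: (seconds, subtype, transmitter, receiver).
SAMPLE_FRAMES = [
    (0.5, BEACON, AP, "ff:ff:ff:ff:ff:ff"),
    (1.0, DISASSOCIATION, AP, CLIENT_A),
    (2.0, DISASSOCIATION, AP, CLIENT_B),      # single event, e.g. roaming
    (3.5, DEAUTHENTICATION, CLIENT_A, AP),
    (6.0, DISASSOCIATION, AP, CLIENT_A),
    (8.2, DISASSOCIATION, AP, CLIENT_A),
    (300.0, DISASSOCIATION, CLIENT_B, AP),    # far outside the window
]


def find_disassociation_bursts(frames, window=10.0, threshold=3):
    """Return {(mac, mac): peak_count} for station pairs that saw at least
    `threshold` teardown frames within `window` seconds (assumed values)."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in (DISASSOCIATION, DEAUTHENTICATION):
            continue
        # The source address is unauthenticated, so count per pair
        # regardless of which side the frame claims to come from.
        pair = tuple(sorted((src, dst)))
        times = recent[pair]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            alerts[pair] = max(alerts.get(pair, 0), len(times))
    return alerts


if __name__ == "__main__":
    for pair, count in find_disassociation_bursts(SAMPLE_FRAMES).items():
        print(f"{pair[0]} <-> {pair[1]}: {count} teardown frames in 10 s")
```

A single disassociation is normal when a client roams or loses signal, which is why the check alerts only on a burst for the same pair.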

What to do to "get safe"? Broadcom (which acquired Cypress in 2016) developed its own patches and released them to device manufacturers, who in turn had to implement them in their updates. Therefore the ball passes to the users, who must install the latest available updates.


Obviously this process leaves room for possible "flaws" (sorry for the pun). In fact, there is no guarantee that each manufacturer will release patches for all of its affected devices, nor that users will keep their devices updated.

