A billion iPhones, Galaxy phones, iPads and Kindles at risk from massive Kr00k Wi-Fi flaw


SAN FRANCISCO — Encryption is great for protecting data in transit, unless that data is encrypted in all zeroes. 

Unfortunately, that's exactly what a newly-revealed Wi-Fi chip vulnerability does, according to ESET researchers who disclosed the flaw today (Feb. 26) at the RSA Conference here. 

The vulnerability puts more than 1 billion consumer devices at risk, including Apple iPhones, iPads, and Macs, Amazon Echoes and Kindles, Samsung Galaxy phones and tablets, Raspberry Pi 3s, older Google Nexus phones, and some Wi-Fi routers made by Asus and Huawei. 

The ESET researchers have dubbed the flaw Kr00k (officially CVE-2019-15126) because of its similarities to the earlier Key Reinstallation Attack, often referred to as KRACK.

The vulnerability exists in Wi-Fi chips made by Broadcom and Cypress, which acquired Broadcom's Internet of Things division in 2016, and affects devices connecting with the nearly-ubiquitous WPA2 standard. 

Many device manufacturers have updated their software, so users should make sure their devices are updated to the latest possible versions. (Apple appears to have fixed the flaw with iOS 13.2 and macOS 10.15.1 Catalina.) However, it can sometimes be difficult to determine if a router, for example, has the latest firmware.

How the Kr00k attack works

In a successful attack exploiting the vulnerability, the targeted device — such as a smartphone — will be forced to disconnect from the Wi-Fi access point. 

When the device automatically reconnects, the last several kilobytes of data from the previous Wi-Fi session will be transmitted again, encrypted not with a complex, random encryption key, but with an easy-to-guess, all-zero encryption key. 

A hacker could use Kr00k to force a device to disconnect and reconnect repeatedly, forcing more data into the poorly-secured buffer. This would eventually provide enough data for the hacker to be able to bypass the Wi-Fi network's encryption key, and then be able to read data coming from other users on the same Wi-Fi network. 
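The attack described above depends on the target being knocked off the access point over and over. A defender cannot see the all-zero key on the air, but a wireless monitoring point that logs 802.11 management frames can see the repeated disassociation and deauthentication frames the attack relies on. The script below is an added example, not code from the article or from ESET: it scans constructed log lines in a hypothetical monitor format and flags any client that receives an unusual number of disconnect frames inside a short window.

```python
"""Flag clients hit by bursts of Wi-Fi disconnect frames.

Added example (not from the article or ESET). The log format is hypothetical:
"<ISO timestamp> <frame subtype> bssid=<AP MAC> sta=<client MAC> [reason=<code>]".
A burst of disassoc/deauth frames aimed at one station is the footprint a
Kr00k-style forced-disconnect attack leaves in management-frame logs.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines: one client is disconnected four times in
# under 20 seconds, another sees a single, unremarkable disassociation.
SAMPLE_LOG = """\
2020-02-26T10:00:01 data bssid=aa:bb:cc:dd:ee:01 sta=11:22:33:44:55:66
2020-02-26T10:00:05 disassoc bssid=aa:bb:cc:dd:ee:01 sta=11:22:33:44:55:66 reason=8
2020-02-26T10:00:06 assoc bssid=aa:bb:cc:dd:ee:01 sta=11:22:33:44:55:66
2020-02-26T10:00:09 disassoc bssid=aa:bb:cc:dd:ee:01 sta=11:22:33:44:55:66 reason=8
2020-02-26T10:00:10 assoc bssid=aa:bb:cc:dd:ee:01 sta=11:22:33:44:55:66
2020-02-26T10:00:13 disassoc bssid=aa:bb:cc:dd:ee:01 sta=11:22:33:44:55:66 reason=8
2020-02-26T10:00:14 assoc bssid=aa:bb:cc:dd:ee:01 sta=11:22:33:44:55:66
2020-02-26T10:00:17 deauth bssid=aa:bb:cc:dd:ee:01 sta=11:22:33:44:55:66 reason=7
2020-02-26T10:00:18 assoc bssid=aa:bb:cc:dd:ee:01 sta=11:22:33:44:55:66
2020-02-26T10:30:00 disassoc bssid=aa:bb:cc:dd:ee:01 sta=77:88:99:aa:bb:cc reason=3
"""

# Management-frame subtypes that end a client's session with the AP.
DISCONNECT_SUBTYPES = {"disassoc", "deauth"}


def parse_line(line):
    """Parse one log line into (timestamp, subtype, dict of key=value fields)."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    subtype = parts[1]
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, subtype, fields


def find_disconnect_bursts(log_text, window_seconds=60, threshold=3):
    """Return {station MAC: peak disconnect count} for stations that reach
    `threshold` disconnect frames within any `window_seconds` span.

    A per-station sliding window (deque of timestamps) keeps this linear in
    the number of log lines.
    """
    windows = defaultdict(deque)
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, subtype, fields = parse_line(raw)
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        sta = fields["sta"]
        q = windows[sta]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[sta] = max(alerts.get(sta, 0), len(q))
    return alerts


if __name__ == "__main__":
    for sta, n in find_disconnect_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {sta} received {n} disconnect frames within 60s; "
              "investigate for forced-disconnect activity")
```

Running the script prints one alert for the station that was disconnected four times; the second station, with a single disassociation half an hour later, stays below the threshold. Legitimate roaming and a flaky access point also produce disconnect frames, so tune the window and threshold to the environment and treat a hit as a prompt to investigate (and to confirm the affected devices are patched), not as proof of exploitation.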

ESET researchers have spent more than a year researching the vulnerability and ensuring that manufacturers using the Broadcom and Cypress chips had developed and released patches for it. This includes Amazon and Apple, but patching the vast number of affected devices is complicated.

How dangerous is the Kr00k attack?

Meanwhile, say ESET researchers, consumers remain exposed to what the researchers described as a relatively simple attack if the consumers haven't updated their devices with the latest patches. 

The risk of the exploit is considered to be relatively low because it requires the attacker to have physical proximity to the Wi-Fi router in order to force devices to disconnect from it. But that could be as simple as walking into a coffee shop and attacking the local network. 

The data put at risk in transit because of weakened encryption means that consumers should take patching their devices seriously, cautioned Robert Lipovský, senior malware researcher at ESET, and one of the primary Kr00k researchers.

“A hacker can get your username, password, session IDs, whatever is sent,” he said.

Part of the problem with relying on consumers to patch their own devices is that not all devices patch automatically. While it's considered a best practice to enable automatic updates, as Apple devices do by default, policies differ from one manufacturer to the next.

Lipovský recommends consumers manually check their devices and Wi-Fi routers to ensure they have the latest updates installed, since it’s hard to tell if the vulnerability is actively being exploited.

“There’s no way to know if it’s being exploited in the wild,” said Lipovský.

Seth Rosenblatt is editor-in-chief of The Parallax, which he founded in 2015 after eight years at CNET. Based in San Francisco, he also writes about connected technology and pop culture.