SAN FRANCISCO — A serious vulnerability in Wi-Fi chips has been discovered that affects billions of devices worldwide, according to researchers. It allows attackers to eavesdrop on Wi-Fi communications.
The bug (CVE-2019-15126) stems from the use of an all-zero encryption key in chips made by Broadcom and Cypress, according to researchers at ESET, which effectively leaves the affected data unencrypted. This breaks the WPA2-Personal and WPA2-Enterprise security protocols.
The vulnerable chips are found in smartphones, tablets and laptops (using Broadcom silicon) and in IoT gadgets (Cypress chips), including several generations of products from Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi). ESET also found the bug to be present in access points (APs) and routers by Asus and Huawei. In all, more than a billion devices are affected, researchers estimated.
ESET dubbed the vulnerability “KrØØk” to incorporate the zeros, and also because it’s related to the KRACK attack, a.k.a. Key Reinstallation Attacks, discovered in 2017. The KRACK approach was an industry-wide problem in the WPA and WPA2 protocols for securing Wi-Fi that could cause “complete loss of control over data,” according to ICS-CERT. It explained in an advisory at the time that KRACK “could allow an attacker to execute a ‘man-in-the-middle’ attack, enabling the attacker within radio range to replay, decrypt or spoof frames.”
According to ESET, “[it] found KrØØk to be one of the possible causes behind the ‘reinstallation’ of an all-zero encryption key, observed in tests for KRACK attacks. This followed our previous findings that Amazon Echo was vulnerable to KRACK,” researchers said in a writeup on the flaw, issued Wednesday at the RSA Conference 2020.
How KrØØk Works
In Wi-Fi, whenever a device connects to an access point (AP), that’s called an association. When it disconnects (for instance when a person roams from one Wi-Fi AP to another, experiences signal interference or turns off Wi-Fi on the device) this is called a disassociation.
“KrØØk manifests itself after a disassociation,” ESET researchers explained. “[Once disassociation happens], the session key stored in the Wireless Network Interface Controller’s (WNIC) Wi-Fi chip is cleared in memory – set to zero. This is expected behavior, as no further data is supposed to be transmitted after the disassociation. However, we discovered that all data frames that were left in the chip’s transmit buffer were transmitted after being encrypted with this all-zero key.” Because it uses all zeros, this “encryption” actually results in the data being decrypted and left in plain text.
The attack path is simple: associations and disassociations are governed by management frames, which are themselves unauthenticated and unencrypted, ESET explained. To exploit the bug, an adversary can trigger a disassociation manually by sending a crafted management frame, and will then be able to retrieve the plaintext information left in the buffer.
Speaking at a session on the findings at RSAC, ESET researcher Steve Vorencik said that KrØØk can expose up to 32KB of data at once, which is equivalent to around 20,000 words. An attacker can send a series of management frames to trigger the attack in an ongoing fashion and start collecting data, which could be passwords, credit card information or anything else the user may be sending to the internet over Wi-Fi.
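Because the attack depends on repeatedly forcing disassociations so the chip keeps flushing its buffer under the zeroed key, a wireless monitor can watch for exactly that pattern. The following is an added example, not code from ESET or the original article: a small burst detector over a constructed log of 802.11 management frames (the log format and MAC addresses are made up for the example).

```python
# Added example (not ESET's code): flag bursts of disassociation/deauthentication
# frames aimed at one station, the trigger KrØØk relies on. Every forced
# disassociation makes the chip flush buffered frames under the all-zero key,
# so a run of such frames against one client is worth an alert.
from collections import defaultdict, deque

# Constructed sample log: "<epoch_seconds> <frame_subtype> <src_mac> <dst_mac>"
SAMPLE_LOG = """\
1000.0 disassoc aa:aa:aa:aa:aa:aa 11:11:11:11:11:11
1000.5 data 11:11:11:11:11:11 aa:aa:aa:aa:aa:aa
1001.0 disassoc aa:aa:aa:aa:aa:aa 11:11:11:11:11:11
1001.7 disassoc aa:aa:aa:aa:aa:aa 11:11:11:11:11:11
1002.1 deauth aa:aa:aa:aa:aa:aa 11:11:11:11:11:11
1005.0 disassoc aa:aa:aa:aa:aa:aa 22:22:22:22:22:22
1060.0 disassoc aa:aa:aa:aa:aa:aa 22:22:22:22:22:22
"""

# Management frame subtypes that tear down an association.
TRIGGER_SUBTYPES = {"disassoc", "deauth"}


def parse_line(line):
    """Split one constructed log line into (timestamp, subtype, src, dst)."""
    ts, subtype, src, dst = line.split()
    return float(ts), subtype, src, dst


def find_disassoc_bursts(log_text, window_s=5.0, threshold=3):
    """Return [(dst_mac, first_ts, count), ...] for each (src, dst) pair that
    received at least `threshold` disassoc/deauth frames within `window_s`
    seconds. One alert per pair; a sliding deque holds recent timestamps."""
    recent = defaultdict(deque)
    alerts = []
    already_alerted = set()
    for line in log_text.splitlines():
        ts, subtype, src, dst = parse_line(line)
        if subtype not in TRIGGER_SUBTYPES:
            continue  # data and other management traffic is not a trigger
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()  # drop frames that fell out of the sliding window
        if len(q) >= threshold and key not in already_alerted:
            alerts.append((dst, q[0], len(q)))
            already_alerted.add(key)
    return alerts
```

A detector like this only raises the alarm; the remedy the article describes is the vendor firmware update, and 802.11w Protected Management Frames, where both sides support it, authenticates disassociation frames so they cannot be trivially forged.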
“Eavesdropping can be active or passive,” Vorencik said. “What they hear depends on the timing of what the user is doing. You could just wait for something interesting to crop up — and something always does.”
The attack can be magnified when a vulnerable AP is involved in the mix. For instance, listening to a smart home hub can retrieve any information sent between it and satellite devices such as a connected doorbell, smart thermostat or smart lights, or laptops, computers and mobile devices. ESET researchers explained that this then allows attackers to eavesdrop on even unaffected or already patched client devices.
“This greatly increases the scope of the attack,” explained Vorencik. “An attacker needs only to send a management frame to the AP and then can gain access to the whole environment.”
In a demo, Vorencik and fellow ESET researcher Robert Lipovsky showed that KrØØk could be used to retrieve passwords for non-vulnerable devices connected to a “KrØØk-ed” AP, allowing whole-home or whole-office pwning.
ESET responsibly disclosed the bug and allowed a 120-day grace period for Broadcom and Cypress to create firmware updates — and to give manufacturers time to use those to create OS updates, patches and firmware upgrades to roll out to end users. Fixes have been released by major manufacturers, according to ESET, and users will need to update their devices in order to ensure that communications from their Wi-Fi devices can’t be easily hacked and eavesdropped upon.
The total of more than a billion affected devices is “a conservative estimate,” according to ESET’s paper, because KrØØk is likely not limited to just the devices the company tested. “Our results are in no way comprehensive,” Lipovsky said at RSAC, adding that Qualcomm and MediaTek gear was not vulnerable.
For Threatpost’s complete RSA Conference 2020 reporting, please visit our special coverage section, available here.