KrØØk attack variants impact Qualcomm, MediaTek Wi-Fi chips

Qualcomm and MediaTek Wi-Fi chips were found to have been impacted by new variants of the KrØØk information disclosure vulnerability discovered by ESET researchers Robert Lipovský and Štefan Svorenčík.

KrØØk, a security flaw disclosed by ESET in February 2020 and tracked as CVE-2019-15126, can be exploited to decrypt some WPA2-encrypted wireless network packets transmitted by vulnerable devices: a successful attack forces the device to encrypt part of the exchanged traffic with an all-zero encryption key.

A list of vendor advisories and the software updates released to patch KrØØk is maintained on this page.

Exploiting KrØØk allows adversaries to intercept and decrypt (potentially sensitive) data of interest and, when compared to other techniques commonly used against Wi-Fi, exploiting KrØØk has a significant advantage: while they need to be in the range of the Wi-Fi signal, the attackers do not need to be authenticated and associated to the WLAN. In other words, they don’t need to know the Wi-Fi password.

"Our tests confirmed that prior to patching, some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were vulnerable to KrØØk," ESET said at the time.

In total, the number of Wi-Fi-enabled devices exposed to KrØØk attacks exceeded one billion according to a conservative estimate provided by ESET.

Qualcomm and MediaTek Wi-Fi-enabled devices also vulnerable

Even though ESET initially said that only devices with Broadcom and Cypress Wi-Fi chips were affected, Lipovský and Svorenčík discovered new KrØØk variants that also impact systems using Qualcomm and MediaTek radios, found in vehicles, navigation systems, watches, laptops, smartphones, routers, and other devices.

"One of the chips we looked at aside from those from Broadcom and Cypress was by Qualcomm," the researchers explain in a report published today and shared with BleepingComputer earlier this week.

"The vulnerability we discovered (which was assigned CVE-2020-3702) was also triggerable by a disassociation and led to undesirable disclosure of data by transmitting unencrypted data in the place of encrypted data frames – much like with KrØØk."

"We also observed the manifestation of a similar vulnerability (i.e. lack of encryption) on some Wi-Fi chips by MediaTek," including the ASUS RT-AC52U router and the Microsoft Azure Sphere development kit that utilizes the MT3620 microcontroller, a chip also used in smart home, commercial, and industrial solutions.
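The Qualcomm and MediaTek variants described above manifest as data frames that should have been CCMP-encrypted being sent in the clear, with a disassociation as the trigger. The following is an added example (not the ESET proof-of-concept script or code from the article) of a passive detection heuristic a network defender could run over a monitor-mode capture: on a WPA2 network every unicast data frame with a payload must carry the Protected Frame bit, so unprotected data frames, especially from a station that was just disassociated, are the symptom to look for. It assumes standard IEEE 802.11 header layout (3-address frames without HT Control), and the MAC addresses and frame sequence are constructed, not captured. The original Broadcom/Cypress variant (encryption with an all-zero key, Protected bit still set) cannot be caught this way; that would require attempting CCMP decryption with a zero temporal key, which this example does not do.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

FC_TYPE_MGMT = 0
FC_TYPE_DATA = 2
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
FC_FLAG_PROTECTED = 0x40      # bit 6 of the second Frame Control byte
ETHERTYPE_EAPOL = 0x888E      # 802.1X / 4-way handshake is legitimately unencrypted


@dataclass
class Frame:
    ftype: int
    subtype: int
    protected: bool
    addr1: bytes        # receiver address
    addr2: bytes        # transmitter address
    body: bytes         # bytes after the MAC header


def parse_80211(raw: bytes) -> Frame:
    """Decode Frame Control, the first two addresses and the frame body.
    Assumption: 3-address frames without HT Control (enough for this heuristic)."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = raw[0], raw[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    hdr_len = 24
    if ftype == FC_TYPE_DATA and subtype & 0x8:   # QoS Data adds a 2-byte QoS Control
        hdr_len += 2
    return Frame(ftype, subtype, bool(fc1 & FC_FLAG_PROTECTED),
                 raw[4:10], raw[10:16], raw[hdr_len:])


def llc_ethertype(body: bytes) -> Optional[int]:
    """Return the SNAP ethertype of a plaintext data body, or None if not LLC/SNAP."""
    if len(body) >= 8 and body[:3] == b"\xaa\xaa\x03":
        return int.from_bytes(body[6:8], "big")
    return None


def find_plaintext_after_disassoc(frames: List[bytes], bssid: bytes) -> List[Dict]:
    """Flag data frames sent in the clear on a network expected to use WPA2,
    and record whether the sending station had just been disassociated."""
    kicked: Set[bytes] = set()
    findings: List[Dict] = []
    for idx, raw in enumerate(frames):
        f = parse_80211(raw)
        if f.ftype == FC_TYPE_MGMT and f.subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            # addr1 is the recipient; remember the station side of the exchange
            kicked.add(f.addr1 if f.addr2 == bssid else f.addr2)
            continue
        if f.ftype != FC_TYPE_DATA or f.protected:
            continue
        if f.subtype & 0x4:           # Null / QoS Null frames carry no payload
            continue
        if llc_ethertype(f.body) == ETHERTYPE_EAPOL:
            continue                  # handshake frames are unencrypted by design
        sta = f.addr2 if f.addr2 != bssid else f.addr1
        findings.append({"index": idx, "station": sta.hex(":"),
                         "after_disassoc": sta in kicked})
    return findings


def build_frame(ftype, subtype, protected, addr1, addr2, addr3, body=b"") -> bytes:
    """Assemble a minimal 802.11 frame (constructed test data, not a capture)."""
    fc0 = (ftype << 2) | (subtype << 4)
    fc1 = FC_FLAG_PROTECTED if protected else 0
    hdr = bytes([fc0, fc1, 0, 0]) + addr1 + addr2 + addr3 + b"\x00\x00"
    if ftype == FC_TYPE_DATA and subtype & 0x8:
        hdr += b"\x00\x00"            # QoS Control
    return hdr + body


AP = bytes.fromhex("020000000001")        # constructed locally administered MACs
STA = bytes.fromhex("020000000002")
STA2 = bytes.fromhex("020000000003")
SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"
SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"


def sample_capture() -> List[bytes]:
    """Constructed monitor-mode sequence: protected traffic, a disassociation,
    then a data frame from the same station sent without the Protected bit."""
    return [
        build_frame(FC_TYPE_DATA, 8, True, AP, STA, AP, b"\x00" * 16),             # CCMP-protected
        build_frame(FC_TYPE_MGMT, SUBTYPE_DISASSOC, False, STA, AP, AP, b"\x07\x00"),
        build_frame(FC_TYPE_DATA, 8, False, AP, STA, AP, SNAP_IP + b"\x45" * 20),   # leak symptom
        build_frame(FC_TYPE_DATA, 0, False, AP, STA, AP, SNAP_EAPOL + b"\x02\x03"), # re-handshake
        build_frame(FC_TYPE_DATA, 12, False, AP, STA, AP),                          # QoS Null
        build_frame(FC_TYPE_DATA, 8, False, AP, STA2, AP, SNAP_IP + b"\x45" * 20),  # other station
    ]


if __name__ == "__main__":
    for hit in find_plaintext_after_disassoc(sample_capture(), AP):
        print(hit)
```

Run against the constructed capture, the heuristic reports two unprotected data frames: the one from the station that was just disassociated (the pattern the report describes) and one from a station that was not, which still deserves a look on a WPA2 network but lacks the disassociation context. EAPOL and Null frames are excluded deliberately, since both are unencrypted on a healthy network and would otherwise produce false positives every time a client reconnects.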

Overview of KrØØk (ESET)

New KrØØk variants already fixed

Qualcomm released a fix for the proprietary driver affected by the newly discovered KrØØk attack in July, and MediaTek fixed the flaw during March and April 2020.

A security update that fixed the bug impacting the MT3620 microcontroller was released later, in July, with Azure Sphere OS version 20.07.

These new findings greatly increase the number of devices that are vulnerable to KrØØk attacks and their variants if left unpatched.

Lipovský and Svorenčík have released a proof-of-concept testing script for triggering and detecting the KrØØk vulnerability on unpatched devices.

Today, during their Kr00k: Serious Vulnerability Affected Encryption of Billion+ Wi-Fi Devices presentation at Black Hat USA 2020, they will also demonstrate how they were able to trigger the new KrØØk variants on devices using Qualcomm and MediaTek Wi-Fi chips.

Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from ESET for using industry-standard coordinated disclosure practices. Qualcomm has already made mitigations available to OEMs in May 2020, and we encourage end users to update their devices as patches have become available from OEMs. – Qualcomm spokesperson

Update: Added Qualcomm statement.
