
A vulnerability in some popular WiFi chips present in client devices, routers, and access points can be leveraged to partially decrypt user communication and expose data in wireless network packets.
The flaw, named Kr00k, was identified in components from Broadcom and Cypress, which are integrated into mobile phones, tablets, laptops, and IoT gadgets. By current conservative estimates, over one billion devices are affected.
All-zero session key
Researchers at security company ESET, who found the vulnerability, explain that exploitation causes unpatched devices to "use an all-zero encryption key to encrypt part of the user’s communication."
Kr00k is now tracked as CVE-2019-15126 and affects both WPA2-Personal and WPA2-Enterprise networks that use AES-CCMP encryption for data integrity and confidentiality, the researchers say.
It is related to KRACK (Key Reinstallation Attack), a flaw in the 4-way handshake of the WPA2 protocol, discovered by security researchers Mathy Vanhoef and Frank Piessens, and disclosed publicly in October 2017.
"In the beginning of our research, we found Kr00k to be one of the possible causes behind the “reinstallation” of an all-zero encryption key, observed in tests for KRACK attacks."
A device establishes a connection to an access point in multiple stages, with the WPA2 (Wi-Fi Protected Access II) protocol ensuring mutual authentication of the two parties via the Pre-Shared Key (PSK), which is the WiFi password.
The 4-way handshake process establishes cryptographic keys for data integrity and confidentiality, one of them being the Pairwise Transient Key (PTK), which is split into further keys with various purposes.
The one relevant in the context of Kr00k exploitation is the 128-bit Temporal Key (TK), which encrypts unicast data frames between the client and the access point.
A client moving from one place to another may connect to multiple access points (association, reassociation) or lose its connection due to interference (disassociation).
ESET researchers explain that Kr00k occurs after a disassociation, when the TK stored in the WiFi chip is set to zero, i.e. cleared in memory.
While clearing the key is normal, transmitting the data frames left in the chip's transmit (Tx) buffer after encrypting them with the all-zero TK is not.

Unlike KRACK, which is an attack occurring during the 4-way handshake, Kr00k is a vulnerability that can be leveraged after triggering a disassociation state.
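The Go model below is an added illustration, not ESET's code or any vendor's firmware. It assumes a simplified chip with a TK, a Tx buffer and a Patched flag, and uses AES-GCM in place of AES-CCMP because Go's standard library has no CCM mode; it shows why frames sent after the key is cleared are readable by anyone, and the check a defender can run over a capture to confirm whether a device still leaks.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Chip models the Kr00k-relevant state: the 128-bit Temporal Key (TK), frames
// queued in the transmit buffer, and whether the firmware is patched.
type Chip struct {
	TK       [16]byte
	TxBuffer [][]byte
	Patched  bool
}
// seal encrypts one frame under the current TK as nonce || ciphertext || tag.
// AES-GCM stands in for AES-CCMP (Go's stdlib has no CCM mode); the point
// shown here, that an all-zero key protects nothing, holds for both.
func (c *Chip) seal(payload []byte) []byte {
	block, _ := aes.NewCipher(c.TK[:])
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, 12) // sent in clear, like the CCMP packet number
	rand.Read(nonce)
	return g.Seal(nonce, nonce, payload, nil)
}
// Disassociate clears the TK (normal). An unpatched chip then still sends the
// buffered frames, now encrypted with the all-zero TK; a patched one drops them.
func (c *Chip) Disassociate() (onAir [][]byte) {
	c.TK = [16]byte{}
	if !c.Patched {
		for _, p := range c.TxBuffer {
			onAir = append(onAir, c.seal(p))
		}
	}
	c.TxBuffer = nil
	return onAir
}
// LeakedPayloads is the defender's check over captured frames: one that
// authenticates under an all-zero key was sent with a cleared TK and is
// readable by anyone in radio range. Frames are nonce || ciphertext || tag.
func LeakedPayloads(frames [][]byte) (leaked [][]byte) {
	block, _ := aes.NewCipher(make([]byte, 16)) // the all-zero key
	g, _ := cipher.NewGCM(block)
	for _, f := range frames {
		if p, err := g.Open(nil, f[:12], f[12:], nil); err == nil {
			leaked = append(leaked, p)
		}
	}
	return leaked
}
```

A frame sealed under the real TK fails authentication under the zero key, so the check only flags frames that were actually sent with a cleared TK.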
Exploitation potential
Exploiting the vulnerability is possible by inducing a disassociation state on the target device, a trivial thing to do via a deauthentication attack, which requires only the victim device's MAC address and sends a management frame that is processed as is: unauthenticated and unencrypted.
An adversary can intercept the data frames remnant in the transmit buffer and decrypt them, potentially capturing sensitive information.
"This is possible even if the attacker is not connected (authenticated and associated) to the WLAN (e.g. doesn’t know the PSK) – by using a WNIC in monitor mode – which is what would make Kr00k advantageous for the attackers, compared to some other attack techniques used against Wi-Fi security," explains ESET.

An attacker in the proximity of the victim can keep triggering disassociations to capture a larger number of network packets (DNS, ARP, ICMP, HTTP, TCP) that could contain sensitive information.

Vulnerable products
Given that Broadcom chips are used in most WiFi gadgets and those from Cypress are preferred by IoT makers, it is safe to assume that at the time of discovery Kr00k affected at least one billion devices.
Prior to patching, ESET found that the following devices were vulnerable to Kr00k:
- Amazon Echo 2nd gen
- Amazon Kindle 8th gen
- Apple iPad mini 2
- Apple iPhone 6, 6S, 8, XR
- Apple MacBook Air Retina 13-inch 2018
- Google Nexus 5
- Google Nexus 6
- Google Nexus 6S
- Raspberry Pi 3
- Samsung Galaxy S4 GT-I9505
- Samsung Galaxy S8
- Xiaomi Redmi 3S
- Asus RT-N12
- Huawei B612S-25d
- Huawei EchoLife HG8245H
- Huawei E5577Cs-321
The researchers did not see the vulnerability in products with WiFi chips from Qualcomm, Realtek, Ralink, and Mediatek.
The flaw was disclosed responsibly to Broadcom and Cypress, which issued a firmware fix to vendors. The update should be available for devices that are still in support, and users should install it where it is not applied automatically.
The Industry Consortium for Advancement of Security on the Internet (ICASI) was also notified of the problem to make sure that other WiFi chip manufacturers learn about Kr00k and check if their products are vulnerable.
Full details about Kr00k are available on a dedicated page as well as in a technical paper authored by Miloš Čermák, Štefan Svorenčík and Robert Lipovský, in collaboration with Ondrej Kubovič.
ESET is scheduled to present their findings at the RSA Conference today and at Nullcon in early March.

Comments
catinahat - 4 years ago
Is it all Broadcom and Cypress chips in Huawei and Asus modem-routers? Or just the 1 Asus and 3 Huawei models in the list above?