Flaw in billions of Wi-Fi devices left communications open to eavesdropping
Billions of devices—many of them already patched—are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data sent over the air, researchers said on Wednesday at the RSA security conference.
The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom, the latter whose Wi-Fi business was acquired by Cypress in 2016. The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, Raspberry Pi 3’s, and Wi-Fi routers from Asus and Huawei. Eset, the security company that discovered the vulnerability, said the flaw primarily affects Cyperess’ and Broadcom’s FullMAC WLAN chips, which are used in billions of devices. Eset has named the vulnerability Kr00k, and it is tracked as CVE-2019-15126.
Manufacturers have made patches available for most or all of the affected devices, but it’s not clear how many devices have installed the patches. Of greatest concern are vulnerable wireless routers, which often go unpatched indefinitely.
“This results in scenarios where client devices that are unaffected (either patched or using different Wi-Fi chips not vulnerable to Kr00k) can be connected to an access point (often times beyond an individual’s control) that is vulnerable,” Eset researchers wrote in a research paper published on Wednesday. “The attack surface is greatly increased, since an adversary can decrypt data that was transmitted by a vulnerable access point to a specific client (which may or may not be vulnerable itself).”
Kr00k exploits a weakness that occurs when wireless devices disassociate from a wireless access point. If either the end-user device or the access point is vulnerable, it will put any unsent data frames into a transmit buffer and then send them over the air. Rather than encrypt this data with the session key negotiated earlier and used during the normal connection, vulnerable devices use a key consisting of all zeros, a move that makes decryption trivial.
Disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable client device or access point can easily send disassociation frames to trigger the vulnerability because these frames aren't authenticated.
With the forced disassociation, vulnerable devices will typically transmit several kilobytes of data that’s encrypted with the all-zero session key. The hacker can then capture and decrypt the data. Eset researcher Robert Lipovsky told me hackers can trigger multiple disassociations to further the chances of obtaining useful data.
MTCHT
ICT
TECHNOLOGICAL INNOVATIONS
POST
ABOUT US
NEWS
INTERESTING
INTERVIEW
ANALYSIS
ONLAIN LESSONS