Critical Flaw Found In Billions Of Wi-Fi Devices That Lets Hackers Easily Access Data

A new Wi-Fi vulnerability has been discovered by researchers that allows hackers in the vicinity of an affected device to decrypt sensitive data sent over the air. The vulnerability, though new found, has already affected millions of devices across the globe, including smartphones, laptops, voice assistants like Amazon Echo as well as wireless routers.

Eset, the security company behind the discovery of the vulnerability highlighted that the vulnerability primarily exists with Cyperess¡¯ and Broadcom¡¯s FullMAC WLAN chips, which are already in use in billions of devices. Eset has named the vulnerability Kr00k, and is tracking it as CVE-2019-15126.

As for the devices affected, Eset lists them to include iPhones, iPads, Macs, Android devices, Amazon Echos and Kindles, Raspberry Pi 3¡¯s, as well as Wi-Fi routers from Asus and Huawei. OEMs of these devices have now started sending patches for the affected devices to counter the vulnerability. The ones still at risk though are the wireless routers.

A research paper published by Eset on Wednesday mentions that ¡°this results in scenarios where client devices that are unaffected (either patched or using different Wi-Fi chips not vulnerable to Kr00k) can be connected to an access point (often times beyond an individual¡¯s control) that is vulnerable.¡±

(Representative Image: Reuters)

¡°The attack surface is greatly increased, since an adversary can decrypt data that was transmitted by a vulnerable access point to a specific client (which may or may not be vulnerable itself),¡± the paper further explains.

In essence, Kr00k plays on a weakness that occurs when wireless devices disassociate from a wireless access point. However, for it to work, either the end-user device or the access point has to be vulnerable. If so, Kr00k puts any unsent data frames into a transmit buffer at the time of disassociation and then sends them over the air.

Due to this, the data frames are not encrypted in the usual way. Instead, the vulnerable devices then use a key consisting of all zeros to encrypt the data, thus making the data¡¯s decryption a very easy task.

The disassociation mentioned above can be caused by multiple reasons, like when a device shifts from one Wi-Fi access point to another, experiences signal interference, or has its Wi-Fi turned off.

To instigate this, hackers within the vicinity of a vulnerable device or access point send disassociation frames to trigger the vulnerability as these frames aren't authenticated. The forced disassociation then makes the vulnerable devices act as mentioned above, transmitting several kilobytes of data encrypted with the all-zero session key.

The hackers can then capture this data and easily decrypt it. A report mentions that the hackers can trigger multiple disassociations to increase the chances of getting their hands on the data being transmitted.

The vulnerability seems to be limited to Cyperess¡¯ and Broadcom¡¯s FullMAC WLAN chips. Other chips from the likes of Qualcomm, Realtek, Ralink, and Mediatek were also checked by the researchers and were found to be invulnerable to Kr00k.

The impact of this hack cannot be too large. That is because only kilobytes worth of data is sent over the air at the time of disassociation. To garner any workable data like passwords or more, hackers will have to be lucky to time the disassociation right and will probably have to do so in multiple successions.

That being said, no one should ignore this vulnerability and make sure that the patches issued by manufacturers of the affected devices are on their device. This especially goes for vulnerable Wi-Fi routers that leave the communications open to interception even when devices are unaffected or patched.

Here is a list of devices that have been affected by the Kr00k:

Amazon Echo 2nd gen, Amazon Kindle 8th gen, Apple iPad mini 2, Apple iPhone 6, 6S, 8, XR, Apple MacBook Air Retina 13-inch 2018, Google Nexus 5, Google Nexus 6, Google Nexus 6S, Raspberry Pi 3, Samsung Galaxy S4 GT-I9505, Samsung Galaxy S8, Xiaomi Redmi 3S

Wireless routers vulnerable:

Asus RT-N12, Huawei B612S-25d, Huawei EchoLife HG8245H, Huawei E5577Cs-321