Kr00k Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/kr00k/

Kr00k problem threatens devices with Qualcomm and MediaTek Wi-Fi chips
https://gridinsoft.com/blogs/kr00k-problem-threatens-devices-with-qualcomm-and-mediatek-wi-fi-chips/
Mon, 10 Aug 2020 16:48:17 +0000

In early 2020, ESET experts described the Kr00k vulnerability (CVE-2019-15126), which can be used to intercept and decrypt Wi-Fi (WPA2) traffic. At the time, it was reported that any device using the solutions of Cypress Semiconductor and Broadcom, from laptops and smartphones to routers and IoT devices, is susceptible to this problem. Now there is information that the Kr00k problem also threatens devices with Qualcomm and MediaTek Wi-Fi chips.

So, in March, ESET experts wrote that they tested and confirmed the problem for iPhone, iPad, Mac, Amazon Echo and Kindle, Google Nexus, Samsung Galaxy, Xiaomi Redmi, Raspberry Pi 3, as well as for Wi-Fi routers from Asus and Huawei. In total, the Kr00k vulnerability was thought to threaten about a billion different gadgets.

“The Kr00k problem is associated with encryption, which is used to protect data packets transmitted over Wi-Fi. Typically, such packets are encrypted with a unique key, which depends on the Wi-Fi password set by the user. However, for vulnerable chips, this key is reset to zero during the disassociation process, for example a temporary shutdown, which usually occurs due to a bad signal”, – ESET researchers said.

Thus, attackers can provoke the transition of the device into a prolonged state of disassociation and receive Wi-Fi packets intended for it. Then, by exploiting the Kr00k bug, attackers can decrypt Wi-Fi traffic using a “zero” key.

Kr00k threatens Qualcomm and MediaTek

Following the release of ESET’s February report, Broadcom and Cypress engineers have released fixes for their products.

However, ESET experts have now warned that the chips from Qualcomm and MediaTek are vulnerable to similar flaws.

In the case of Qualcomm, the vulnerability received the identifier CVE-2020-3702. Using this bug, an attacker can get access to confidential data after disassociation.

“The difference with the attack described above is that the data captured in this case is not encrypted at all, while exploiting the original Kr00k problem at least requires the use of a “zero” key”, – said the experts.

Researchers tested this vulnerability using the D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router as examples. However, any other device that uses vulnerable Qualcomm chips can also be affected by the new issue.

Qualcomm released a patch for its proprietary driver in July 2020, but the situation is complicated by the fact that some vulnerable devices are using open source Linux drivers, and it is unclear if the problem will be fixed there. Qualcomm said they have already provided OEMs with all the necessary instructions, and users can only wait for the release of patches from specific manufacturers.

In addition, ESET experts found that MediaTek chips, which are widely used in Asus routers, as well as in the Microsoft Azure Sphere development kit, also do not use encryption at all.

“Azure Sphere uses the MediaTek MT3620 microcontroller and targets a wide variety of IoT applications, including smart homes, commercial, industrial and many other sectors”, — write the researchers.

MediaTek released fixes for this issue in March and April, and Azure Sphere received patches in July 2020.

Amid the release of a number of exploits for the original Kr00k vulnerability, the researchers have published a special script that helps to find out whether a device is vulnerable to the original Kr00k or to the new variations of this attack.

Published exploit for Kr00k Wi-Fi vulnerability
https://gridinsoft.com/blogs/published-exploit-for-kr00k-wi-fi-vulnerability/
Mon, 23 Mar 2020 16:18:31 +0000

In February 2020, information security specialists spoke at the RSA 2020 conference about the new Kr00k vulnerability (CVE-2019-15126), which can be used to intercept and decrypt Wi-Fi traffic (WPA2). It has now become known that an exploit for the Kr00k Wi-Fi vulnerability has been published.

According to analysts, any device that uses the solutions of Cypress Semiconductor and Broadcom, from laptops and smartphones to routers and IoT devices, is susceptible to this problem. Experts tested and confirmed the problem for iPhone, iPad, Mac, Amazon Echo and Kindle, Google Nexus, Samsung Galaxy, Xiaomi Redmi, Raspberry Pi 3, as well as Asus and Huawei Wi-Fi routers. In total, the vulnerability threatens about a billion different gadgets.

“The main Kr00k problem is encryption, which is used to protect data packets transmitted over Wi-Fi. Typically, such packets are encrypted with a unique key, which depends on the Wi-Fi password set by the user”, — said the ESET experts who discovered the problem.

However, for Broadcom and Cypress chips, this key is reset to zero when the disassociation process is initiated, that is, a temporary shutdown, which usually occurs due to a bad signal. Thus, attackers can provoke the transition of the device into a prolonged state of disassociation and receive the Wi-Fi packets intended for it. Then, by exploiting the Kr00k bug, attackers can decrypt Wi-Fi traffic using a “zero” key.

The Infosec Hexway development team has now created an exploit for this vulnerability. Researchers managed to exploit the bug using Raspberry Pi 3 and a Python script. As a result, they were able to extract keys and personal data from Sony Xperia Z3 Compact and Huawei Honor 4X devices, which use a vulnerable chipset.

“After testing this PoC on different devices, we found that the data of clients that generated a lot of UDP traffic is easiest to intercept. For example, among such clients there are various streaming applications, because this type of traffic (unlike small TCP packets) is always stored in the buffer of the Wi-Fi chip”, — write the researchers.

Additionally, experts from Thice have already created their own exploit. Unlike their colleagues, the Thice experts report that the Kr00k problem may not be as dangerous as everyone believes:

“The amount of data that you can steal in this way is limited – only a couple of packets for each disconnection,” – say the experts.

Kr00k Wi-Fi-chips vulnerability affects over a billion devices
https://gridinsoft.com/blogs/kr00k-wi-fi-chips-vulnerability-affects-over-a-billion-devices/
Thu, 27 Feb 2020 16:27:12 +0000

At the RSA 2020 conference, ESET specialists spoke about the new Kr00k vulnerability (CVE-2019-15126) that can be used to intercept and decrypt Wi-Fi traffic (WPA2). Researchers believe that the Kr00k vulnerability in Wi-Fi-chips affects more than a billion devices.

This problem affects any device that uses the solutions of Cypress Semiconductor and Broadcom, from laptops and smartphones to routers and IoT devices. Experts tested and confirmed the problem for iPhone, iPad, Mac, Amazon Echo and Kindle, Google Nexus, Samsung Galaxy, Xiaomi Redmi, Raspberry Pi 3, as well as Asus and Huawei Wi-Fi routers. In total, the problem threatens about a billion different gadgets.

The essence of the Kr00k problem comes down to encryption, which is used to protect data packets transmitted via Wi-Fi.

“Typically, data packets are encrypted with a unique key, which depends on the Wi-Fi password set by the user. However, for Broadcom and Cypress chips, this key resets to zero during the process of disassociation, that is, a temporary shutdown, which usually occurs due to a bad signal. Wi-Fi devices disassociate many times a day and then automatically reconnect to the previously used network”, — say ESET researchers.

According to ESET experts, attackers can provoke the transition of the device into a prolonged state of disassociation and receive Wi-Fi packets intended for it. Then, by exploiting the Kr00k bug, attackers can decrypt Wi-Fi traffic using a “zero” key.

The Kr00k issue affects only Wi-Fi connections that use WPA2-Personal or WPA2-Enterprise with AES-CCMP encryption. Therefore, enabling the WPA3 protocol on a vulnerable device should protect against the attacks described by the specialists. In addition, the vulnerability is unlikely to be useful to botnet operators for automated attacks, as it requires the attacker to be close to the victim (within the range of the Wi-Fi network).

Researchers notified manufacturers of the vulnerability two months ago, so by now many devices should have already received patches.

“Depending on the type of device, this may mean installing the latest OS or software updates (Android, Apple, and Windows devices; some IoT devices), but you may also need a firmware update (access points, routers, and some IoT devices)”, – say the experts.

Experts note that the Kr00k problem is in many ways similar to the sensational KRACK vulnerability, which was discovered in 2017 and forced manufacturers to hurry up with the transition to WPA3, as well as to the DragonBlood problem, which already posed a threat to WPA3. Additionally, security experts recall that the Emotet Trojan, which became the most dangerous threat of 2019, was recently found to spread through accessible Wi-Fi networks.

At the same time, it is emphasized that Kr00k is in many ways different from the listed threats and it will be easier to fix the consequences in this case.
