The Kr00k problem threatens devices with Qualcomm and MediaTek Wi-Fi chips

Kr00k threatens Qualcomm and MediaTek

At the beginning of 2020, ESET experts spoke about the Kr00k vulnerability (CVE-2019-15126), which can be used to intercept and decrypt Wi-Fi (WPA2) traffic. At the time, it was reported that any device using solutions from Cypress Semiconductor and Broadcom, from laptops and smartphones to routers and IoT devices, is susceptible to this problem. Now there is information that the Kr00k problem also threatens devices with Qualcomm and MediaTek Wi-Fi chips.

In March, ESET experts wrote that they had tested and confirmed the problem for iPhone, iPad, Mac, Amazon Echo and Kindle, Google Nexus, Samsung Galaxy, Xiaomi Redmi, Raspberry Pi 3, as well as for Wi-Fi routers from Asus and Huawei. In total, the Kr00k vulnerability was thought to threaten about a billion different gadgets.

“The Kr00k problem is associated with encryption, which is used to protect data packets transmitted over Wi-Fi. Typically, such packets are encrypted with a unique key, which depends on the Wi-Fi password that the user has set. However, for vulnerable chips, this key is reset to zero in case of the disassociation process, for example a temporary shutdown, which usually occurs due to a poor signal,” ESET researchers said.

Thus, attackers can force the device into a prolonged disassociation state and receive Wi-Fi packets intended for it. Then, by exploiting the Kr00k bug, attackers can decrypt the Wi-Fi traffic using the “zero” key.

Following the release of ESET’s February report, Broadcom and Cypress engineers have released fixes for their products.

However, ESET experts have now warned that chips from Qualcomm and MediaTek are vulnerable to similar flaws.

In the case of Qualcomm, the vulnerability received the identifier CVE-2020-3702. Using this bug, an attacker can (after disassociation) get access to confidential data.

“The difference with the attack described above is that the data captured in this case is not encrypted at all, while exploiting the original Kr00k problem at least requires the use of a ‘zero’ key,” the experts said.

Researchers tested this vulnerability using the D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router as examples. However, any other devices that use vulnerable Qualcomm chips can also be affected by the new issue.

Qualcomm released a patch for its proprietary driver in July 2020, but the situation is complicated by the fact that some vulnerable devices are using open source Linux drivers, and it is unclear if the problem will be fixed there. Qualcomm said they have already provided OEMs with all the necessary instructions, and users can only wait for the release of patches from specific manufacturers.

In addition, ESET experts found that MediaTek chips, which are widely used in Asus routers as well as in the Microsoft Azure Sphere development kit, also do not use encryption at all.

“Azure Sphere uses the MediaTek MT3620 microcontroller and targets a wide variety of IoT applications, including smart homes, commercial, industrial and many other sectors,” the researchers write.

MediaTek released fixes for this issue in March and April, and Azure Sphere received patches in July 2020.

Amid the release of a number of exploits for the original Kr00k vulnerability, the researchers have published a special script that helps to find out whether a device is vulnerable to the original Kr00k or to the new variations of this attack.
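A capture-side check for the behaviour described above, as an added example that is not ESET's script or any vendor's code: it reads raw 802.11 headers from a monitor-mode capture of your own device and reports data frames still sent on a link shortly after that link was disassociated, separating frames with the Protected bit clear (the Qualcomm and MediaTek behaviour) from protected frames that would still need testing against an all-zero key (original Kr00k). The function names, the 0.5 second window, the MAC addresses and the sample capture are assumptions constructed for illustration; frames are assumed to have the radiotap header already removed.

```python
import struct

DISASSOC, DEAUTH = 10, 12            # management subtypes that end an association
NEW_SESSION = (0, 2, 11)             # assoc request, reassoc request, authentication
PROTECTED = 0x4000                   # Protected Frame bit of the Frame Control field

def parse(raw):
    """Return (type, subtype, protected, addr1, addr2), or None if the header is truncated."""
    if len(raw) < 16:
        return None
    (fc,) = struct.unpack_from("<H", raw, 0)
    return (fc >> 2) & 3, (fc >> 4) & 0xF, bool(fc & PROTECTED), raw[4:10], raw[10:16]

def audit(frames, window=0.5):
    """frames: (timestamp_seconds, raw_802.11_frame) in capture order, radiotap removed.
    Reports data frames sent on a link within `window` s after that link was torn down."""
    ended, findings = {}, []         # ended: {link peers} -> time of disassociation
    for ts, raw in frames:
        hdr = parse(raw)
        if hdr is None:
            continue
        ftype, subtype, protected, a1, a2 = hdr
        link = frozenset((a1, a2))
        if ftype == 0 and subtype in (DISASSOC, DEAUTH):
            ended[link] = ts
        elif ftype == 0 and subtype in NEW_SESSION:
            ended.pop(link, None)    # a fresh handshake follows; later data is expected
        elif ftype == 2 and not subtype & 0x4 and link in ended:   # skip Null frames
            if ts - ended[link] <= window:
                verdict = ("protected, check against all-zero key" if protected
                           else "sent in plaintext")
                findings.append((a2.hex(":"), ts, verdict))
    return findings

def frame(fc, a1, a2, body=b""):     # constructed test frame: FC, duration, 3 addresses, seq
    return struct.pack("<HH", fc, 0) + a1 + a2 + a1 + b"\x00\x00" + body

STA, AP = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")   # constructed MACs
CAPTURE = [                                       # constructed sample capture
    (1.00, frame(0x4108, AP, STA, b"x" * 8)),     # protected data while associated
    (2.00, frame(0x00A0, STA, AP)),               # disassociation sent by the AP
    (2.01, frame(0x0108, AP, STA, b"x" * 8)),     # data, Protected bit clear
    (2.02, frame(0x4108, AP, STA, b"x" * 8)),     # data, Protected bit set
    (2.03, frame(0x0148, AP, STA)),               # Null data frame, carries no payload
    (9.00, frame(0x0108, AP, STA, b"x" * 8)),     # outside the window
]

if __name__ == "__main__":
    print(*audit(CAPTURE), sep="\n")
```

The check only inspects headers and performs no decryption, so a "protected" finding is a prompt for further testing rather than proof of the original Kr00k flaw.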

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He is available 24 hours a day, 7 days a week to help you with any question related to internet security.
