Security researchers at ESET have discovered a vulnerability in Broadcom and Cypress Wi-Fi chips that can undermine the WPA2 encryption of millions of devices (including routers). Here is some information on the subject.
Yesterday I already came across the first tweets and this Bleeping Computer article, which draws attention to the problem.
The vulnerability is that during a WiFi disassociation state, Broadcom and Cypress chips allow the use of an all-zero key to decrypt WiFi packets
— Catalin Cimpanu (@campuscodi) February 26, 2020
ESET security researchers describe the Kr00k vulnerability in this document. Kr00k, formally tracked as CVE-2019-15126, is a vulnerability in Broadcom and Cypress Wi-Fi chips that allows unauthorized decryption of a portion of WPA2-encrypted traffic.
Specially timed, hand-crafted frames sent over a Wi-Fi connection can force an error in the device's internal state transitions (a disassociation). The chip then clears the WPA2 session key (the temporal key) in its memory, but frames still waiting in its transmit buffer are nevertheless sent out, encrypted with the resulting all-zero key. An attacker within radio range who captures those frames can decrypt them without knowing the network password; only the data buffered at the moment of the disassociation is exposed, not the whole session. See also CVE-2019-9502 and CVE-2019-9503.
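To make the failure mode concrete, here is an added example (my own code, not ESET's and not from the chip vendors) that models the defect: a client whose key slot is zeroed by a forged disassociation while payloads are still queued, and the check an analyst runs over a capture afterwards, namely whether a frame's MIC verifies under the all-zero key. Go's standard library has no CCM mode, so the 802.11 CCMP layer (AES-CCM, 13-byte nonce, 8-byte MIC) is written out from the RFC 3610 block layout; the header bytes used as AAD, the key and the payloads are constructed for the demo, and the key-slot/queue model is an assumption about how the bug manifests, based on the description above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"errors"
	"fmt"
)

const micLen = 8 // 802.11 CCMP is AES-CCM with a 13-byte nonce and an 8-byte MIC (CCM parameters M=8, L=2)

var ZeroTK = make([]byte, 16)                                       // the all-zero key a vulnerable chip is left with
var hdr = []byte{0x08, 0x41, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55} // constructed MAC header bytes used as the CCM AAD

// ccmMIC is the CCM CBC-MAC (RFC 3610 layout) over B0, the length-prefixed AAD and the plaintext.
func ccmMIC(blk cipher.Block, nonce, aad, plaintext []byte) []byte {
	mac := make([]byte, 16)
	absorb := func(data []byte) { // XOR in 16-byte blocks (the last one zero-padded), encrypt after each
		for i := 0; i < len(data); i += 16 {
			for j := 0; j < 16 && i+j < len(data); j++ {
				mac[j] ^= data[i+j]
			}
			blk.Encrypt(mac, mac)
		}
	}
	b0 := append([]byte{0x40 | ((micLen-2)/2)<<3 | 1}, nonce...)         // flags (Adata, M'=(M-2)/2, L'=L-1), nonce
	absorb(append(b0, byte(len(plaintext)>>8), byte(len(plaintext))))   // ... followed by the 16-bit plaintext length
	absorb(append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...)) // AAD prefixed with its 16-bit length
	absorb(plaintext)
	return mac[:micLen]
}

// ccmStream returns S0 (which masks the MIC) and the CTR keystream for the payload (counter blocks 1, 2, ...).
func ccmStream(blk cipher.Block, nonce []byte) ([]byte, cipher.Stream) {
	stream := cipher.NewCTR(blk, append(append([]byte{1}, nonce...), 0, 0)) // flags L'=1, nonce, 16-bit counter = 0
	s0 := make([]byte, 16)
	stream.XORKeyStream(s0, s0)
	return s0, stream
}

// CCMPEncrypt returns ciphertext || MIC for one payload under the temporal key tk (16 bytes, else panic).
func CCMPEncrypt(tk, nonce, aad, plaintext []byte) []byte {
	blk, err := aes.NewCipher(tk)
	if err != nil {
		panic(err)
	}
	s0, stream := ccmStream(blk, nonce)
	out := make([]byte, len(plaintext)+micLen)
	stream.XORKeyStream(out, plaintext)
	for i, m := range ccmMIC(blk, nonce, aad, plaintext) {
		out[len(plaintext)+i] = m ^ s0[i]
	}
	return out
}

// CCMPDecrypt verifies the MIC and returns the plaintext; under the wrong key the MIC check fails.
func CCMPDecrypt(tk, nonce, aad, ciphertext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(tk)
	if err != nil || len(ciphertext) < micLen {
		return nil, errors.New("bad key length or frame too short for a MIC")
	}
	s0, stream := ccmStream(blk, nonce)
	body := ciphertext[:len(ciphertext)-micLen]
	plaintext := make([]byte, len(body))
	stream.XORKeyStream(plaintext, body)
	mic := ccmMIC(blk, nonce, aad, plaintext)
	for i := range mic {
		mic[i] ^= s0[i]
	}
	if subtle.ConstantTimeCompare(mic, ciphertext[len(body):]) != 1 {
		return nil, errors.New("MIC check failed")
	}
	return plaintext, nil
}

type Frame struct{ Nonce, Payload []byte } // what an attacker captures: CCMP nonce and ciphertext || MIC

// Scenario models the defect against a constructed client: one frame leaves under the real TK, then a forged
// disassociation zeroes the key slot while two payloads are still queued, and the unpatched chip sends them
// anyway. It returns the number of frames captured and the payloads readable with no key at all.
func Scenario() (captured int, recovered []string) {
	var capture []Frame
	send := func(keyslot []byte, payloads ...string) { // the chip flushes its queue with whatever its key slot holds
		for _, p := range payloads {
			pn := uint64(len(capture) + 1) // packet number; nonce = priority octet, transmitter address, 48-bit PN
			nonce := append(append([]byte{0}, hdr[2:8]...), 0, 0, byte(pn>>24), byte(pn>>16), byte(pn>>8), byte(pn))
			capture = append(capture, Frame{nonce, CCMPEncrypt(keyslot, nonce, hdr, []byte(p))})
		}
	}
	send([]byte("constructed-TK16"), "GET /mail HTTP/1.1")                   // normal operation under the (constructed) real TK
	send(ZeroTK, "POST /login user=alice&pw=hunter2", "DNS A? bank.example") // after the forged disassociation
	for _, f := range capture {                                              // the Kr00k check: MIC valid under the all-zero TK?
		if pt, err := CCMPDecrypt(ZeroTK, f.Nonce, hdr, f.Payload); err == nil {
			recovered = append(recovered, string(pt))
		}
	}
	return len(capture), recovered
}

func main() {
	fmt.Println(Scenario())
}
```

The frame sent under the real key does not verify under the all-zero key, so the check singles out exactly the two frames that left the transmit buffer after the key was cleared. Against a real capture the same test applies per frame: strip the CCMP header, rebuild the nonce from the priority, transmitter address and packet number, and attempt decryption with sixteen zero bytes; a valid MIC means the transmitter is exposed.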
Who is affected?
The vulnerability affects all unpatched devices with Broadcom and Cypress FullMAC Wi-Fi chips. These are the most widely used Wi-Fi chips in today's client devices and are built into products from major manufacturers such as Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), and many other brands.
Wi-Fi access points and routers that use these chips are affected by Kr00k as well. This matters because an environment whose client devices are all patched remains exposed as long as its access point is not: the access point's buffered frames can leak in the same way. ESET estimates that more than a billion devices were affected before patches were released.
The entry on nist.gov indicates that Apple and Cisco have already released patches for this vulnerability.
- For example, Apple has published this page dated October 28, 2019, which indicates fixes for devices running iOS 13.2 and iPadOS 13.2.
- The same applies to a fix in macOS Catalina 10.15.1.
- Cisco has published this security advisory on February 27, 2020.
Thus, a number of end devices have already been patched with respect to this vulnerability.
What can I do?
ESET recommends making sure that all Wi-Fi-enabled devices, including smartphones, tablets, notebooks, and Wi-Fi access points and routers, are updated to the latest operating system, software and/or firmware versions. According to the researchers, patches have now been released for devices from the major manufacturers.
The severity ratings range from 'serious' (ESET) to 'low' (NIST). NIST arrives at the lower rating because the attack is comparatively expensive to carry out, the attacker must be within radio range of the wireless network, and only the traffic buffered at the moment of the disassociation is exposed rather than the whole session.