In February 2020, information security specialists spoke at the RSA 2020 conference about the new Kr00k vulnerability (CVE-2019-15126), which can be used to intercept and decrypt Wi-Fi (WPA2) traffic. It has now become known that an exploit for the Kr00k Wi-Fi vulnerability has been published. According to analysts, any device that uses chips from Cypress Semiconductor or Broadcom, from laptops and smartphones to routers and IoT devices, is susceptible to this problem. Experts tested and confirmed the problem on the iPhone, iPad, Mac, Amazon Echo and Kindle, Google Nexus, Samsung Galaxy, Xiaomi Redmi and Raspberry Pi 3, as well as Asus and Huawei Wi-Fi routers. In total, the vulnerability threatens about a billion different gadgets.
“The main Kr00k problem is encryption, which is used to protect data packets transmitted over Wi-Fi. Typically, such packets are encrypted with a unique key, which depends on the Wi-Fi password set by the user,” said the ESET experts who discovered the problem.
However, on Broadcom and Cypress chips this key is reset to all zeros when a disassociation is initiated, that is, a temporary disconnection that usually occurs because of a bad signal. Attackers can therefore provoke the device into a prolonged state of disassociation and receive the Wi-Fi packets intended for it. Then, by exploiting the Kr00k bug, they can decrypt that Wi-Fi traffic using the “zero” key.
The development team at the infosec company Hexway has now created an exploit for this vulnerability. The researchers managed to exploit the bug using a Raspberry Pi 3 and a Python script. As a result, they were able to extract keys and personal data from Sony Xperia Z3 Compact and Huawei Honor 4X devices that use a vulnerable chipset.
“After testing this PoC on different devices, we found that the data of clients that generated a lot of UDP traffic is easiest to intercept. For example, among such clients there are various streaming applications, because this type of traffic (unlike small TCP packets) is always stored in the buffer of the Wi-Fi chip,” the researchers write.
Additionally, experts from Thice have already created their own exploit. Unlike their colleagues, the Thice experts report that the Kr00k problem may not be as dangerous as everyone believes:
“The amount of data that you can steal in this way is limited – only a couple of packets for each disconnection,” the experts say.
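The attack described above depends on forcing a client into disassociation, and, as the Thice experts note, each disconnection yields only a couple of packets, so collecting anything useful means disconnecting the same client over and over. From a defender's point of view that repetition is the observable signal. The script below is an added example, not code from ESET, Hexway or Thice: it scans access-point or controller logs for clients that disassociate unusually often within a short window. The log format and the sample lines are constructed for this example (no real vendor emits exactly this format), and the threshold and window are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical AP/controller format.
# STA ...:01 is disconnected four times in 15 seconds; STA ...:02 drops once
# and reconnects later, which is the ordinary "bad signal" case.
SAMPLE_LOG = """\
2020-03-05T10:00:01Z ap1 STA aa:bb:cc:dd:ee:01 associated
2020-03-05T10:00:09Z ap1 STA aa:bb:cc:dd:ee:02 associated
2020-03-05T10:00:12Z ap1 STA aa:bb:cc:dd:ee:01 disassociated reason=8
2020-03-05T10:00:14Z ap1 STA aa:bb:cc:dd:ee:01 associated
2020-03-05T10:00:17Z ap1 STA aa:bb:cc:dd:ee:01 disassociated reason=8
2020-03-05T10:00:19Z ap1 STA aa:bb:cc:dd:ee:01 associated
2020-03-05T10:00:22Z ap1 STA aa:bb:cc:dd:ee:01 disassociated reason=8
2020-03-05T10:00:24Z ap1 STA aa:bb:cc:dd:ee:01 associated
2020-03-05T10:00:27Z ap1 STA aa:bb:cc:dd:ee:01 disassociated reason=8
2020-03-05T10:05:00Z ap1 STA aa:bb:cc:dd:ee:02 disassociated reason=3
2020-03-05T10:30:00Z ap1 STA aa:bb:cc:dd:ee:02 associated
"""

# Hypothetical line layout: <timestamp> <ap> STA <mac> <event> [reason=<n>]
LINE_RE = re.compile(
    r"^(\S+) (\S+) STA ([0-9a-f:]{17}) (associated|disassociated)(?: reason=(\d+))?$"
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ap, sta, event, reason = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ap": ap,
        "sta": sta,
        "event": event,
        "reason": int(reason) if reason is not None else None,
    }


def find_disassoc_storms(log_text, threshold=4, window=timedelta(seconds=60)):
    """Flag clients with >= threshold disassociations inside any sliding window.

    Returns {sta: peak_count_in_window} for flagged clients only.  A single
    drop and reconnect (normal roaming or weak signal) never reaches the
    threshold; a client being cycled repeatedly does.
    """
    recent = defaultdict(deque)  # sta -> timestamps of recent disassociations
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] != "disassociated":
            continue
        q = recent[ev["sta"]]
        q.append(ev["ts"])
        # Drop events that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["sta"]] = max(flagged.get(ev["sta"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for sta, count in find_disassoc_storms(SAMPLE_LOG).items():
        print(f"ALERT {sta}: {count} disassociations within 60s")
```

Run against the constructed sample, the script flags only the client that was disconnected four times in a row; the client that dropped once is left alone. The detection is deliberately cause-agnostic: it does not know whether the disassociations come from an attacker or from genuinely bad coverage, so an alert should trigger a look at signal quality and at the client's chipset, and the threshold should be raised in environments with a lot of legitimate roaming. It complements, rather than replaces, keeping the affected Wi-Fi firmware and drivers updated.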