Thu. Feb 22nd, 2024

What is Kr00k?

Kr00k is a security vulnerability in some Wi-Fi chips made by Broadcom and Cypress. It lets an attacker within radio range decrypt some of the Wi-Fi traffic that is encrypted with WPA2, the most common protocol for securing wireless networks. Kr00k was discovered by security researchers from ESET in 2019, disclosed publicly in February 2020, and assigned the identifier CVE-2019-15126.

How does Kr00k work?

Kr00k exploits a flaw in the way the affected Wi-Fi chips handle "disassociation". Disassociation ends a Wi-Fi association; it happens when the signal is weak, on interference, when a device roams to another network, or when either side sends a disassociation frame. When a device disassociates, the chip clears the session (temporal) key used to encrypt data frames, so that the key becomes all zeros. Clearing the key is intended; the flaw is that data frames still queued in the chip's transmit buffer are not discarded but are encrypted with the now all-zero key and transmitted over the air. An attacker within Wi-Fi range can capture these frames and decrypt them with the same all-zero key. The attacker does not have to wait for a natural disconnect: in WPA2 networks without Protected Management Frames (802.11w), disassociation and deauthentication frames are not authenticated, so a forged disassociation frame forces the victim to disconnect, and repeating it leaks whatever is in the buffer each time.
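To make the mechanism concrete, here is an added Go example, written for this page rather than taken from ESET or any chip vendor. It implements 802.11 CCMP (AES-128 in CCM mode with an 8-byte MIC) on the standard library, seals two constructed data frames, one under a normal session key and one under the all-zero key an affected chip ends up using for buffered frames, and then plays the attacker, who tries the zero key on everything captured. The addresses, key, packet numbers and payload are constructed sample values; the MAC-header masking and nonce construction follow the CCMP rules in the 802.11 standard.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// CCMP (IEEE 802.11 clause 12.5.3) is AES-128 in CCM mode with an 8-byte MIC, a 13-byte nonce
// and a 2-byte length field (RFC 3610 M=8, L=2). ZeroTK is the all-zero temporal key that a
// Kr00k-affected chip applies to the frames still in its transmit buffer after a disassociation.
const micLen = 8
var ZeroTK = make([]byte, 16)

// Frame is a minimal model of a non-QoS 802.11 data frame carrying a CCMP-protected body.
type Frame struct {
	FC, SC     [2]byte // Frame Control; Sequence Control (little-endian, fragment number in the low 4 bits)
	A1, A2, A3 [6]byte // receiver, transmitter and third address
	PN         uint64  // 48-bit packet number carried in the CCMP header
	Body       []byte  // ciphertext followed by the 8-byte MIC
}

// aad is the MAC header with the fields that may change on retransmission masked out.
func (f *Frame) aad() []byte {
	fc := f.FC
	fc[0], fc[1] = fc[0]&^0x70, fc[1]&^0x38|0x40 // mask subtype bits 4..6, Retry, Power Management, More Data; Protected Frame is always set
	out := append(append(append(fc[:], f.A1[:]...), f.A2[:]...), f.A3[:]...)
	return append(out, f.SC[0]&0x0f, 0) // keep the fragment number, drop the sequence number
}

// nonce is priority (0 for non-QoS data) || A2 || PN, most significant PN byte first.
func (f *Frame) nonce() []byte {
	var pn [8]byte
	binary.BigEndian.PutUint64(pn[:], f.PN)
	return append(append([]byte{0}, f.A2[:]...), pn[2:]...)
}

// ccm seals plain with CCM (M=8, L=2): counter-mode ciphertext plus the MIC over aad and plain.
// Counter mode is its own inverse, so calling it on ciphertext yields the plaintext again.
func ccm(tk, nonce, aad, plain []byte) (ct, mic []byte) {
	c, err := aes.NewCipher(tk)
	if err != nil {
		panic(err) // only a wrong key length gets here
	}
	ctr := append(append([]byte{0x01}, nonce...), 0, 0) // A_i = 0x01 || nonce || i (16-bit big-endian)
	s, ct := make([]byte, 16), make([]byte, len(plain))
	c.Encrypt(s, ctr) // S_0 (i = 0) masks the MIC
	mic = append([]byte{}, s[:micLen]...)
	for i := range plain {
		if i%16 == 0 {
			binary.BigEndian.PutUint16(ctr[14:], uint16(i/16+1))
			c.Encrypt(s, ctr)
		}
		ct[i] = plain[i] ^ s[i%16]
	}
	// CBC-MAC over B_0 || len(aad) || aad || plain, each part zero-padded to 16 bytes.
	x := append(append([]byte{0x59}, nonce...), byte(len(plain)>>8), byte(len(plain))) // B_0; 0x59 = Adata|M'=3|L'=1
	c.Encrypt(x, x)
	for _, part := range [][]byte{append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...), plain} {
		for i := 0; i < len(part); i += 16 {
			for j := 0; j < 16 && i+j < len(part); j++ {
				x[j] ^= part[i+j]
			}
			c.Encrypt(x, x)
		}
	}
	for i := range mic {
		mic[i] ^= x[i]
	}
	return ct, mic
}

// Unprotect returns the plaintext of f.Body only if its MIC verifies under tk (what a receiver, or an attacker trying a key, does).
func (f *Frame) Unprotect(tk []byte) ([]byte, bool) {
	if n := len(f.Body) - micLen; n >= 0 {
		pt, _ := ccm(tk, f.nonce(), f.aad(), f.Body[:n]) // undo counter mode; the MIC computed here is meaningless
		if _, want := ccm(tk, f.nonce(), f.aad(), pt); bytes.Equal(want, f.Body[n:]) {
			return pt, true
		}
	}
	return nil, false
}

// sampleFrame is what the chip transmits for a constructed data frame (Data subtype, ToDS=1, Protected=1,
// sequence 0x1a, locally administered sample addresses) once payload is sealed under the key tk it holds.
func sampleFrame(pn uint64, tk, payload []byte) *Frame {
	f := &Frame{FC: [2]byte{0x08, 0x41}, SC: [2]byte{0xa0, 0x01}, PN: pn,
		A1: [6]byte{2, 0, 0, 0, 0, 1}, A2: [6]byte{2, 0, 0, 0, 0, 2}, A3: [6]byte{2, 0, 0, 0, 0, 3}}
	ct, mic := ccm(tk, f.nonce(), f.aad(), payload)
	f.Body = append(ct, mic...)
	return f
}

func main() {
	payload := []byte("GET /login?user=alice HTTP/1.1")             // constructed plaintext
	before := sampleFrame(42, []byte("sixteen byte key"), payload) // queued while the real (constructed) key was installed
	after := sampleFrame(43, ZeroTK, payload)                      // flushed after a disassociation zeroed the key
	for _, f := range []*Frame{before, after} {
		pt, ok := f.Unprotect(ZeroTK) // the attacker only ever tries the zero key
		fmt.Printf("PN %d: zero-key MIC ok=%v plaintext=%q\n", f.PN, ok, pt)
	}
}
```

Run it with go run: the frame sealed under the real key fails the MIC check under the zero key, while the frame the chip flushed after clearing its key decrypts to the plaintext. The same MIC check is why the zero key does not let an attacker inject or alter traffic: the peer verifies every frame with the real session key, under which a zero-key frame fails. The masking in aad() matters for real captures, since retransmitted frames arrive with the Retry bit set and still have to verify.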

What devices are affected by Kr00k?

Kr00k affects devices that use Broadcom and Cypress Wi-Fi chips, which are widely used in smartphones, tablets, laptops, routers, and IoT devices. ESET researchers tested and confirmed that Kr00k affects devices from Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry Pi 3, and Xiaomi (Redmi), as well as routers from Asus and Huawei. They estimate that over a billion devices are vulnerable to Kr00k, and call this a conservative number, as other Wi-Fi chip manufacturers may also be affected.

What can an attacker do with Kr00k?

An attacker who exploits Kr00k can intercept and decrypt some of the Wi-Fi traffic sent by a vulnerable device. This can include sensitive information such as passwords, credit card numbers, personal messages, or web browsing history. However, the attacker cannot decrypt all of the Wi-Fi traffic: only the packets that are in the chip's buffer at the time of disassociation are affected. Moreover, the attacker cannot inject or modify Wi-Fi traffic, as that would require the real session key, which is never exposed. Finally, the attacker cannot read traffic that is protected by an additional encryption layer, such as TLS (which HTTPS uses) or a VPN tunnel; what leaks is whatever the device sent without such a layer, for example plain HTTP requests or DNS lookups.

How to protect the router from Kr00k?

The best way to protect the router from Kr00k is to update its firmware to a version that patches the vulnerability. The fix is a firmware or driver update for the affected chip, and it applies to client devices as much as to routers: Broadcom and Cypress released patches, and device makers shipped them in their own updates (Apple, for example, fixed its devices in October 2019, before the public disclosure). Users should check the router manufacturer's support site for a firmware version that references CVE-2019-15126 or a Wi-Fi driver update, and install it. If no update is available, users can replace the router with a newer model that uses a different Wi-Fi chip or supports the WPA3 protocol, which is not affected by Kr00k. Enabling Protected Management Frames (802.11w), which WPA3 requires and many WPA2 routers offer as an option, stops an attacker from forcing disassociations with forged frames, but it does not prevent the key from being zeroed on a disconnect that happens naturally, so it reduces exposure rather than fixing the flaw.

Another way to limit the damage from Kr00k is to use an additional encryption layer on the devices that connect to the router. For example, users can use a VPN service that encrypts all internet traffic, or make sure they use HTTPS websites, which encrypt the web traffic with TLS. This way, even if an attacker captures and decrypts the Wi-Fi packets, they will not be able to read the data that is encrypted by the VPN or HTTPS.

Conclusion

Kr00k is a serious vulnerability that affects many Wi-Fi devices built on Broadcom and Cypress Wi-Fi chips. It allows an attacker to decrypt some of the Wi-Fi traffic that is encrypted with WPA2, exposing sensitive information. Users should update the firmware of their routers and client devices to a version that patches the vulnerability, and use additional encryption layers to protect their traffic in the meantime.

By admin
