Launch of r00kie-kr00kie may assist researchers in some cases, but caveats apply
UPDATED A working proof-of-concept exploit for the Kr00k WiFi attack against mobile devices has been released.
The so-called Kr00k vulnerability (PDF) in mobile device chipsets – discovered by security researchers at ESET last month – causes vulnerable devices to use an all-zero wireless encryption key.
An attacker might be able to exploit this flaw (CVE-2019-15126) to easily decrypt wireless network packets transmitted by a vulnerable device.
The fault condition is triggered by specifically timed and handcrafted traffic that causes internal errors in devices that make use of vulnerable WiFi chips by Broadcom and Cypress.
This is an over-the-air vulnerability, which means that when a deauthentication signal is sent, a vulnerable device starts using an all-zero encryption key. As a result, there is effectively no encryption – at least at the network access layer.
“Specifically timed and handcrafted traffic can cause internal errors… in a WLAN device that lead to improper layer two WiFi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic,” the CVE listing explains.
One key caveat to this exploit is that an attacker would typically be required to trick a victim into connecting to a hacker-controlled WiFi hotspot.
Which devices are vulnerable to Kr00k?
Vulnerable chips are present in a wide range of WiFi-capable devices, such as smartphones, tablets, laptops, and IoT gadgets. WiFi network access points and routers with Broadcom chips were also affected.
According to initial tests by ESET, devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), as well as some access points by Asus and Huawei, were vulnerable to Kr00k prior to patching.
Security researchers at Hexway told The Daily Swig that they developed an exploit for the Kr00k attack as a tool to use during penetration tests.
The security services organization decided to release the r00kie-kr00kie utility it had developed to the community because others might need it and no other tools were available.
“The new attack on WiFi networks published by ESET has drawn our attention because wireless networks fall into the scope of the security assessments we perform for our clients,” Hexway explained.
“As with other types of assessment, we have to be able to provide full coverage of the attack surface.
“So, we needed a tool that would allow us to test and identify vulnerable devices. That’s how we created r00kie-kr00kie, and since no other open tools were available, we decided to make it public,” it added.
Hexway went on to play down the significance of the Kr00k attack when asked by The Daily Swig to comment on its seriousness and what steps organizations might want to take to mitigate against it.
“The Kr00k attack, as many have noticed, has a very limited impact and is mostly interesting as an example of a logical flaw,” Hexway explained. “Although, due to the popularity of the vulnerable chipsets, it cannot be ignored.
“As for prevention measures against Kr00k and other unknown attacks of this sort, we recommend implementing all updates from vendors on time.
“Most internet communications are already secured with TLS, so the likelihood of information leaks isn’t high (but it does exist),” the company spokesperson added.
Kr00k is somewhat related to the wireless Key Reinstallation Attack (Krack) technique, which was discovered in 2017 by security researcher Mathy Vanhoef.
Vanhoef played down the significance of the development of a proof of concept exploit for the Kr00k attack.
“The attack is simple, having a proof-of-concept doesn't change much,” Vanhoef told The Daily Swig. “Anyone with a basic understanding of Wi-Fi and programming would be able create of proof-of-concept. This is in contrast with, for example, some remote code execution attacks such as BlueKeep, where making the PoC is a lot of work.”
The impact of Kr00k is, in any case, low.
“In practice several devices seem to be affected, but the impact is fairly low,” Vanhoef explained. “Most website and services use HTTPS, meaning an adversary won't see interesting data. The vulnerability also does not allow an adversary to inject frames into the network.
“So, while everyone should of course patch, there is no need to panic,” the researcher concluded.
This story was updated on March 27 to add comment from Mathy Vanhoef.