Technical Details on KrØØk WiFi Vulnerability Exploit Released

  • Tracked as CVE-2019-15126, this serious flaw affects both WPA2-Personal and WPA2-Enterprise protocols with AES-CCMP encryption.
  • KrØØk is related to KRACK (Key Reinstallation Attacks), discovered in 2017.

Researchers have demonstrated a proof-of-concept for the recently discovered KrØØk WiFi vulnerability. Tracked as CVE-2019-15126, this serious flaw affects both WPA2-Personal and WPA2-Enterprise protocols with AES-CCMP encryption.

What is KrØØk and why is it important?
KrØØk is related to KRACK (Key Reinstallation Attacks), discovered in 2017. According to details shared by ESET researchers, the flaw causes vulnerable devices to use an all-zero encryption key to encrypt part of the user’s communication. In a successful attack, the vulnerability allows an adversary to decrypt some of the wireless network packets transmitted by a vulnerable device.

The flaw affects unpatched devices with Wi-Fi chips from Broadcom and Cypress. These are the most common Wi-Fi chips used in contemporary WiFi-capable devices such as smartphones, tablets, laptops, and IoT gadgets.

Some of the affected devices include Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), and Xiaomi (Redmi).

How is the flaw exploited?
In a PoC shared by researchers at HexWay, the flaw is exploited with a Python script called r00kie-kr00kie.py. The script forces a device to disassociate from the network. Any data packets still buffered in the device’s Wi-Fi chip are then encrypted with an all-zero key, so the attackers can flush them out and read them.
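The observable side effect of that sequence is a client that keeps transmitting encrypted data frames right after it was disassociated, which a healthy link never does. The following heuristic detector is an added example (not code from the article, ESET or HexWay); it assumes 802.11 frames have already been parsed into the simple records below, and the MAC addresses and timestamps are constructed sample data.

```python
"""Heuristic KrØØk-style detector over parsed 802.11 frame records (added example)."""
from dataclasses import dataclass
from collections import defaultdict, deque

# 802.11 management frame subtypes (IEEE 802.11 frame subtype table)
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
KICKS = (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH)


@dataclass
class Frame:
    ts: float        # capture time in seconds (assumed already parsed)
    kind: str        # "mgmt" or "data"
    subtype: int     # 802.11 subtype field
    src: str         # transmitter MAC
    dst: str         # receiver MAC
    protected: bool  # Protected Frame bit set, i.e. body is encrypted


def detect_post_disassoc_data(frames, window=2.0):
    """Return (client, ts) for every encrypted data frame a client sends
    within `window` seconds of being disassociated/deauthenticated."""
    last_kick = {}  # client MAC -> time of the most recent kick
    alerts = []
    for f in sorted(frames, key=lambda f: f.ts):
        if f.kind == "mgmt" and f.subtype in KICKS:
            last_kick[f.dst] = f.ts  # the kicked station is the receiver
        elif f.kind == "data" and f.protected:
            kicked_at = last_kick.get(f.src)
            if kicked_at is not None and 0 <= f.ts - kicked_at <= window:
                alerts.append((f.src, f.ts))
    return alerts


def kicked_clients(frames, window=10.0, threshold=5):
    """Return clients hit by >= threshold kicks inside any `window` seconds;
    repeated disassociation is how an attacker re-triggers the buffer flush."""
    recent, flagged = defaultdict(deque), set()
    for f in sorted(frames, key=lambda f: f.ts):
        if f.kind != "mgmt" or f.subtype not in KICKS:
            continue
        q = recent[f.dst]
        q.append(f.ts)
        while f.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(f.dst)
    return flagged


# Constructed sample capture: the AP disassociates the client, which still
# emits two encrypted data frames before going quiet and later re-associating.
AP, CLIENT = "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:02"
SAMPLE = [
    Frame(0.00, "data", 0x0, CLIENT, AP, True),             # normal traffic
    Frame(1.00, "mgmt", SUBTYPE_DISASSOC, AP, CLIENT, False),
    Frame(1.05, "data", 0x0, CLIENT, AP, True),             # suspicious
    Frame(1.20, "data", 0x8, CLIENT, AP, True),             # suspicious (QoS data)
    Frame(9.00, "data", 0x0, CLIENT, AP, True),             # outside window
]

if __name__ == "__main__":
    print(detect_post_disassoc_data(SAMPLE), kicked_clients(SAMPLE))
```

Both checks are heuristics: a single legitimate roam can produce one alert, so in practice they are worth correlating with the kick-burst count and with the capture of the same client over time.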

“After testing this PoC on different devices, we found out that the data of the clients that generated plenty of UDP traffic was the easiest to intercept. Among those clients, for example, there are various streaming apps because this kind of traffic (unlike small TCP packets) will always be kept in the buffer of a WiFi chip,” mentioned researchers in their blog post.

What actions have been taken?
Broadcom and Cypress have since released updates, and patches for devices from major manufacturers have also been released. To avoid being affected by the vulnerability, users should ensure that their systems, including phones, tablets, and laptops, have the latest updates applied.