The new variants of the KrØØk attack vulnerability discovered by ESET researchers Robert Lipovský and Štefan Svorenčík had impacted Qualcomm and MediaTek Wi-Fi chips.
KrØØk, a security vulnerability disclosed by ESET in February 2020 and reported as CVE-2019-15126, could be used by attackers to decrypt some WPA2-encrypted wireless network packets transmitted by compromised devices after effective exploitation, requiring them to use all-zero encryption keys to encrypt part of the exchanged traffic.
On this page you can find a list of advisories describing security patches targeting KrØØk that holds a list of software fixes issued by vendors to fix the vulnerability.
Exploiting KrØØk allows adversaries to intercept and decrypt (potentially sensitive) data of interest and, when compared to other techniques commonly used against Wi-Fi, exploiting KrØØk has a significant advantage: while they need to be in the range of the Wi-Fi signal, the attackers do not need to be authenticated and associated to the WLAN. In other words, they don’t need to know the Wi-Fi password.
“Our tests confirmed that prior to patching, some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were vulnerable to KrØØk,” ESET said at the time.
In all, according to a conservative estimate provided by ESET, the number of Wi-Fi – enabled devices exposed to KrØØk attacks exceeded one billion.
Qualcomm and MediaTek Wi-Fi-enabled devices prove vulnerable
While ESET initially said that only devices with Broadcom and Cypress Wi-Fi chips were affected, Lipovský and Svorenčík discovered new KrØØk variants which also affected the Qualcomm and MediaTek radios used in cars, navigation systems, watches, laptops , smartphones, routers and other devices.
“The vulnerability we discovered (which was assigned CVE-2020-3702) was also triggerable by a disassociation and led to undesirable disclosure of data by transmitting unencrypted data in the place of encrypted data frames – much like with KrØØk.”
“We also observed the manifestation of a similar vulnerability (i.e. lack of encryption) on some Wi-Fi chips by MediaTek,” including the ASUS RT-AC52U route and the Microsoft Azure Sphere development kit that utilizes the MT3620 microcontroller also used in smart home, commercial, and industrial solutions.
New KrØØk variants are already being patched
Qualcomm released a fix for the proprietary driver affected in July by the newly discovered KrØØk attack, and during March and April 2020, MediaTek fixed the flaw.
A security update was released later , in July, with Azure Sphere OS version 20.07, which fixed the bug impacting the MT3620 microcontroller.
When left unpatched, these new results dramatically increase the number of susceptible devices to attacks from KrØØk and their variants.
Lipovský and Svorenčík have released a proof-of-concept testing script for triggering and detecting the KrØØk vulnerability on unpatched devices.