Security flaws in components, communications, or protocols most commonly used in the industry can have disastrous consequences. Experts in ethical hacking from security firm ESET reported the finding of a critical vulnerability in multiple WiFi chips that causes exposed devices to use an all-zero encryption key to encrypt some of the users’ communications. According to the report, successful exploitation of this flaw would allow a threat actor to decrypt some network packets transmitted via the vulnerable device.
The vulnerability, tracked as CVE-2019-15126, is present on devices with Broadcom and Cypress WiFi chips with no updates. It should be noted that these chips are the most used by manufacturers of WiFi-capable devices, such as smartphones, Internet of Things (IoT) devices, laptops, tablets and more. The flaw was dubbed as KrØØk by ESET researchers.
In addition, the flaw does not only affect customer devices, but extends to Broadcom WiFi access points and chip routers, so business and government environments could also be affected.
Regarding the affected devices, ethical hacking specialists say that many of today’s most employed technology developments are vulnerable to these flaws. Affected devices include manufacturers such as:
- Amazon (Echo & Kindle)
- Apple (iPhone, iPad, MacBook)
- Google (Nexus)
- Samsung (Galaxy)
- Xiaomi (Redmi)
The flaw affects WPA2-Personal and WPA3-Enterprise protocols, with AES-CCMP encryption. According to the researchers’ estimates, more than one billion actively used devices worldwide would be exposed to the exploitation of KrØØk, and that’s just users’ devices; the compromised access points’ calculation is still missing.
Ethical hacking specialists say this flaw is related to key reinstallation attacks (KRACK), detected a couple of years ago, albeit with some key differences. “Initially, we found that KrØØk was one of the possible causes of the KRACK attacks, thanks to the finding of a vulnerability in Amazon Echo,” the ESET report mentions.
The International Institute of Cyber Security (IICS) mentions that the flaw was reported to affected manufacturers in a timely manner, so updates must already have been installed on most vulnerable devices. Users are encouraged to verify that there are no pending updates for their devices.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.