The flaw is tracked as CVE-2019-15126; the ESET researchers who found it nicknamed it "Kr00k." It affects devices using Wi-Fi chips made by Cypress and Broadcom and causes them, under certain conditions, to encrypt Wi-Fi traffic with an all-zero encryption key. Anyone within radio range who captures that traffic can then read it without knowing the network password.
To communicate, Wi-Fi chips send data in chunks called packets (frames, in Wi-Fi terminology). To keep eavesdroppers from reading them, the chip encrypts each frame with an encryption key: with WPA2's AES-CCMP, a string of 128 ones and zeroes that only the sending and receiving devices are supposed to know. Without this key, anyone intercepting the frames cannot read their contents.
An all-zero key consists entirely of zeroes, and so is no secret at all. It doesn't matter how strong the cipher is: anyone who captures the frames can simply use 128 zero bits as the key and read the data. In Kr00k's case, an affected chip clears its session key to zeroes when the device is disassociated from the network, but still transmits whatever frames were waiting in its buffer, now encrypted with those zeroes. An attacker can trigger disassociations repeatedly to keep collecting such frames.
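To make the all-zero key concrete, here is an added example in Go; it is not ESET's code or anything from Broadcom or Cypress. It implements AES-CCM with the parameters WPA2's CCMP uses (a 13-byte nonce built from the transmitter address and packet number, an 8-byte MIC), checks that implementation against the first test vector published in RFC 3610, and then encrypts one frame two ways: under a made-up real key, as a healthy chip would, and under sixteen zero bytes, as a Kr00k-affected chip does after its key is cleared. The frame header fields, the real key and the payload are constructed for illustration, and the frame is reduced to its encrypted body; a real capture would also carry the 802.11 and CCMP headers from which the nonce and additional authenticated data are derived.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const micLen = 8 // CCMP's MIC is the 8-byte CCM tag

// ZeroTK is the all-zero temporal key a Kr00k-affected chip uses for frames it flushes after a disassociation.
var ZeroTK = make([]byte, 16)

// Constructed nonce and AAD for one example frame (not a real capture): nonce = priority ||
// transmitter address A2 || 48-bit PN; AAD = masked FC || A1 (AP) || A2 || A3 (BSSID) || masked seq ctrl.
var exampleNonce = []byte{0x00, 0x02, 0x00, 0x00, 0x00, 0xbb, 0x02, 0, 0, 0, 0, 0, 0x07}
var exampleAAD = []byte{0x08, 0x41, 0x02, 0x00, 0x00, 0x00, 0xaa, 0x01, 0x02, 0x00, 0x00,
	0x00, 0xbb, 0x02, 0x02, 0x00, 0x00, 0x00, 0xaa, 0x01, 0x00, 0x00}

// aesCCM is AES-CCM with CCMP's parameters (13-byte nonce, 2-byte length, 8-byte tag); it returns the transformed payload and the tag the plaintext authenticates to.
func aesCCM(key, nonce, aad, payload []byte, encrypt bool) ([]byte, []byte) {
	blk, _ := aes.NewCipher(key) // CCMP keys are 16 bytes; any other length panics below
	// CTR part: counter blocks A_i = 0x01 || nonce || i; A_0's keystream masks the tag.
	ctr := [16]byte{0x01}
	copy(ctr[1:14], nonce)
	var ks [16]byte
	keystream := func(i int) []byte {
		binary.BigEndian.PutUint16(ctr[14:], uint16(i))
		blk.Encrypt(ks[:], ctr[:])
		return ks[:]
	}
	out := make([]byte, len(payload))
	for i := range payload {
		if i%16 == 0 {
			keystream(i/16 + 1)
		}
		out[i] = payload[i] ^ ks[i%16]
	}
	plain := payload
	if !encrypt {
		plain = out // CCM authenticates the plaintext, so decrypt first
	}
	// CBC-MAC part: B_0 (flags 0x59: Adata, 8-byte tag, 2-byte length), then the
	// length-prefixed AAD and the plaintext, each zero-padded to 16 bytes.
	mac := [16]byte{0x59}
	copy(mac[1:14], nonce)
	binary.BigEndian.PutUint16(mac[14:], uint16(len(plain)))
	blk.Encrypt(mac[:], mac[:])
	for _, data := range [][]byte{append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...), plain} {
		for len(data) > 0 {
			var block [16]byte
			data = data[copy(block[:], data):]
			for j := range block {
				mac[j] ^= block[j]
			}
			blk.Encrypt(mac[:], mac[:])
		}
	}
	tag := make([]byte, micLen)
	for j, s := range keystream(0)[:micLen] {
		tag[j] = mac[j] ^ s
	}
	return out, tag
}

// encryptCCMP returns ciphertext || MIC for payload under the temporal key tk.
func encryptCCMP(tk, payload []byte) []byte {
	ct, mic := aesCCM(tk, exampleNonce, exampleAAD, payload, true)
	return append(ct, mic...)
}

// decryptCCMP decrypts ciphertext || MIC (at least micLen bytes) under tk and verifies the MIC. Called
// with ZeroTK it is the Kr00k check: only a frame encrypted after the chip's key was cleared passes.
func decryptCCMP(tk, frame []byte) ([]byte, error) {
	ct, mic := frame[:len(frame)-micLen], frame[len(frame)-micLen:]
	pt, want := aesCCM(tk, exampleNonce, exampleAAD, ct, false)
	if !bytes.Equal(mic, want) {
		return nil, fmt.Errorf("MIC mismatch: not encrypted under this key")
	}
	return pt, nil
}

// rfc3610Vector1 checks aesCCM against RFC 3610 packet vector #1 (same nonce, tag and length sizes as CCMP).
func rfc3610Vector1() bool {
	h := func(s string) []byte { b, _ := hex.DecodeString(s); return b }
	ct, tag := aesCCM(h("c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"), h("00000003020100a0a1a2a3a4a5"),
		h("0001020304050607"), h("08090a0b0c0d0e0f101112131415161718191a1b1c1d1e"), true)
	return bytes.Equal(append(ct, tag...), h("588c979a61c663d2f066d0c2c0f989806d5f6b61dac38417e8d12cfdf926e0"))
}

func main() {
	msg := []byte("POST /login user=alice&pw=hunter2") // constructed payload
	_, err := decryptCCMP(ZeroTK, encryptCCMP([]byte("0123456789abcdef"), msg))
	fmt.Println("frame under a real TK, zero-key decrypt:", err)
	pt, err := decryptCCMP(ZeroTK, encryptCCMP(ZeroTK, msg))
	fmt.Printf("Kr00k frame, zero-key decrypt: %q %v\n", pt, err)
}
```

Decrypting the first frame with the zero key fails the MIC check, so an eavesdropper learns nothing about a healthy device's traffic; decrypting the second succeeds, and a passing MIC is also how an attacker, or a defender testing a capture of their own network, recognises a Kr00k frame without any guesswork. The comparison against RFC 3610 is what makes the CCM arithmetic trustworthy rather than merely self-consistent between the encrypt and decrypt halves.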
Kr00k affects more than one variant of the protocol. According to the researchers, both WPA2-Personal and WPA2-Enterprise are affected when they use AES-CCMP encryption. WPA2 was introduced as the successor to the broken WEP (Wired Equivalent Privacy) standard and is meant to offer government-grade security by using AES, the encryption standard specified by the National Institute of Standards and Technology.
Despite this, a number of WPA2 vulnerabilities have been found. The best known is KRACK (Key Reinstallation Attacks), discovered by Mathy Vanhoef in 2017. According to the ESET team, Kr00k is related to KRACK; they came across it while examining KRACK's impact on consumer devices.
Because the affected chips are so widely used, Kr00k touches a wide range of devices. The researchers found that a number of Wi-Fi access points from Asus and Huawei were vulnerable, which matters because a vulnerable access point can expose the traffic of client devices that have themselves been patched.
More concerning, however, is the number of consumer devices that are vulnerable to Kr00k. Popular devices from tech giants such as Amazon (Echo, Kindle), Apple (iPad, iPhone, MacBook), Google (Nexus), Samsung (Galaxy) and Xiaomi (Redmi) were found vulnerable. So was the Raspberry Pi 3, the single-board computer used by many hobbyists and students. The researchers also noted that they were not able to test many other devices from other vendors that use the affected Broadcom and Cypress chips, and that these could be vulnerable as well.
After discovering the flaw, the researchers reported it to Broadcom and Cypress, which have since released fixes for the affected chips; device makers must then ship those fixes in their own firmware and operating system updates. The researchers also worked with the Industry Consortium for Advancement of Security on the Internet (ICASI) to make sure that all affected parties were aware of Kr00k.
The wide reach of Kr00k is a major cause for concern. With popular devices such as the Amazon Echo and Apple iPhone potentially affected, an attacker within Wi-Fi range of an unpatched device can recover frames it sends, and with them any messages, photos or passwords that were not additionally protected by application-layer encryption such as TLS (HTTPS).
The researchers state that most vendors should already have a patch out that addresses Kr00k, and that installing the latest updates should take care of the vulnerability. That is, if the vendor actually did address Kr00k in the patch; release notes that cite CVE-2019-15126 are the way to check.
One of the companies involved, Huawei, is seen by many as a huge espionage risk due in part to its links to the Chinese government. The U.S. has already made moves to limit the company's access to American-made chip technology. It's not hard to imagine that Huawei or the other tech giants would keep the vulnerability in place to allow them to spy on people.