Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you're using HTTPS, SSH, VPNs... right?
Encryption keys forced to zero by chip-level KrØØk flaw
A billion-plus computers, phones, and other devices are said to suffer a chip-level security vulnerability that can be exploited by nearby miscreants to snoop on victims' encrypted Wi-Fi traffic.
The flaw [PDF] was branded KrØØk by the bods at Euro infosec outfit ESET who discovered it. The design blunder is otherwise known as CVE-2019-15126, and is related to 2017's KRACK technique for spying on Wi-Fi networks.
An eavesdropper doesn't have to be logged into the target device's wireless network to exploit KrØØk. If successful, the miscreant can take repeated snapshots of the device's wireless traffic as if it were on an open and insecure Wi-Fi. These snapshots may contain things like URLs of requested websites, personal information in transit, and so on.
It's not something to be totally freaking out over: someone exploiting this has to be physically near you, and you may notice your Wi-Fi being disrupted. But it's worth knowing about.
You can read the above report for the full briefing, though here's a gentle overview. When connected to a protected Wi-Fi network, a device and its access point will decide upon and use a shared encryption key to secure their over-the-air communications. When the device wants to send data over the network, it queues up packets in a transmission buffer in its Wi-Fi controller chip. This chip, when ready, encrypts the buffer's contents with the key and transmits it to the access point.
It is possible to force a device off its Wi-Fi network by sending it special disassociation packets. Anyone can send these special packets over the air to a device; you don't need to be on the same network. When these disassociation packets are received, vulnerable Wi-Fi controllers – made by Broadcom and Cypress, and used in countless computers and gadgets – will overwrite the shared encryption key with the value zero.
Crucially, the chip will continue to empty its transmission buffer, transmitting any outstanding packets with the zeroed encryption key. Anyone within range can receive those radio transmissions and decrypt the data because the key is now known – it's zero. Said data can include things like DNS look-ups, HTTP requests, and so on, allowing eavesdroppers to figure out what the device is up to. Repeat this process over and over to snatch more and more glimpses of a victim's network traffic.
Network traffic already wrapped up in encryption prior to transmission – such as HTTPS requests, or stuff traveling via SSH and secure VPNs – remains encrypted. It's just the Wi-Fi encryption that's broken.
Here's how ESET put it on Wednesday:
After a disassociation occurs, data from the chip’s Tx [transmission] buffer will be transmitted encrypted with the all-zero TK [temporary key]. These data frames can be captured by an adversary and subsequently decrypted. This data can contain several kilobytes of potentially sensitive information.
By repeatedly triggering disassociations (effectively causing reassociations, as the session will usually reconnect), the attacker can capture more data frames.
As a result, the adversary can capture more network packets containing potentially sensitive data ... similar to what they would see on an open WLAN network without WPA2.
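For defenders, the repeated disassociate-and-reconnect pattern described above is something a wireless sensor can watch for. The following is an added example, not code from ESET or this article: it assumes a hypothetical event feed of (time, 802.11 management subtype, source, destination) tuples, and the MAC addresses, window and threshold values are constructed for illustration.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes (frame control field)
ASSOC_REQ, REASSOC_REQ, DISASSOC = 0, 2, 10

# Constructed sample events: (seconds, mgmt subtype, source MAC, destination MAC).
# All MAC addresses are made up for this example.
AP = "02:00:00:00:00:01"
STA_A = "02:00:00:00:00:aa"
STA_B = "02:00:00:00:00:bb"
SAMPLE_EVENTS = [
    (0.0, DISASSOC, AP, STA_A), (1.2, REASSOC_REQ, STA_A, AP),
    (4.0, DISASSOC, AP, STA_A), (5.1, REASSOC_REQ, STA_A, AP),
    (8.5, DISASSOC, AP, STA_A), (9.4, ASSOC_REQ, STA_A, AP),
    (12.0, DISASSOC, AP, STA_A), (13.3, REASSOC_REQ, STA_A, AP),
    (300.0, DISASSOC, AP, STA_B), (301.0, REASSOC_REQ, STA_B, AP),  # single roam
]


def find_disassoc_cycles(events, window=30.0, threshold=3, rejoin_within=5.0):
    """Return {station: first alert time} for stations that complete at least
    `threshold` disassociate-then-rejoin cycles within `window` seconds."""
    pending = {}                      # station -> time of unanswered disassoc
    cycles = defaultdict(deque)       # station -> times of completed cycles
    alerts = {}
    for ts, subtype, src, dst in sorted(events):
        if subtype == DISASSOC:
            pending[dst] = ts
        elif subtype in (ASSOC_REQ, REASSOC_REQ) and src in pending:
            started = pending.pop(src)
            if ts - started > rejoin_within:
                continue              # slow rejoin: not the forced-cycle pattern
            recent = cycles[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()      # drop cycles that fell out of the window
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for station, when in find_disassoc_cycles(SAMPLE_EVENTS).items():
        print(f"{station}: repeated disassociation/rejoin cycles, alert at t={when}s")
```

The detector keys on the station being disassociated rather than on the frame's source address, since anyone in range can send those frames.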
This silicon-level screw-up is present in a ton of stuff because they all use the same families of Wi-Fi controllers. "KrØØk affects devices with Wi-Fi chips by Broadcom and Cypress that haven’t yet been patched," ESET said. "These are the most common Wi-Fi chips used in contemporary Wi-Fi capable devices such as smartphones, tablets, laptops, and IoT gadgets."
Among equipment confirmed to be using the vulnerable chips are Apple's iPhone 6 or later, the 2018 MacBook Air, Google's Nexus 5 and 6, Amazon's Kindle and Echo gear, and the Raspberry Pi model 3. For wireless access points, the Asus RT-N12, Huawei B612S-25d, Huawei EchoLife HG8245H, and Huawei E5577Cs-321 all have the flaw. Cisco also acknowledged its wireless gear is at risk.
"We have also tested some devices with Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink, Mediatek and did not see the vulnerability manifest itself," said ESET.
Even though the security blunder lies within the Wi-Fi chips themselves, the researchers say it can be fixed at the software level. We can imagine such fixes ensure the transmit buffer is not emptied over the air after a disassociation or a key change, and is instead dumped. These controllers feature embedded CPU cores directing their operation, and presumably these can be reprogrammed to not flush transmission queues over the air with zeroed encryption keys.
To address KrØØk, therefore, users and admins should, says ESET, look out for driver or firmware updates for affected devices. ESET seems confident fixes are available, though your mileage may vary. The supply chain from the likes of Broadcom and Cypress to manufacturers of Internet-of-Things devices and other wireless-enabled equipment through to end users can be rather long and winding, and there are plenty of places for code updates to snag and never see the light of day.
In the meantime, encrypt as much network traffic as possible, especially over Wi-Fi, using HTTPS, SSH, VPNs, and so on, so that if your network-level encryption is smashed, you're still protected from snoopers at the application layer or thereabouts. ®