Proof-of-concept exploit code has emerged for last month's data-leaking KrØØk vulnerability present in a billion-plus Wi-Fi-connected devices and computers.
The team at infosec outfit Hexway told The Register on Friday it has crafted a working exploit for the flaw, which is present in equipment that uses Broadcom's communications chipsets. This design blunder can be abused by nearby miscreants to snatch snapshots of private data, such as web requests, messages, and passwords, over the air as it is transmitted from devices, if said data is not securely encrypted using an encapsulating protocol, such as HTTPS, DNS-over-HTTPS, a VPN, or SSH.
Crucially, to pull this off, a hacker does not need to be on the same Wi-Fi network as the victim: just within radio range of a vulnerable phone, gateway, laptop, or whatever is being probed.
"Among the devices vulnerable to this attack are the ones from Samsung, Apple, Xiaomi and other popular brands," Hexway told The Register. "To perform the KrØØk attack, a hacker just needs his or her victim to be connected to the Wi-Fi."
Designated CVE-2019-15126, the KrØØk bug revolves around the transmission data buffers in Broadcom chips. Researchers at ESET found that, in specific circumstances, an attacker can force a nearby device to disconnect from its Wi-Fi access point, causing it to emit any data still in its transmit buffer encrypted with a key value of zero. Thus a nearby snooper can decrypt this transmitted information flushed from the buffer. If the data isn't wrapped up in additional encryption, such as HTTPS, it can be read as plain text.
Hexway has managed to weaponize the design error in Broadcom's hardware by using a Raspberry Pi 3 with a Python script. This setup was able to yield keys and private data from a Sony Xperia Z3 Compact and Huawei Honor 4X, because they use the vulnerable chipset.
It is also believed that certain models of Amazon Echo and Kindle, Google Nexus smartphones, and both the iPad and iPhone are vulnerable to the flaw.
"After testing this PoC on different devices, we found out that the data of the clients that generated plenty of UDP traffic was the easiest to intercept," Hexway said in an advisory accompanying its code.
"Among those clients, for example, there are various streaming apps because this kind of traffic (unlike small TCP packets) will always be kept in the buffer of a Wi-Fi chip."
The Thice report includes further details on the flaw, which may not be as bad as feared.
"So, yeah, KrØØk is real and not that hard to exploit when a vulnerable router is involved," says the Thice recap. "However, the amount of data that you can steal this way is limited since it is only a couple of packets per disconnect."
If you haven't already done so, and if you're able to, and if it's necessary, check for and install software patches from your devices' manufacturers to address the KrØØk vulnerability. ®