KrØØk WiFi vulnerability affected WiFi encryption on over a billion devices

Posted on Mar 11, 2020 by Caleb Chen


A vulnerability in Broadcom and Cypress WiFi chips makes it possible for attackers on your local WiFi network to decrypt your WPA2 encrypted internet traffic. The vuln, known as the KrØØk (kr00k) vulnerability, has the designation CVE-2019-15126. ESET, the discoverer of the kr00k vulnerability, estimated that over a billion devices were affected. Apple products such as iPhone, iPad, and Macs were all affected; however, Apple has since patched the issue for iOS and macOS, so make sure you have installed the latest updates. Even with quick action to correct the vulnerability by affected parties, there will still be millions of devices that won’t be patched and will remain vulnerable. What KrØØk really does is remind us as internet users why properly implemented encryption is important.

How does the kr00k vulnerability decrypt WPA2 WiFi encryption?

Apple described the impact of the kr00k vulnerability as follows when they patched it in October 2019:

“An attacker in Wi-Fi range may be able to view a small amount of network traffic.”

The Broadcom and Cypress WiFi chips have a built-in feature that resets the encryption key to all zeroes in the event of a connection break between the access point and the target device. The thing is, some WPA2 “encrypted” packets still queued on the target device continue to be sent during that window, and an attacker could intercept and decrypt those by using an all-zeroes encryption key. Since the disconnection can be triggered at will by the attacker, this attack can be extremely targeted, decrypting a WiFi user’s internet activity whenever the attacker chooses.

While the attacker might not be able to decrypt HTTPS encrypted data sent to the HTTPS sites you’re visiting – like your banking website – they would still be able to intercept domain name system (DNS) lookups or server name indication (SNI) values and know which websites you’re visiting even if those sites are otherwise secured through HTTPS.
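To make the failure mode described above concrete, here is a small added Python model (not code from this article, from ESET, or from the Broadcom or Cypress firmware) of a client chip that zeroes its session key on disassociation. The cipher is a toy XOR-keystream stand-in for CCMP, and the hardened variant assumes the fix is to discard queued frames when the key is cleared instead of flushing them; the sample frames are constructed.

```python
import hashlib
import os

ZERO_TK = bytes(16)  # the all-zero temporal key the chip falls back to after a disassociation

def toy_encrypt(tk: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for CCMP: XOR with a SHA-256-derived keystream (symmetric, so it also
    decrypts). Not real 802.11 crypto; it only models 'the ciphertext depends on the TK'."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(tk + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class Station:
    """Minimal model of the client chip: a session key, a TX queue, and what it put on the air."""
    def __init__(self, drop_queue_on_key_clear: bool):
        self.tk = os.urandom(16)                     # key negotiated with the access point
        self.tx_queue: list[bytes] = []
        self.on_air: list[tuple[bytes, bytes]] = []  # (nonce, ciphertext) as a sniffer sees them
        self.drop_queue_on_key_clear = drop_queue_on_key_clear  # False models the kr00k behaviour
        self._pn = 0

    def flush(self) -> None:
        """Encrypt every queued frame with whatever TK is currently installed."""
        while self.tx_queue:
            nonce = self._pn.to_bytes(6, "big")      # CCMP-style packet number
            self._pn += 1
            self.on_air.append((nonce, toy_encrypt(self.tk, nonce, self.tx_queue.pop(0))))

    def disassociate(self) -> None:
        """Connection break: the chip zeroes the TK. The assumed fix discards the queue
        rather than flushing it under the zeroed key."""
        self.tk = ZERO_TK
        if self.drop_queue_on_key_clear:
            self.tx_queue.clear()
        else:
            self.flush()

def frames_recoverable_with_zero_key(station: Station, plaintexts: list[bytes]) -> int:
    """Audit check: count frames on the air whose plaintext comes back under the all-zero TK."""
    return sum(toy_encrypt(ZERO_TK, n, ct) in plaintexts for n, ct in station.on_air)

def run_scenario(vulnerable: bool) -> tuple[int, int]:
    """Returns (frames on the air, frames readable with the zero key) for constructed sample frames."""
    frames = [b"GET / HTTP/1.1\r\nHost: example.org", b"DNS query: example.org"]
    sta = Station(drop_queue_on_key_clear=not vulnerable)
    sta.tx_queue.append(frames[0]); sta.flush()          # sent normally under the real TK
    sta.tx_queue.append(frames[1]); sta.disassociate()   # still queued when the link drops
    return len(sta.on_air), frames_recoverable_with_zero_key(sta, frames)
```

The vulnerable station puts the queued frame on the air under the zero key, where the audit check recovers it; the hardened station sends nothing after the key is cleared.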

Millions of devices remain unpatched and may never be patched

While the CVE process worked as intended and the main companies with affected chips were able to push out patches to fix the vuln, it’s still possible that there are unpatched devices out there for whatever reason. The researchers at ESET emphasized in their reporting:

“KrØØk affects devices with Wi-Fi chips by Broadcom and Cypress that haven’t yet been patched. These are the most common Wi-Fi chips used in contemporary Wi-Fi capable devices such as smartphones, tablets, laptops, and IoT gadgets.”

It’s best to assume that WiFi encryption is incomplete and that WPA2 is not enough encryption to protect your internet traffic when you’re on WiFi. Before kr00k, there was also the KRACK WPA2 WiFi vulnerability which affected even more devices. Even when you’re on 4G networks, there are 4G vulnerabilities that allow decryption, tracking, spoofing, and spamming – and some of them even remain unpatched. This isn’t the first and it won’t be the last vulnerability affecting WiFi encryption.
