We have identified serious security weaknesses in chipsets used by a significant number of Wi-Fi capable devices. Specifically, we discovered that FullMAC Wi-Fi chipsets by Broadcom/Cypress – and possibly other manufacturers – are vulnerable to encrypting packets in a WPA2-protected network with an all-zero encryption key. In a successful attack, this allows an adversary to decrypt some wireless network packets. The number of affected devices is likely over a billion including devices by Apple, Samsung, Amazon, and others that use the vulnerable chipsets.
The chipset-level, all-zero-key vulnerability has been assigned CVE-2019-15126. For easier reference and distinction from previous research, we dubbed it Kr00k.
Our research began with the discovery that some versions of the popular Amazon Echo and Kindle devices were vulnerable to Key Reinstallation Attacks (KRACK). After reporting that to Amazon, we investigated further, also looking into the all-zero encryption key modification of KRACK. Further vulnerable devices were discovered, reported and patched by the vendor.
But the most significant finding was that the crux is not in software, but in the hardware – the Wi-Fi chipsets themselves. Hence, the issue affects a much wider range of devices. We will detail our responsible disclosure process and how we successfully cooperated with Amazon while it prepared patches.
The presentation will include technical details and a demonstration, where we will show how we were able to trigger a reassociation to set an all-zero encryption key and decrypt intercepted packets.
We will also discuss the potential impact of these vulnerabilities, along with the limitations of exploiting them.