Kr00k: Serious Vulnerability Affected Encryption of Billion+ Wi-Fi Devices

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 12:30 p.m. (40 minutes).

We identified Kr00k (CVE-2019-15126) – a previously unknown vulnerability in chips used by a significant proportion of all Wi-Fi capable devices. Specifically, we discovered that Wi-Fi chips by Broadcom and Cypress – and possibly other manufacturers – could be forced to encrypt some packets in a WPA2-protected network with an all-zero encryption key. In a successful attack, this allows an adversary to decrypt some wireless network packets. The number of affected devices was likely over a billion as the vulnerable chips are used in devices from Apple, Samsung, Google, Amazon, and many others.

The presentation will include technical details and a demonstration, where we will show how we were able to trigger Wi-Fi reassociations on the targeted device, force setting the all-zero encryption key and decrypt intercepted packets. We will also discuss the potential impact of these vulnerabilities, along with the limitations of exploiting them.

This new research follows our earlier discovery that some versions of the popular Amazon Echo and Kindle devices were vulnerable to Key Reinstallation Attacks (KRACK), which were discovered by Mathy Vanhoef in 2017. We will explain how Kr00k is related to the previously known research – and how it differs.

Exclusively for Black Hat USA, we will also cover our most recently discovered Wi-Fi encryption vulnerabilities affecting other chip manufacturers, including Qualcomm.

Finally, we will discuss and release our proof-of-concept testing script designed to trigger and detect the Kr00k vulnerability on unpatched devices.


Presenters:

  • Stefan Svorencik - Senior Detection Engineer, ESET
    Stefan Svorencik is a Senior Detection Engineer in ESET's Security Research Laboratory, with more than 10 years' experience with malware, vulnerability and exploit research. He currently leads the Experimental Research and Detection Team at ESET headquarters in Bratislava, which focuses on vulnerability research and advanced detection methods.
  • Robert Lipovsky - Senior Malware Researcher, ESET
    Robert Lipovsky is a Senior Malware Researcher for ESET, with more than 12 years' experience in cybersecurity. He is responsible for threat intelligence and malware analysis and leads the Malware Research Team at ESET headquarters in Bratislava. He is a regular speaker at security conferences, including Black Hat USA, RSAC, Virus Bulletin, Blue Hat, Gartner Security & Risk Management Summit, Hacktivity, Code Blue, and various NATO-organized conferences. He also teaches reverse engineering at the Slovak University of Technology – his alma mater, and at Comenius University. When not bound to a keyboard, he enjoys traveling, playing guitar and flying single-engine airplanes.
