
Bug in Wi-Fi chips, over 1 billion Android and iOS devices affected

Kr00k is the name of a new security flaw in the Wi-Fi chips of various consumer electronics devices, including laptops, smartphones, smart-home devices such as the Amazon Echo or Google Nest, and routers. It was discovered by ESET researchers and mainly affects certain chips produced by Broadcom and Cypress Semiconductor (which acquired Broadcom's wireless IoT business in 2016). The vulnerability could affect "well over a billion" devices on the market, the security company says (the billion mark is reached by counting iPhones alone, according to the source); tests were positive on the following products:

  • Amazon Echo 2nd gen.
  • Amazon Kindle 8th gen.
  • Apple iPad mini 2, iPad Air
  • Apple iPhone 6, 6s, 8, XR
  • Google Nexus 5, 6 and 6P
  • Raspberry Pi 3
  • Samsung Galaxy S4 and S8
  • Xiaomi Redmi 3S

Not a very current fleet of smartphones, in short, but it is worth noting that both Android and iOS are affected. Vendors have already prepared corrective patches; since the fix lives in the Wi-Fi chip's firmware, it reaches users only through the device maker's OTA firmware updates, which are usually distributed (or have already been distributed) that way. Good luck receiving them on six- or seven-year-old smartphones, though, let alone routers. It is worth adding that ESET also tested devices equipped with Wi-Fi chips from other manufacturers, for example Qualcomm, Realtek and MediaTek, without finding them affected.

Kr00k (tracked as CVE-2019-15126) is a vulnerability in the Wi-Fi encryption layer and is, in a sense, a relative of KRACK, the attack that broke WPA2 in 2017. It is triggered when a device is disassociated from its Wi-Fi access point: the chip clears the session key (the WPA2 temporal key) to all zeros, but still transmits whatever is left in its transmit buffer, up to several kilobytes, encrypting it with that all-zero key, which is as good as sending it in the clear. An attacker can therefore force repeated disconnections and capture these frames, recovering fragments of data that should have been protected.

By repeating the procedure many times, an attacker can in theory piece together sensitive information such as passwords, credit card numbers and much more (only data not otherwise protected, for example by TLS, is exposed). It is important to note that the attacker does not even need the password of the network the victim device is connected to: disassociation frames are unauthenticated management frames (unless 802.11w protected management frames are in use), so they can be injected from outside the network, and the leaked frames can be captured with a wireless card in monitor mode (RFMON, Radio Frequency MONitor).

The investigation into this bug dates back to the third quarter of 2018. Cypress and Broadcom were informed in August 2019, and patches began circulating in the last quarter of 2019.

Credits opening image: Pixabay