Flaw in billions of Wi-Fi devices left communications open to eavesdropping


Cypress and Broadcom chip bug bit iPhones, Macs, Android devices, Echoes, and more.

SAN FRANCISCO — Billions of devices—many of them already patched—are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data sent over the air, researchers said on Wednesday at the RSA security conference.

The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom; Cypress acquired Broadcom’s Wi-Fi business in 2016. The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, Raspberry Pi 3s, and Wi-Fi routers from Asus and Huawei. Eset, the security company that discovered the vulnerability, said the flaw primarily affects Cypress’ and Broadcom’s FullMAC WLAN chips, which are used in billions of devices. Eset has named the vulnerability Kr00k, and it is tracked as CVE-2019-15126.

Manufacturers have made patches available for most or all of the affected devices, but it’s not clear how many devices have installed the patches. Of greatest concern are vulnerable wireless routers, which often go unpatched indefinitely.

“This results in scenarios where client devices that are unaffected (either patched or using different Wi-Fi chips not vulnerable to Kr00k) can be connected to an access point (often times beyond an individual’s control) that is vulnerable,” Eset researchers wrote in a research paper published on Wednesday. “The attack surface is greatly increased, since an adversary can decrypt data that was transmitted by a vulnerable access point to a specific client (which may or may not be vulnerable itself).”

A key consisting of all zeros

Kr00k exploits a weakness that occurs when wireless devices disassociate from a wireless access point. If either the end-user device or the access point is vulnerable, it puts any unsent data frames into a transmit buffer and then sends them over the air. Rather than encrypting this data with the session key negotiated earlier and used during the normal connection, vulnerable devices use a key consisting of all zeros, which makes decryption trivial.

Disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable client device or access point can easily trigger disassociations by sending what are known as management frames, which aren’t encrypted and require no authentication. This lack of protection allows an attacker to forge management frames that manually trigger a disassociation.

With the forced disassociation, vulnerable devices will typically transmit several kilobytes of data that’s encrypted with the all-zero session key. The hacker can then capture and decrypt the data. Eset researcher Robert Lipovsky told me hackers can trigger multiple disassociations to improve the chances of obtaining useful data.

The following two diagrams help illustrate how the attack works.

[Figure 1: Eset diagram of the attack] [Figure 2: Eset diagram of the attack]

Eset researchers determined that a variety of devices are vulnerable, including:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6S
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S

The researchers also found that the following wireless routers are vulnerable:

  • Asus RT-N12
  • Huawei B612S-25d
  • Huawei EchoLife HG8245H
  • Huawei E5577Cs-321

An Apple spokesman said the vulnerabilities were patched last October with details for macOS here and for iOS and iPadOS here.

Manufacturers of other vulnerable devices that still receive patch support couldn't immediately be reached for comment.

The researchers tested Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink, and MediaTek, and found no evidence that any of them were vulnerable. Since it was impossible for the researchers to test all devices, it’s possible that other devices using Cypress and Broadcom chips are also affected.

While the vulnerability is interesting and users should make sure their devices are patched quickly—if they aren’t already—there are a few things that minimize the real-world threat posed. For one thing, most sensitive communications in 2020 are already encrypted, usually with Transport Layer Security (TLS) or by other methods. A glaring exception is domain name lookups, which, unless a computer is using DNS over HTTPS or DNS over TLS, are sent entirely in plaintext. Hackers who viewed these requests would be able to learn what domain names users were accessing.

Even if a vulnerable device is communicating over HTTP or another unencrypted channel, hackers could recover only several kilobytes of the data flowing over it at any one time. It’s doubtful attackers could time the disassociations in a way that would ensure passwords or other sensitive information would be captured. That means useful attacks would have to involve a large amount of luck or disassociations that occurred over and over in rapid succession.

It also seems likely that repeated attacks would be easy to detect since Wi-Fi connections would start and stop repeatedly with no clear reason why.
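The detection angle in the paragraph above, as an added example that is not part of the Ars Technica article or Eset’s research: a sliding-window detector that flags an access point/client pair receiving an unusual burst of disassociation or deauthentication frames, the observable a Kr00k attacker produces by forcing repeated disassociations. The frame records, MAC addresses, field names and thresholds are constructed assumptions, not a real tool’s API; only the two 802.11 subtype values come from the standard.

```python
from collections import defaultdict, deque
from typing import NamedTuple

# 802.11 management-frame subtype values (from the IEEE 802.11 standard).
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

class MgmtFrame(NamedTuple):
    ts: float      # capture timestamp in seconds (assumed record layout)
    subtype: int   # management-frame subtype
    bssid: str     # access point address
    sta: str       # client station address

def find_disassoc_storms(frames, window_s=10.0, threshold=5):
    """Return {(bssid, sta): peak_count} for AP/client pairs that saw at least
    `threshold` disassociation or deauthentication frames inside any
    `window_s`-second sliding window. Direction is ignored on purpose: either
    side may send the frame, and Kr00k affects whichever side is vulnerable."""
    recent = defaultdict(deque)   # (bssid, sta) -> timestamps inside the window
    storms = {}
    for f in sorted(frames, key=lambda f: f.ts):
        if f.subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue                             # beacons etc. are not relevant
        key = (f.bssid, f.sta)
        q = recent[key]
        q.append(f.ts)
        while f.ts - q[0] > window_s:            # expire frames older than the window
            q.popleft()
        if len(q) >= threshold:
            storms[key] = max(storms.get(key, 0), len(q))
    return storms

# Constructed sample capture (locally administered MACs, not real devices).
AP_BSSID = "02:00:00:00:00:01"
VICTIM_STA = "02:00:00:00:00:10"
ROAMING_STA = "02:00:00:00:00:20"
SAMPLE_FRAMES = (
    # Periodic beacons: ignored by the detector.
    [MgmtFrame(t, SUBTYPE_BEACON, AP_BSSID, "ff:ff:ff:ff:ff:ff") for t in (0.0, 102.4, 204.8)]
    # A client that roams normally: three disassociations spread over minutes.
    + [MgmtFrame(t, SUBTYPE_DISASSOC, AP_BSSID, ROAMING_STA) for t in (5.0, 95.0, 200.0)]
    # Eight deauthentications against one client inside ten seconds: the
    # "start and stop repeatedly" pattern the article describes.
    + [MgmtFrame(t, SUBTYPE_DEAUTH, AP_BSSID, VICTIM_STA)
       for t in (100.0, 101.2, 102.5, 103.9, 105.0, 106.3, 107.8, 109.1)]
)

if __name__ == "__main__":
    for (bssid, sta), n in find_disassoc_storms(SAMPLE_FRAMES).items():
        print(f"disassociation storm: AP {bssid} / client {sta}: {n} frames in 10 s")
```

In practice the records would come from a monitor-mode capture of the management channel; the roaming client shows that a low background rate of disassociations is normal and must not trip the alert.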

Despite the limited threat posed, readers should ensure their devices have received updates issued by the manufacturers. This advice is most important for users of vulnerable Wi-Fi routers, since routers are often hard to patch and because vulnerable routers leave communications open to interception even when client devices are unaffected or are already patched.

Source: Flaw in billions of Wi-Fi devices left communications open to eavesdropping (Ars Technica)  

zanderthunder
7 hours ago, Karlston said:

Despite the limited threat posed, readers should ensure their devices have received updates issued by the manufacturers. This advice is most important for users of vulnerable Wi-Fi routers, since routers are often hard to patch and because vulnerable routers leave communications open to interception even when client devices are unaffected or are already patched.

Routers supplied and issued by ISPs might need to wait long compared to routers on the market, due to specialized firmware that is usually ISP-customized. But on knowing this flaw, ISPs should be responsible to work with OEMs to provide the updates.
