2 min read

Have you patched your IoT devices against the KrØØk Wi-Fi chip flaw

Graham CLULEY

March 23, 2020

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Have you patched your IoT devices against the KrØØk Wi-Fi chip flaw

Last month security researchers took to the stage of the RSA Conference in San Francisco to reveal details of a previous unknown security flaw in the Wi-Fi chips built into more than one billion devices.

The KrØØk vulnerability (also known as CVE-2019-15126) exists in certain Broadcom and Cypress Wi-Fi chipsets and allows unauthorized decryption of some WPA2-encrypted traffic by causing vulnerable devices to use an easy-to-decrypt all-zero encryption key.

Unpatched IoT gadgets, smartphones, tablets, laptops, Wi-Fi access points and routers with Broadcom chips are all at risk from the KrØØk vulnerability, which is related to the KRACK flaw in the WPA2 protocol discovered in 2017.

Vulnerable devices were said to include:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6P
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S

Predictably, other researchers have been exploring how easy it might be to exploit the KrØØk flaw – and a team at security outfit Hexway say that it “didn’t take much time” for it to write proof-of-concept code to steal sensitive data as it was transmitted wirelessly.

The exploit code, which Hexway say they have released for “educational purposes only”, is a Python script they named “R00kie Kr00kie”.

If Hexway found it fairly straightforward to exploit the KrØØk vulnerability, there’s no reason to think cybercriminals couldn’t do just the same.

But don’t panic just yet. You see, more internet communication than ever is using HTTPS/SSL for an additional layer of encryption, limiting opportunities for attackers to steal information through the KrØØk vulnerability. The use of SSH and secure VPNs also adds an additional wrapping of encryption around sensitive data as it is transmitted.

And just like the KRACK flaw, KrØØk requires an attacker to be within close proximity of your Wi-Fi network to launch an attack against it.

Although the KrØØk flaw exists within vulnerable Wi-Fi chips built into devices, the solution does not (thankfully) have to be a hardware fix. Manufacturers of vulnerable devices can push out firmware and driver updates to apply fixes.

Furthermore, the researchers who initially discovered the KrØØk vulnerability, responsibly disclosed the vulnerability to the affected chip manufacturers and other potentially affected parties.

So the message for users is clear. Make sure that your wireless devices are running the latest updates and security patches, and if you are at all concerned – contact the manufacturer to verify if your device is at risk and how to install an update to protect your privacy.

tags


Author



Right now

Top posts

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

John Oliver Shows the Dark Side of Data Brokerage on Last Week Tonight

April 15, 2022

3 min read
Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

Bitdefender Labs Warns of Phishing Scams Targeting MetaMask Users

April 14, 2022

3 min read
Why and how to hide your IP address while traveling

Why and how to hide your IP address while traveling

April 13, 2022

2 min read
How Bitdefender Can Help Restore Your Privacy in the Digital Age

How Bitdefender Can Help Restore Your Privacy in the Digital Age

April 04, 2022

3 min read
How Strong is VPN Encryption?

How Strong is VPN Encryption?

February 28, 2022

3 min read
Top Three Ways Internet Users Unknowingly Help Cybercriminals

Top Three Ways Internet Users Unknowingly Help Cybercriminals

February 25, 2022

4 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Ukrainian Citizen Sentenced to Prison for Brute-Forcing Credentials and Selling them Online Ukrainian Citizen Sentenced to Prison for Brute-Forcing Credentials and Selling them Online
Silviu STAHIE

May 13, 2022

2 min read
Mozilla Says Many Health and Prayer Apps Are Pose Security Risks Mozilla Says Many Health and Prayer Apps Are Pose Security Risks
Silviu STAHIE

May 09, 2022

2 min read
$5 Million Worth of Bored Ape NFTs Stolen by Scammers Pretending to Return Gas Fees $5 Million Worth of Bored Ape NFTs Stolen by Scammers Pretending to Return Gas Fees
Silviu STAHIE

May 05, 2022

1 min read