2 min read

Have you patched your IoT devices against the KrØØk Wi-Fi chip flaw

Graham CLULEY

March 23, 2020

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Have you patched your IoT devices against the KrØØk Wi-Fi chip flaw

Last month security researchers took to the stage of the RSA Conference in San Francisco to reveal details of a previous unknown security flaw in the Wi-Fi chips built into more than one billion devices.

The KrØØk vulnerability (also known as CVE-2019-15126) exists in certain Broadcom and Cypress Wi-Fi chipsets and allows unauthorized decryption of some WPA2-encrypted traffic by causing vulnerable devices to use an easy-to-decrypt all-zero encryption key.

Unpatched IoT gadgets, smartphones, tablets, laptops, Wi-Fi access points and routers with Broadcom chips are all at risk from the KrØØk vulnerability, which is related to the KRACK flaw in the WPA2 protocol discovered in 2017.

Vulnerable devices were said to include:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6P
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S

Predictably, other researchers have been exploring how easy it might be to exploit the KrØØk flaw – and a team at security outfit Hexway say that it “didn’t take much time” for it to write proof-of-concept code to steal sensitive data as it was transmitted wirelessly.

The exploit code, which Hexway say they have released for “educational purposes only”, is a Python script they named “R00kie Kr00kie”.

If Hexway found it fairly straightforward to exploit the KrØØk vulnerability, there’s no reason to think cybercriminals couldn’t do just the same.

But don’t panic just yet. You see, more internet communication than ever is using HTTPS/SSL for an additional layer of encryption, limiting opportunities for attackers to steal information through the KrØØk vulnerability. The use of SSH and secure VPNs also adds an additional wrapping of encryption around sensitive data as it is transmitted.

And just like the KRACK flaw, KrØØk requires an attacker to be within close proximity of your Wi-Fi network to launch an attack against it.

Although the KrØØk flaw exists within vulnerable Wi-Fi chips built into devices, the solution does not (thankfully) have to be a hardware fix. Manufacturers of vulnerable devices can push out firmware and driver updates to apply fixes.

Furthermore, the researchers who initially discovered the KrØØk vulnerability, responsibly disclosed the vulnerability to the affected chip manufacturers and other potentially affected parties.

So the message for users is clear. Make sure that your wireless devices are running the latest updates and security patches, and if you are at all concerned – contact the manufacturer to verify if your device is at risk and how to install an update to protect your privacy.

tags


Author



Right now

Top posts

Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

December 21, 2021

2 min read
Online Shoppers Beware, Mobile Scams Are on the Rise

Online Shoppers Beware, Mobile Scams Are on the Rise

December 17, 2021

2 min read
The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Apple Patches New Zero-Day and Nasty Privacy Bug with iOS 15.3 and macOS 12.2 Apple Patches New Zero-Day and Nasty Privacy Bug with iOS 15.3 and macOS 12.2
Filip TRUȚĂ

January 27, 2022

2 min read
Microsoft Uncovers New SolarWinds Vulnerability While Analyzing Log4j Exploit Activity Microsoft Uncovers New SolarWinds Vulnerability While Analyzing Log4j Exploit Activity
Silviu STAHIE

January 26, 2022

1 min read
Take Your QNAP NAS Offline! DeadBolt Ransomware Locks Devices via Alleged Zero-Day Flaw Take Your QNAP NAS Offline! DeadBolt Ransomware Locks Devices via Alleged Zero-Day Flaw
Filip TRUȚĂ

January 26, 2022

1 min read