Is There a Kr00k On Your Network?

Rowell Dionicio

On February 26, 2020, ESET published a PDF on a new Wi-Fi vulnerability, named Kr00k, affecting both access points (APs) and client devices. The report identified devices using specific Broadcom and Cypress chipsets on encrypted Wi-Fi networks as vulnerable.

ESET notified both manufacturers and provided them time to create a patch prior to publishing their findings.

Should you be concerned about the vulnerability? You should be aware.

Should you panic and initiate all security protocols to protect yourself? No.

Security should always take a layered approach.

Kr00k targets the way data in the buffer is handled. When a device or AP has a disassociation event, the data in the buffer (previously encrypted) becomes unencrypted. Technically, the encryption keys are zeroed out, leaving the data remaining in the buffer unencrypted.

As the device or AP clears the buffer by transmitting the data, that data is sent over the air unencrypted.

The data is part of a communication stream between an AP and a device. This is the only portion of data not encrypted. The most widely used Wi-Fi security method as of this writing is WPA2.

How Can the Kr00k Vulnerability Be Used?

A malicious user can send disassociation frames to trigger a device or AP to disassociate. The malicious user would have to be in close proximity, both to send the disassociation frames and to sniff the unencrypted data that is then transmitted over the air.

The frames that were zeroed out would be vulnerable. A malicious user does not gain access to previously used keys or access to your pre-shared key.

Is there a security patch?

Broadcom and Cypress worked on a patch before the vulnerability was disclosed to the public. This underscores the practice of keeping devices current with security patches.

Broadcom chipsets are used in many network devices, from access points to mobile devices. Cypress chipsets are used in a lot of IoT devices, which could be more vulnerable from a security perspective due to how often IoT devices are patched.

Application traffic should be leveraging other forms of secure communications, such as TLS, to encrypt traffic between the application and destination server.

Another option to consider is using 802.11w (Management Frame Protection), which helps prevent disassociation attacks. Enabling 802.11w increases the security and confidentiality of management frames, particularly with regard to the frame origin.

The downside of 802.11w is that not all network devices support it. The feature should be tested in a lab environment prior to a mass rollout.
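To make the disassociation trigger and the 802.11w mitigation concrete from the monitoring side, here is an added example (not from ESET's report or any vendor tooling) that parses raw 802.11 management frames and flags bursts of disassociation or deauthentication frames sent without the Protected bit. The MAC addresses, sample frames, one-second window and threshold of three are all constructed assumptions. Group-addressed frames, which 802.11w protects with an integrity element rather than the Protected bit, are not distinguished here.

```python
import struct

MGMT, DISASSOC, DEAUTH = 0, 10, 12  # 802.11 frame type / subtype values
PROTECTED = 0x40                    # Protected Frame bit, second Frame Control octet

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_teardown(frame):
    """Parse a raw 802.11 frame (MAC header first, no radiotap, no FCS).
    Returns a dict for disassociation/deauthentication frames, else None."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != MGMT or subtype not in (DISASSOC, DEAUTH):
        return None
    protected = bool(frame[1] & PROTECTED)
    # An 802.11w-protected unicast body is encrypted, so its reason code is not readable.
    readable = not protected and len(frame) >= 26
    reason = struct.unpack_from("<H", frame, 24)[0] if readable else None
    return {"kind": "disassoc" if subtype == DISASSOC else "deauth",
            "dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "protected": protected, "reason": reason}

def flag_bursts(capture, window=1.0, threshold=3):
    """capture: (timestamp_seconds, frame_bytes) tuples in time order. Returns
    {(src, dst): peak_count} for pairs with >= threshold unprotected teardowns in window."""
    recent, alerts = {}, {}
    for ts, raw in capture:
        f = parse_teardown(raw)
        if f is None or f["protected"]:
            continue
        key = (f["src"], f["dst"])
        recent[key] = [t for t in recent.get(key, []) if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(recent[key]))
    return alerts

# Constructed sample frames (made-up locally administered MACs, not real traffic).
AP, STA = "020000000001", "020000000002"
HDR = "0000" + STA + AP + AP + "0000"          # duration, DA, SA, BSSID, seq ctrl
PLAIN = bytes.fromhex("a000" + HDR + "0800")    # unprotected disassociation, reason 8
PMF = bytes.fromhex("a040" + HDR + "00" * 18)   # protected disassociation, opaque body
BEACON = bytes.fromhex("8000" + HDR)            # unrelated management frame
SAMPLE = [(10.0, PLAIN), (10.2, PLAIN), (10.4, PLAIN), (10.5, PMF),
          (10.6, BEACON), (20.0, PLAIN)]

if __name__ == "__main__":
    print(flag_bursts(SAMPLE))
```

On a network where 802.11w is required, clients discard unprotected unicast disassociation frames, so a burst like the one flagged here is a signal to investigate rather than a working trigger.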
