Inspecting — KrØØk Vulnerability

If you are reading this article, I believe you have connected to a Wi-Fi network, and there are chances that you are vulnerable to a new security issue called — “ The Kr00k Vulnerability ”, which could decrypt the WPA-2 encryption without any authorization. Below I have provided an overview & shortcomings of the same.

How does Wi-Fi Work?

I want to focus on how WiFi work, as this would be the prerequisite to understanding why Kr00k is so vulnerable. The moment you connect to a wireless network, a bunch of requests are ready to be executed in the background, which is technically interesting!

Imagine you have connected to a wired network — with your host system that somewhat looks like:

Scenario 1 — Wired Connection to the Internet

Now think what would be the change if the host wants to connect to the internet wirelessly?

The answer hides with a hardware mechanism called Access Point, which provides wireless network access to all WiFi devices nearby. Now the picture slightly gets changed.

Scenario 2 — Wireless Connection to the Internet

When a device ( like mobile phones) connects to a wifi network, it first establishes a connection with AP (Access Point).

“ This connection establishment is called Association and disconnection of a device from the Wifi network is called Disassociation. A combination of both is called Reassociation.”

Each Request has a binary value assigned by the Management Frames. These are as follows:

The following frames are sent and responded to bridge a wireless network between a device and an access point.

WAP — Authentication and Association Process

1. Probe Request and response are sent and received, requesting information about the access point.
2. Authentication happens mutually.
3. Finally, the client sends association requests(0x0000) and association responses(0x0001).

If it is successful, the data gets transferred seamlessly. But, the most important thing to consider here is:

“ These Binary values and Requests are un-encrypted and un-authenticated ”

Now the Hacker comes into play, modifies the binary values, decrypts the WPA-2 encryption and sniffs all the network packets.

Attacking with Kr00k:

This vulnerability was first identified in Broadcom WiFi chipsets by ESET researchers, later named CVE-2019–15126. Within every WiFi chipset, we can find a 128-bit Temporal Key, used to encrypt the data frames during a transmission.

To understand, Let’s relate this temporal key to a session variable used in web browsers.

When the session ends, these session variables are cleared either when the browser is closed or due to a time-out.

Similarly, the Temporal Key is cleared and set to Zero during disassociation (i.e disconnection from the WiFi network).

When the temporal key is zero, No data can transmit until it is associated again.

Data transmitted is encrypted with a zero — encryption key that anyone can decrypt by providing the zero.

Now it’s a cakewalk for the hackers. They can manually trigger a disassociation to make the Temporal key a Zero-Encrypted key and decrypt the data frames by providing the zeroes.

source: www.eset.com/int/kr00k

This leads to unauthorized reading and decryption of data packets.

Conclusion:

As stated by ESET, this vulnerability affects Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), as well as devices under many other brands.

Patches for the affected devices have been released. Ensure that you use the updated Patches for all the WiFi devices, firmware, and software.

And remember — “One single Vulnerability is all a hacker Needs”.

So Stay Safe & Secured 🙂

Reach out to me:

https://www.instagram.com/vasanth_vanan/

https://twitter.com/vasanth__vanan

Vasanth Vanan - Bengaluru, Karnataka, India | Professional Profile | LinkedIn