• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Don’t Let Kr00k Bend You Out of Shape

February 28, 2020 By Trevor Collins

Byline to Matthew Terry

 

Kr00k, a recent vulnerability found by Eset, causes devices sending traffic over Wi-Fi to send unencrypted data, like in the KRACK vulnerability. While a separate vulnerability, KRACK exploits devices by installing an all-zero encryption key, among other vulnerabilities, whereas Kr00k exploits a timing issue where the client or access point (AP) removes the key before finishing its connection leading to an all-zero encryption key. With both vulnerabilities the result leads to traffic sent unencrypted over Wi-Fi. Eset estimated that billions of devices with Broadcom and Cypress Wi-Fi chips send unencrypted traffic over WI-FI when exploited with this vulnerability. We have confirmed that no WatchGuard devices use Broadcom or Cypress chips, so no WatchGuard devices are vulnerable. Connected devices may still fall victim to this attack though.

Wi-Fi communication typically works by having clients and their connected access point take turns speaking and listening. Unless you use an Open Wi-Fi network, the devices communicate securely over the air using standards like WPA2 or WPA3, where the client and AP will create a unique key to encrypt the communication (derived from the pre-shared key (PSK) of your Wi-Fi network, or from extensible  authentication protocol (EAP) parameters in a Wi-Fi network authenticating with 802.1x). While a device waits for its turn to communicate, it stores the chunks of data in a buffer. Then, when the device’s turn comes up, it will encrypt the data using the negotiated key and send it.

This communication can continue with each device taking turns sending and receiving data. The communication between a client and AP stops when one device decides that is wants to disconnect from the network. When this happens, usually one of the devices sends a message to disconnect from the wireless network.

When connecting or disconnecting, the AP and client authenticate or deauthenticate. When the session ends, the client deauthenticates with the AP using Management Frames. Additionally, a client or AP sending Management Frames over Wi-Fi must not encrypt this traffic since they haven’t negotiated a key yet. Therefore, you can spoof a deauthentication packet to disconnect a client. Kr00ck further exploits some devices by timing the deauthentication packet. When some Broadcom or Cypress chips receive a deauthnetication packet with data in the transmit buffer, it will clear the key then send the data in the transmit buffer, leading to traffic in the transmit buffer sent unencrypted.

An adversary could easily exploit this vulnerability with a simple device like a Wi-Fi pineapple. One only needs to send deauthnetication packets and monitor the traffic. Typically, the buffer will hold up to a few kilobytes of data. While that doesn’t sound like a lot, if timed correctly, for example, one could catch login details. Attackers could also repeatedly exploit the issue to build up significant leaked data over time.

We find Kr00k a less severe vulnerably than KRACK since the client would only send a small amount of traffic unencrypted. Additionally, no one could reasonably determine when the client sends traffic with the client personal information. But this attack affects billions of devices and only a minimal amount of knowledge is needed to exploit it. The ease and reliability of this exploit make gathering information simple, even with a low success rate for the exploit, to capture personal details for every try.

Broadcom and Cypress have released patches so venders can implement them. Consumers can mitigate against Kr00k, outside of patches from vendors, by configuring the use of WPA3 only, or enabling 802.11w protected Management Frames on their Wi-Fi SSID. WatchGuard also supports enabling 802.11w protected Management Frames with our Wi-Fi Cloud solution. Also, while Wireless Intrusion Prevention System (WIPS) cannot prevent attackers from sending deauthentication or disassociation frames to clients and access points, WatchGuard’s Wi-Fi Cloud managed access points have the capability of detecting and notifying administrators about deauthentication flood attacks, which happen when an attacker attempts to take advantage of this vulnerability. On the client side, SSL encryption in HTTPS traffic does keep most data safe from this exploit, but for unencrypted traffic you can use a trusted VPN to help protect the traffic.

Share This:

Related

Filed Under: Editorial Articles

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • 3CX Supply Chain Attack
  • Here Come The Regulations

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • 3CX Supply Chain Attack
  • The NSA’s Guidance on Securing Authentication
  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use