Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks
The Kr00k vulnerability disclosed earlier this year has so far only been found to impact devices using Wi-Fi chips from Broadcom and Cypress, but researchers revealed this week that similar flaws have been discovered in chips made by Qualcomm and MediaTek.
Cybersecurity firm ESET reported in February that billions of Wi-Fi-capable devices may have been at one point affected by a vulnerability that could have been exploited to obtain sensitive information from wireless communications.
The security hole, named Kr00k and tracked as CVE-2019-15126, caused affected devices to use an all-zero encryption key to encrypt some of a user’s communications. This enabled a malicious actor to decrypt some of the packets transmitted by these devices.
Kr00k attacks can be launched when a disassociation occurs, that is, when a device is disconnected from a wireless network due to switching access points, signal interference, or the Wi-Fi feature being disabled. Because of the vulnerability, a nearby attacker can capture several kilobytes of potentially sensitive data transmitted when the device is reassociated and decrypt it. In order to increase their chances of success, an attacker could manually trigger disassociations and reassociations.
Broadcom and Cypress released patches after being notified by ESET. Impacted products included laptops, tablets, smartphones, routers and IoT devices made by Amazon, Google, Apple, Samsung, Xiaomi, Huawei, Raspberry Pi Foundation, and Asus.
While Wi-Fi chips from Qualcomm, Ralink, Realtek and MediaTek are not vulnerable to Kr00k attacks, ESET researchers discovered that they are affected by similar flaws.
In the case of Qualcomm — the vulnerability is tracked as CVE-2020-3702 — an attacker can obtain sensitive data after triggering a disassociation, but the difference is that the captured data is not encrypted at all, unlike in the case of Kr00k, where an all-zero key is used for encryption.
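For defenders, the two observable signals in the attack described above and in the Kr00k write-up are the trigger (a burst of disassociation or deauthentication frames against a client) and, for the Qualcomm and MediaTek variants, the symptom (data frames on a WPA2 network sent with the Protected Frame bit clear). The following Python sketch, an added example that is not ESET's script or any code from the article, flags both in a sequence of raw 802.11 frames; the frames, MAC addresses and thresholds are constructed for illustration, and the all-zero-key Kr00k case is not covered since it requires CCMP decryption to detect.

```python
from collections import defaultdict

# Frame Control byte 0: bits 2-3 = type, bits 4-7 = subtype.
# Frame Control byte 1: bit 0 To DS, bit 1 From DS, bit 6 Protected Frame.
MGMT, DATA = 0, 2
DISASSOC, DEAUTH = 0x0A, 0x0C
EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"  # LLC/SNAP header + 802.1X ethertype

def parse(frame):
    """Split a raw 802.11 header into the fields the checks below need."""
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    to_ds, from_ds = fc1 & 0x1, fc1 & 0x2
    # BSSID position depends on the DS bits (4-address WDS frames are not handled here).
    bssid = a1 if to_ds and not from_ds else a2 if from_ds and not to_ds else a3
    hdr_len = 26 if ftype == DATA and subtype & 0x8 else 24  # QoS data adds a 2-byte QoS field
    return ftype, subtype, bool(fc1 & 0x40), a2, bssid, frame[hdr_len:]

def analyse(frames, protected_bssids, window_s=1.0, threshold=5):
    """frames: iterable of (timestamp, raw_frame). Returns a list of (finding, mac) tuples."""
    findings, kicks = [], defaultdict(list)
    for ts, raw in frames:
        ftype, subtype, protected, ta, bssid, body = parse(raw)
        if ftype == MGMT and subtype in (DISASSOC, DEAUTH):
            kicks[ta] = [t for t in kicks[ta] if ts - t <= window_s] + [ts]
            if len(kicks[ta]) == threshold:  # report once when the threshold is reached
                findings.append(("disassoc_burst", ta.hex(":")))
        elif ftype == DATA and not subtype & 0x4 and bssid in protected_bssids:
            # Null-function frames (subtype bit 2) have no body and are never encrypted;
            # the 4-way handshake (EAPOL) is legitimately sent in the clear.
            if not protected and not body.startswith(EAPOL):
                findings.append(("unprotected_data", ta.hex(":")))
    return findings

def build(fc0, fc1, a1, a2, a3, body=b""):
    """Constructed minimal frame: FC, duration, three addresses, sequence control, body."""
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00" + body

AP, STA = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"  # constructed MACs
SAMPLE = [(0.1 * i, build(0xC0, 0x00, STA, AP, AP)) for i in range(5)] + [  # deauth burst
    (1.0, build(0x08, 0x02, STA, AP, AP, EAPOL + b"\x02\x03")),  # EAPOL in the clear: expected
    (1.1, build(0x88, 0x41, AP, STA, AP, b"\x00\x00" + b"\x11" * 24)),  # CCMP-protected QoS data
    (1.2, build(0xC8, 0x01, AP, STA, AP)),  # QoS null: no body, never encrypted
    (1.3, build(0x88, 0x01, AP, STA, AP, b"\x00\x00\xaa\xaa\x03\x00\x00\x00\x08\x00")),  # cleartext IP
]

def run_sample():
    return analyse(SAMPLE, {AP})
```

On the constructed sample the deauthentication burst from the access point address and the single cleartext IP frame from the client are reported, while the handshake and null frames are correctly ignored.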
“The devices we tested and found to have been vulnerable are the D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router. Of course, any other unpatched devices using the vulnerable Qualcomm chipsets will also be vulnerable,” ESET said.
Qualcomm released a patch for its proprietary driver in July, but some devices use open source Linux drivers and it’s not clear if those will be patched as well.
“Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from ESET for using industry-standard coordinated disclosure practices. Qualcomm has already made mitigations available to OEMs in May 2020, and we encourage end users to update their devices as patches have become available from OEMs,” a Qualcomm spokesperson told SecurityWeek.
MediaTek Wi-Fi chips have also been found to use no encryption at all. These chips are used in Asus routers and even in the Microsoft Azure Sphere development kit.
“Azure Sphere uses MediaTek’s MT3620 microcontroller and targets a wide range of IoT applications, including smart home, commercial, industrial and many other domains,” ESET explained.
MediaTek released fixes in March and April, while the Azure Sphere OS was patched in July.
Since several proof-of-concept (PoC) exploits have already been released for the Kr00k attack, ESET has now decided to release a script that tells users if a device is vulnerable to Kr00k or the newer attack variants.
*Updated with statement from Qualcomm.