Kr00k WiFi Vulnerability

by Robinson Roca
Practice Leader – Network Infrastructure

A new vulnerability which affects any wireless device with Broadcom and Cypress WiFi chips has been announced.  Most company’s do not track what WiFi chips are used to connect to the network.  There can be countless affected WiFi devices in the network.  The vulnerability has been confirmed to affect Apple iOS, iPadOS, macOS, Amazon Fire OS,  Google Nexus, Samsung Galaxy and some Xiaomi devices.  That may only be the beginning of the named list, as there is a wide array of wireless devices.

This vulnerability is called “Kr00k”.  The CVE for Kr00k is (CVE-2019-15126).  It can be used by an attacker to intercept and decrypt WiFi traffic encrypted using the ubiquitous WPA-2 AES encryption.

Here’s how the vulnerability works.  Devices disassociate from the network all the time, as all WiFi devices do when the user walks around with them. When the vulnerable device disassociate they reset their known WiFi key (password) to all zeros.  This makes the key known to anyone aware of this vulnerability, thus opening the door to capturing data when reconnecting to a network that has been deemed trusted.  If all communication using a vulnerable device is over HTTPS gets captured by an attacker, the data will still be secured as it’s encrypted with SSL encryption, but the hacker still has the data in hand which is not a desirable outcome.

Many of the above vendors have put out patches to fix this vulnerability, but most companies don’t have the resources to follow up with every single vendor to ensure all end node WiFi devices were patched.  If you plan to mitigate the issues in-house you’ll have the peace of mind in knowing that security is not in the hands of your various vendors.  Especially in BYOD scenarios.

Helient’s recommendations are the following:

  • Use 802.1x authentication with certificate encryption wherever possible.
  • Put all IoT devices into a dedicated DMZ, with internet access only, this protects your firm from hijacked devices entering your internal Network.
  • Use WPA-3 Enterprise if possible and where available.
  • Ensure your wireless uses its own dedicated Layer 3 boundary, as it makes it easier to apply network layer policies if necessary
  • Guest wireless should never have a Layer 3 interface on your production Core (even with Access-Lists applied).
  • If guest traffic lands on production equipment and not on dedicated guest Network hardware, make sure the Layer 3 boundary stops at a security hardened device, like a firewall with policies applied.
  • Utilizing dedicated internet service for Guest traffic would be excellent, as it ensures the efficacy of the traffic leaving your production network.

Of course, Helient is always prepared to assist with keeping your network safe.  If you would like assistance or have questions, please reach out to Helient today.