
Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks

The Kr00k vulnerability disclosed earlier this year had only been found to impact devices using Wi-Fi chips from Broadcom and Cypress, but researchers revealed this week that similar flaws have been discovered in chips made by Qualcomm and MediaTek.

Cybersecurity firm ESET reported in February that billions of Wi-Fi-capable devices may have been at one point affected by a vulnerability that could have been exploited to obtain sensitive information from wireless communications.

The security hole, named Kr00k and tracked as CVE-2019-15126, caused affected devices to use an all-zero encryption key to encrypt some of a user’s communications. This enabled a malicious actor to decrypt some of the packets transmitted by these devices.

Kr00k attacks can be launched when a disassociation occurs, that is, when a device is disconnected from a wireless network because it switches access points, suffers signal interference, or has its Wi-Fi feature disabled. Due to the vulnerability, when the device is reassociated a nearby attacker can capture several kilobytes of potentially sensitive data and decrypt it. To increase their chances of success, an attacker could manually trigger disassociations and reassociations.

Broadcom and Cypress released patches after being notified by ESET. Impacted products included laptops, tablets, smartphones, routers and IoT devices made by Amazon, Google, Apple, Samsung, Xiaomi, Huawei, Raspberry Pi Foundation, and Asus.

While Wi-Fi chips from Qualcomm, Ralink, Realtek and MediaTek are not vulnerable to Kr00k attacks, ESET researchers discovered that they are affected by similar flaws.

In the case of Qualcomm — the vulnerability is tracked as CVE-2020-3702 — an attacker can obtain sensitive data after triggering a disassociation, but the difference is that the captured data is not encrypted at all, unlike in the case of Kr00k, where an all-zero key is used for encryption.

“The devices we tested and found to have been vulnerable are the D-Link DCH-G020 Smart Home Hub and the Turris Omnia wireless router. Of course, any other unpatched devices using the vulnerable Qualcomm chipsets will also be vulnerable,” ESET said.

Qualcomm released a patch for its proprietary driver in July, but some devices use open source Linux drivers and it’s not clear if those will be patched as well.

“Providing technologies that support robust security and privacy is a priority for Qualcomm. We commend the security researchers from ESET for using industry-standard coordinated disclosure practices. Qualcomm has already made mitigations available to OEMs in May 2020, and we encourage end users to update their devices as patches have become available from OEMs,” a Qualcomm spokesperson told SecurityWeek.

MediaTek Wi-Fi chips have also been found to use no encryption at all. These chips are used in Asus routers and even in the Microsoft Azure Sphere development kit.
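As an added example (not ESET's script and not code from the article), a small Python monitor for the cleartext variant described for the Qualcomm and MediaTek chips: it flags data frames sent with the 802.11 Protected bit clear on a network known to use WPA2 by a station or access point that was just disassociated or deauthenticated. The header parsing and the sample capture are constructed for this illustration; Kr00k proper, where frames are still marked protected but use an all-zero key, would additionally need a decryption attempt, which this monitor does not perform.

```python
import struct
# 802.11 frame-control layout: type/subtype in byte 0, flags in byte 1
TYPE_MGMT, TYPE_DATA, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0, 2, 10, 12
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40

def build_frame(ftype, subtype, flags, addr1, addr2, addr3, body=b""):
    """Minimal 24-byte MAC header plus body; used only to construct test input."""
    fc0 = (ftype << 2) | (subtype << 4)
    return struct.pack("<BBH", fc0, flags, 0) + addr1 + addr2 + addr3 + b"\x00\x00" + body

def parse_header(frame):
    """Decode the fields the detector needs; None for runt frames."""
    if len(frame) < 24:
        return None
    fc0, flags = frame[0], frame[1]
    return {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF, "flags": flags,
            "protected": bool(flags & FLAG_PROTECTED),
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22]}

def bssid_of(h):
    """Which address holds the BSSID depends on the To-DS/From-DS bits (WDS -> None)."""
    ds = h["flags"] & (FLAG_TO_DS | FLAG_FROM_DS)
    return {FLAG_TO_DS: h["addr1"], FLAG_FROM_DS: h["addr2"], 0: h["addr3"]}.get(ds)

def find_cleartext_after_disassoc(frames, encrypted_bssids):
    """(index, transmitter) of each data frame sent with the Protected bit clear on a
    WPA2 BSS by an endpoint of a recent disassociation/deauthentication exchange."""
    suspect, alerts = set(), []
    for i, frame in enumerate(frames):
        h = parse_header(frame)
        if h is None:
            continue
        if h["type"] == TYPE_MGMT and h["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            suspect.update((h["addr1"], h["addr2"]))  # either side may send it
        elif (h["type"] == TYPE_DATA and not h["protected"]
              and bssid_of(h) in encrypted_bssids and h["addr2"] in suspect):
            alerts.append((i, h["addr2"]))
    return alerts

# Constructed capture: the AP disassociates STA, STA then sends one data frame in
# the clear; STA2 on an open network sends cleartext legitimately and is ignored.
AP, STA, OPEN_AP, STA2 = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3, 4))
SAMPLE_FRAMES = [
    build_frame(TYPE_DATA, 0, FLAG_TO_DS | FLAG_PROTECTED, AP, STA, b"\xff" * 6, b"\x00" * 8),
    build_frame(TYPE_MGMT, SUBTYPE_DISASSOC, 0, STA, AP, AP, b"\x08\x00"),
    build_frame(TYPE_DATA, 0, FLAG_TO_DS, AP, STA, b"\xff" * 6, b"\xaa\xaa\x03"),
    build_frame(TYPE_DATA, 0, FLAG_TO_DS, OPEN_AP, STA2, b"\xff" * 6, b"\xaa\xaa\x03"),
]
```

Running `find_cleartext_after_disassoc(SAMPLE_FRAMES, {AP})` on the constructed capture reports only the third frame, sent by STA right after its disassociation.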

“Azure Sphere uses MediaTek’s MT3620 microcontroller and targets a wide range of IoT applications, including smart home, commercial, industrial and many other domains,” ESET explained.

MediaTek released fixes in March and April, while the Azure Sphere OS was patched in July.

Since several proof-of-concept (PoC) exploits have already been released for the Kr00k attack, ESET has now decided to release a script that tells users if a device is vulnerable to Kr00k or the newer attack variants.

*updated with statement from Qualcomm

Related: Cisco to Release Updates for Wireless Products Affected by Kr00k Vulnerability

Related: Wi-Fi Flaws Expose iPhone, Nexus Phones to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
