KrØØk vulnerability in billions of Wi-Fi devices left communications open to eavesdropping due to encryption flaw: CVE-2019-15126

Arlen Holder

Feb 27, 2020, 12:43:39 AM
Dateline today...
"The krook vulnerability affects both WPA2-Personal & WPA2-Enterprise
protocols, with AES-CCMP encryption."

o What is Kr00k?
<https://www.eset.com/int/kr00k/>
"The vulnerability affects all unpatched devices with Broadcom
and Cypress FullMac Wi-Fi chips. These are the most common Wi-Fi chips
used in today's client devices, made by well-known manufacturers
including Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook),
Google (Nexus), Samsung (Galaxy) as well as devices under many
other brands. Wi-Fi Access points and routers are also affected
by Kr00k, making even environments with patched client devices
vulnerable. All-in-all, before patching there were more than
a billion affected devices."

o Serious vulnerability affected encryption of billions of WiFi devices
<https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/>
"ESET researchers discovered a previously unknown vulnerability
in Wi-Fi chips and named it Kr00k. This serious flaw, assigned
CVE-2019-15126, causes vulnerable devices to use an all-zero encryption
key to encrypt part of the user's communication."

"Kr00k affects devices with Wi-Fi chips by Broadcom and Cypress that
haven't yet been patched. These are the most common Wi-Fi chips used
in contemporary Wi-Fi capable devices such as smartphones, tablets,
laptops, and IoT gadgets."

o Kr00k: How KRACKing Amazon Echo Exposed a Billion+ Vulnerable WiFi Devices
<https://www.rsaconference.com/usa/agenda/kr00k-how-kracking-amazon-echo-exposed-a-billion-vulnerable-wifi-devices>

o Flaw in billions of Wi-Fi devices left communications open to
eavesdropping: Cypress and Broadcom chip bug bit iPhones, Macs, Android
devices, Echoes, and more
<https://arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/>
"The affected devices include iPhones, iPads, Macs, Amazon Echos
and Kindles, Android devices, Raspberry Pi 3's, and Wi-Fi routers
from Asus and Huawei."

"Manufacturers have made patches available for most or all of the
affected devices, but it's not clear how many devices have installed
the patches. Of greatest concern are vulnerable wireless routers,
which often go unpatched indefinitely."

o Broadcom chip flaw left select iPhones vulnerable to network eavesdropping
<https://9to5mac.com/2020/02/26/iphone-fixed-broadcom-chip-flaw/>
"The affected Apple devices included:
iPad mini 2
iPhone 6, 6S, 8, and XR
MacBook Air 2018"

o New Kr00k vulnerability lets attackers decrypt WiFi packets
<https://www.zdnet.com/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/>
"All in all, the Kr00k vulnerability should be easier to protect
against than KRACK -- a major vulnerability that impacted the
WPA2 WiFi protocol and forced most device vendors to switch to
using WPA3 by default."
--
Only 2 types of people are on Usenet: those who add value & those who can't.

Libor Striz

Feb 27, 2020, 4:18:08 AM
Arlen Holder <arlen.geo...@is.invalid> Wrote in message:

In the past I was monitoring and reporting advice about published
relevant vulnerabilities for the SW portfolio of some big global
engineering company.

Such HW-related vulnerabilities always stir
the steady pond waters of high mgmt,
who had already got used to "normal" critical vulnerabilities.

> Only 2 types of people are on Usenet: those who add value & those who can't.

There are many who can, but do not, for many reasons.
There are many who do and do not, dependent.
There are many, whose contribution is evaluated
as adding value by some, but not by some others.


--
Poutnik ( the Wanderer )

R.Wieser

Feb 27, 2020, 4:10:09 PM
Libor,

>> Only 2 types of people are on Usenet: those who add value & those who
>> can't.
>
> There are many who can, but do not,for many reasons.

I suggest you ignore the kid.

He's the kind of leech for which there really only are those two types:
Those who are providing stuff that /he/ can use, and the ones who he thinks
he can taunt/cajole into doing the same.

Or maybe more correct: he only recognises /one/ kind of people: those who
give him what he needs. At this moment, or in the very near future.

The ones he already squeezed dry or refuse to be (any longer) used like that
simply do not exist. Other than to ridicule perhaps.

Regards,
Rudy Wieser

