Thursday, February 27, 2020

Kr00k Wi-Fi Vulnerability

Dan Goodin (via Juli Clover):

Billions of devices—many of them already patched—are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data sent over the air, researchers said on Wednesday at the RSA security conference.


Kr00k exploits a weakness that occurs when wireless devices disassociate from a wireless access point. If either the end-user device or the access point is vulnerable, it will put any unsent data frames into a transmit buffer and then send them over the air. Rather than encrypt this data with the session key negotiated earlier and used during the normal connection, vulnerable devices use a key consisting of all zeros, a move that makes decryption trivial.

Disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable client device or access point can easily send disassociation frames to trigger the vulnerability because these frames aren’t authenticated.

Apple has fixed this in macOS 10.15.1, but there doesn’t seem to be an update for Mojave. As Goodin says, most sensitive traffic should already use its own encryption rather than relying on the Wi-Fi network’s, but DNS queries are usually unencrypted.
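The disassociation trigger described above can be watched for from the defender's side. The following is an added example, not part of the original post or the quoted article: it flags AP/station links that see a burst of disassociation frames in a short window, as opposed to the occasional disassociation that roaming or interference produces. The log format, the addresses, and both thresholds are constructed assumptions, not the output of any particular tool.

```python
from collections import defaultdict, deque

# Constructed sample of management frames as a monitor-mode sensor might log them:
# "<epoch seconds> <subtype> <transmitter> <receiver>". Not real capture data.
SAMPLE_LOG = """\
100.0 disassoc aa:aa:aa:aa:aa:01 cc:cc:cc:cc:cc:10
160.0 disassoc aa:aa:aa:aa:aa:01 cc:cc:cc:cc:cc:11
300.0 disassoc aa:aa:aa:aa:aa:01 cc:cc:cc:cc:cc:20
300.4 assoc-req cc:cc:cc:cc:cc:20 aa:aa:aa:aa:aa:01
301.1 disassoc aa:aa:aa:aa:aa:01 cc:cc:cc:cc:cc:20
302.0 disassoc aa:aa:aa:aa:aa:01 cc:cc:cc:cc:cc:20
303.5 disassoc aa:aa:aa:aa:aa:01 cc:cc:cc:cc:cc:20
"""

WINDOW_SECONDS = 10.0  # assumption: tune to how often clients roam on your network
THRESHOLD = 3          # assumption: disassociations per link per window before alerting

def parse_frames(log):
    """Yield (timestamp, subtype, transmitter, receiver) from the constructed format."""
    for lineno, line in enumerate(log.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        ts, subtype, tx, rx = fields
        yield float(ts), subtype, tx.lower(), rx.lower()

def find_disassoc_bursts(log, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {(addr_a, addr_b): time of first alert} for links with bursts."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, tx, rx in parse_frames(log):
        if subtype != "disassoc":
            continue
        # The frames are unauthenticated, so the claimed transmitter cannot be
        # trusted; count per link regardless of which side appears to send.
        link = tuple(sorted((tx, rx)))
        q = recent[link]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and link not in alerts:
            alerts[link] = ts
    return alerts

if __name__ == "__main__":
    for link, when in find_disassoc_bursts(SAMPLE_LOG).items():
        print(f"burst of disassociation frames on {link[0]} <-> {link[1]} at t={when}")
```

An alert here only says that something is repeatedly forcing a link to drop; whether buffered data was exposed depends on whether the client or access point is still unpatched.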

Update (2020-03-06): Robert Barat:

It looks like they finally put out a fix for Mojave and High Sierra on the 27th


Sensitive traffic must use its own encryption (HTTPS or something more robust) whether or not the Wi-Fi network is secure.

Wi-Fi encryption only secures the radio link from the mobile device to the access point. But unless your network service is running in the router itself, the traffic is going to be forwarded elsewhere - probably to a server somewhere on the Internet. If that traffic is not encrypted, then it can be snooped, intercepted or modified by any node along the way.

It looks like they finally put out a fix for Mojave and High Sierra on the 27th

Which models of Mac are affected by this vulnerability?

Wonder why they dropped Catalina from the entry this time? The document says it was fixed back in December, but the entry was added on the 27th. And I think it’s a safe bet that all Macs capable of running High Sierra and above were affected, if not even before that.

Ah, I see it was fixed for Catalina 10.15.1, but not the Security Updates for Mojave & High Sierra at that time. Those were delayed until the next update.

Sören Nils Kuklau

I believe that page says the fix was released in December, but it wasn’t disclosed until now.
