SAN FRANCISCO - Encryption is good for protecting data in transit, except when that data is encrypted with a key of all zeros. According to ESET researchers who disclosed the flaw at the RSA Conference here today (Feb. 26), a newly revealed Wi-Fi chip vulnerability does exactly that. The vulnerability affects Apple iPhones, iPads and Macs; Amazon Echo and Kindle devices; Samsung Galaxy phones and tablets; the Raspberry Pi 3; older Google Nexus phones; and some Asus and Huawei Wi-Fi routers, putting more than one billion consumer devices at risk.
ESET researchers named the flaw Kr00k (tracked as CVE-2019-15126) because of its similarity to the earlier Key Reinstallation Attack, better known as KRACK.
The vulnerability exists in Wi-Fi chips made by Broadcom and by Cypress, which acquired Broadcom's Internet of Things business in 2016. It affects devices that connect using WPA2, the most widely deployed Wi-Fi security standard, with the AES-CCMP cipher that WPA2 normally uses; devices using WPA3 are not affected.
Many device manufacturers have released updates, so users should make sure their devices are running the latest available version (Apple fixed this flaw in iOS 13.2 and macOS Catalina 10.15.1). However, it can be difficult to determine whether a router, for example, has the latest firmware.
A successful attack starts by forcing the targeted device, such as a smartphone, to disconnect (disassociate) from the Wi-Fi access point. That is easy to do: WPA2 does not authenticate disassociation and deauthentication frames unless protected management frames (802.11w) are enabled, so an attacker within radio range can simply forge one.
When the vulnerable chip handles the disassociation, it clears the per-session encryption key to all zeros. Any data still waiting in the chip's transmit buffer, up to a few kilobytes, is nevertheless encrypted with that all-zero key and transmitted. Instead of a secret, random session key, those frames are protected by a key that anyone can guess.
An attacker can use Kr00k repeatedly, forcing the device to disconnect and reconnect over and over; each cycle flushes another buffer of frames encrypted with the zero key, which the attacker captures and decrypts at leisure. The attack does not recover the network's real key, and it exposes only the traffic the device happened to be sending when it was disconnected, but repeated over time it can yield a meaningful amount of plaintext. When the access point itself is vulnerable, the same trick exposes frames it was sending to any client on the network. Note that Kr00k strips only the Wi-Fi layer's encryption: traffic protected at a higher layer, such as HTTPS or a VPN, stays encrypted.
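The repeated disconnections described above are the one part of a Kr00k attack that is visible on the air before any decryption happens. The following Python script is an added example, not ESET's code or any tool mentioned in this article: it parses the 802.11 MAC header of captured frames, counts disassociation and deauthentication frames aimed at each client inside a sliding time window, and flags clients that receive an abnormal burst. The frames and MAC addresses it processes are constructed test data, and the window and threshold are assumed tuning values, not figures from ESET's research.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame types and the management subtypes that tear down an association
MGMT, DATA = 0, 2
DISASSOC, DEAUTH = 0xA, 0xC


def parse_header(frame: bytes):
    """Parse the generic 802.11 MAC header.

    Returns (type, subtype, addr1, addr2, addr3). For management frames
    addr1 is the receiver, addr2 the transmitter and addr3 the BSSID.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]                      # frame control, low byte
    ftype = (fc >> 2) & 0x3            # bits 2-3: type
    subtype = (fc >> 4) & 0xF          # bits 4-7: subtype
    return ftype, subtype, frame[4:10], frame[10:16], frame[16:22]


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def find_disassoc_bursts(capture, window=10.0, threshold=5):
    """Flag clients hit by >= `threshold` disassociation/deauthentication
    frames within any `window` seconds.

    capture: iterable of (timestamp_seconds, raw_frame_bytes), time-ordered.
    Returns {client_mac: highest_count_seen_in_a_window}.
    Window and threshold are assumed values; tune them for the network.
    """
    recent = defaultdict(deque)        # client -> timestamps of teardown frames
    alerts = {}
    for ts, frame in capture:
        ftype, subtype, addr1, _, _ = parse_header(frame)
        if ftype != MGMT or subtype not in (DISASSOC, DEAUTH):
            continue                   # data, beacons etc. are not of interest
        client = mac_str(addr1)
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                # drop events that fell out of the window
        if len(q) >= threshold:
            alerts[client] = max(alerts.get(client, 0), len(q))
    return alerts


def build_mgmt_frame(subtype, dst, src, bssid, reason=1):
    """Build a minimal management frame (constructed test data only)."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])
    header = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + struct.pack("<H", reason)   # body: 2-byte reason code


# Constructed addresses for the sample capture (not real devices)
AP = bytes.fromhex("0016ea000001")       # BSSID the attacker will impersonate
VICTIM = bytes.fromhex("aabbccddee01")   # client being hammered
OTHER = bytes.fromhex("aabbccddee02")    # client that disconnects once, normally


def sample_capture():
    """Constructed capture: eight forged disassociations against VICTIM in
    four seconds, one ordinary deauth to OTHER, and one data frame."""
    frames = []
    for i in range(8):
        frames.append((100.0 + 0.5 * i,
                       build_mgmt_frame(DISASSOC, VICTIM, AP, AP)))
    frames.append((103.0, build_mgmt_frame(DEAUTH, OTHER, AP, AP)))
    data = (bytes([(0 << 4) | (DATA << 2), 0x02]) + b"\x00\x00"
            + VICTIM + AP + AP + b"\x00\x00" + b"payload")
    frames.append((104.0, data))
    frames.sort(key=lambda f: f[0])
    return frames


if __name__ == "__main__":
    for client, count in find_disassoc_bursts(sample_capture()).items():
        print(f"possible forced-disassociation burst against {client}: "
              f"{count} teardown frames in one window")
```

A burst like this only shows that something is repeatedly kicking a client off the network, which is also what ordinary deauthentication-based denial of service looks like; it does not prove that the client's chip then leaked zero-key frames. The definitive check is to try decrypting the data frames that follow each disassociation with an all-zero CCMP key, which requires an AES-CCM implementation and the captured frames themselves. Enabling protected management frames where the hardware supports them removes the easy trigger altogether.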
ESET researchers have worked on this vulnerability for over a year and have confirmed that manufacturers using Broadcom and Cypress chips have developed and released patches for it, Amazon and Apple among them. Getting those patches onto the vast number of affected devices, however, is complex.
Conversely, according to ESET researchers, consumers who do not update their devices with the latest patches remain exposed to a relatively simple attack.
The risk of exploitation is considered relatively low because an attacker needs to be within radio range of the Wi-Fi network in order to force the device off the access point. But that could be as simple as walking into a coffee shop and attacking the local network. Robert Lipovsky, senior malware researcher at ESET and one of the principal researchers behind Kr00k, warns that because the weakened encryption exposes data in transit, consumers need to take patching their devices seriously.
"Hackers can get usernames, passwords, session IDs, and anything else that is transmitted," he says
One of the problems with relying on consumers to patch their devices is that not all devices update automatically. Best practice is to enable automatic updates, as Apple devices do by default, but policies vary from manufacturer to manufacturer.
Lipovsky recommends that consumers manually check their devices and Wi-Fi routers to ensure the latest updates are installed, since it is difficult to tell whether the vulnerability is being actively exploited.
"There's no way to know if it's being exploited in the wild," Lipovsky said