TL;DR
We created and published a PoC exploit of the kr00k
attack (CVE-2019-15126): https://github.com/hexway/r00kie-kr00kie
All technical details can be found in the Process section.
INTRODUCTION AND MOTIVATION
In February 2020, ESET released the KR00K – CVE-2019-15126 SERIOUS VULNERABILITY DEEP INSIDE YOUR WI-FI ENCRYPTION research. The vulnerability works as follows:
- The victim connects to a WiFi hotspot
- The adversary sends disassociation requests to the client and, by doing so, disconnects the victim from the hotspot
- Wireless Network Interface Controllers (WNIC) WiFi chip of the client clears out a session key (Temporal Key) used for traffic decryption
- However, data packets, which can still remain in the buffer of the WiFi chip after the disassociation, will be encrypted with an all-zero encryption key and sent.
- The adversary intercepts all the packets sent by the victim after the disassociation and attempts to decrypt them using a known key value (which, as we remember, is set to zero)
- PROFIT
The following devices were claimed vulnerable:
- Amazon Echo 2nd gen
- Amazon Kindle 8th gen
- Apple iPad mini 2
- Apple iPhone 6, 6S, 8, XR
- Apple MacBook Air Retina 13-inch 2018
- Google Nexus 5
- Google Nexus 6
- Google Nexus 6P
- Raspberry Pi 3
- Samsung Galaxy S4 GT-I9505
- Samsung Galaxy S8
- Xiaomi Redmi 3S
So, since we have Raspberry Pi 3
ready at hand, let’s find out whether Kr00k
actually works. Surely, ESET researchers or some community members have already published a PoC, haven’t they?
Umm, Google found nothing but a pile of FUDs and an empty GitHub repository.
Ok, let’s make it ourselves.
UPDATE: while we were drawing the logo for this publication, Thice Security posted a PoC as well.
RESULTS
The kr00k
attack is quite straightforward. So, it didn’t take much time for us to write our PoC.
To check whether a device is vulnerable, it’ll suffice to run the r00kie-kr00kie.py python script with bssid, channel number, and the victim’s mac address used as parameters and to have a bit of patience.
->~:python3 r00kie-kr00kie.py -i wlan0 -b D4:38:9C:82:23:7A -c 88:C9:D0:FB:88:D1 -l 11
DETAILS
After testing this PoC on different devices, we found out that the data of the clients that generated plenty of UDP traffic was the easiest to intercept. Among those clients, for example, there are various streaming apps because this kind of traffic (unlike small TCP packets) will always be kept in the buffer of a WiFi chip.
BTW, here is another couple of devices we’ve used to prove the attack does work:
- Sony Xperia Z3 Compact (D5803)
- Huawei Honor 4X
All in all, now you have another tool you can use during one of your Red Team projects or security assessments of your clients’ WiFi networks: https://github.com/hexway/r00kie-kr00kie
Do not forget to have a look at the Process section. There you’ll find more details about this PoC development and the way it works.
You are welcome!