Security researchers have found a new vulnerability in Wi-Fi chips made by Broadcom and Cypress that reside inside mobile phones, tablets and laptops, as pointed out in this media report.
This new security flaw, discovered by researchers at ESET, puts billions of devices in danger of being hacked, since the phone’s secure Wi-Fi setting has been decrypted, allowing anyone to access your device through the decrypted network and steal data if they want to.
The report says the bug, tracked as CVE-2019-15126, has been observed using an all-zero encryption key, and that it is also present in Wi-Fi routers made by Asus and Huawei. All in all, this bug puts a host of devices in danger, including smart speakers as well as Kindle readers.
ESET is calling the vulnerability “Kr00K”; it takes effect after a device disassociates itself from a Wi-Fi access point (AP).
Disassociation happens when you are using one Wi-Fi AP and suddenly lose connection to the network; the device then searches for another AP to connect to, which restores internet access on the phone, tablet or laptop.
After a device disassociates itself from a Wi-Fi network, it usually clears the session key stored in the Wireless Network Interface Controller (WNIC), which is a crucial component of a Wi-Fi router when you connect to a network.
However, because of “Kr00K”, the researchers found that the data, which was supposed to be set to zero, not only got transmitted to the new network but also provided a decrypted, plain-text version of the key.
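To make the ordering problem concrete, here is an added example (not ESET’s code and not any vendor’s firmware) that models a chip’s transmit path in C. It assumes a toy XOR cipher standing in for CCMP and constructed sample frames, and contrasts the vulnerable sequence (zero the key, then still transmit what was buffered) with a hardened one (drop the buffer first and refuse to encrypt under an all-zero key).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define TK_LEN 16     /* CCMP temporal (session) key length in bytes */
#define FRAME_LEN 8   /* toy frame size */
#define MAX_FRAMES 4
/* Toy model of a WNIC transmit path. XOR with the key stands in for CCMP so
 * the effect of an all-zero key is visible; a real chip runs AES-CCMP. */
typedef struct {
    uint8_t tk[TK_LEN];                  /* session key held by the chip */
    uint8_t txq[MAX_FRAMES][FRAME_LEN];  /* frames buffered for transmit */
    uint8_t sent[MAX_FRAMES][FRAME_LEN]; /* what actually left the radio */
    int queued, sent_count;
} wnic_t;
static bool key_is_all_zero(const uint8_t *tk) {
    uint8_t acc = 0; for (int i = 0; i < TK_LEN; i++) acc |= tk[i]; return acc == 0;
}
/* Transmit buffered frames; the hardened path refuses a cleared key. */
static int flush_txq(wnic_t *w, bool refuse_zero_key) {
    if (refuse_zero_key && key_is_all_zero(w->tk)) { w->queued = 0; return 0; }
    int n = w->queued;
    for (int i = 0; i < n; i++, w->sent_count++)
        for (int j = 0; j < FRAME_LEN; j++)
            w->sent[w->sent_count][j] = w->txq[i][j] ^ w->tk[j % TK_LEN];
    w->queued = 0;
    return n;
}
/* Vulnerable ordering: key zeroed first, then buffered frames still go out,
 * now "encrypted" under the all-zero key (the Kr00k condition). */
int disassociate_vulnerable(wnic_t *w) { memset(w->tk, 0, TK_LEN); return flush_txq(w, false); }
/* Hardened ordering: drop the queue before zeroing the key, and never
 * encrypt under an all-zero key even if something is still queued. */
int disassociate_fixed(wnic_t *w) { w->queued = 0; memset(w->tk, 0, TK_LEN); return flush_txq(w, true); }
/* Constructed sample session: a nonzero key and two buffered frames. */
static const char *DEMO_FRAMES[2] = {"passw0rd", "card4111"};
static void setup_demo(wnic_t *w) {
    memset(w, 0, sizeof *w);
    for (int i = 0; i < TK_LEN; i++) w->tk[i] = (uint8_t)(0x5a + 7 * i);
    for (int i = 0; i < 2; i++) memcpy(w->txq[i], DEMO_FRAMES[i], FRAME_LEN);
    w->queued = 2;
}
/* Frames that left the radio byte-identical to their plaintext. */
static int leaked_frames(const wnic_t *w) {
    int n = 0;
    for (int i = 0; i < w->sent_count; i++) n += memcmp(w->sent[i], DEMO_FRAMES[i], FRAME_LEN) == 0;
    return n;
}
int demo_vulnerable_leaks(void) { wnic_t w; setup_demo(&w); disassociate_vulnerable(&w); return leaked_frames(&w); }
int demo_fixed_sent(void) { wnic_t w; setup_demo(&w); disassociate_fixed(&w); return w.sent_count; }
```

In the toy cipher an all-zero key leaves every byte untouched, so both buffered frames leave the vulnerable radio as plaintext; under real CCMP they would be ciphertext under a key anyone can guess, which is the same exposure.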
This is a serious concern because, as explained by Steve Vorencik, Researcher, ESET, ‘Kr00K’ can expose up to 32KB of data at once, which could be passwords, credit card details or anything else the user’s device is sending to the internet through the Wi-Fi network they are using.
Thankfully, ESET shared all of these findings about the bug with Broadcom and Cypress, who say they have worked on firmware updates to patch the issue that allows the vulnerability to affect devices.
The report does point out that Wi-Fi chips from Qualcomm and MediaTek are not vulnerable to this bug, which will come as a big relief to the millions of mobile users in the country.
However, the researchers mention that the total of a billion devices affected is a conservative estimate, which suggests the real number could be much higher. Users are advised to update their devices immediately to safeguard themselves from possible intrusion.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)