Take my Wi-Fi. No please, take it.

March 13, 2020

If January 2020 was a month of bugs in enterprise and desktop kit, spring has been about a spate of vulnerabilities in various bits of Wi-Fi kit.

Researchers from ESET presented at the RSA Conference on a new vulnerability, which they’ve called kr00k. It affected devices using Wi-Fi chips made by two big manufacturers, Broadcom and Cypress. The issue arises when a device is disassociated from a network: the memory used to store the encryption key is zeroed out, but Wi-Fi frames are still transmitted, encrypted with this now all-zero key. This means these frames can be decrypted by anyone who collects the traffic and tries the all-zero key. Crucially, devices can be disassociated from a Wi-Fi network with an unauthenticated packet, meaning this attack can be triggered by anyone in Wi-Fi range of a target device, without having to be on the Wi-Fi network. For a full write-up, see their paper.
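To make the ordering problem concrete, here is a small model of the flaw described above, added as an illustration; it is not code from ESET's paper or from any vendor's firmware. The struct, the function names and the XOR stand-in for the real cipher are all assumptions, and the hardened path is just one way to close the gap in this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TK_LEN 16
#define FRAME_LEN 32
#define MAX_Q 4
/* Simplified, hypothetical model of a Wi-Fi chip's transmit path. */
struct chip {
    uint8_t tk[TK_LEN];            /* session key */
    uint8_t txq[MAX_Q][FRAME_LEN]; /* plaintext frames awaiting transmission */
    uint8_t air[MAX_Q][FRAME_LEN]; /* frames as they went out over the air */
    size_t queued, sent;
};
/* Stand-in for the real cipher (XOR with the key); not real cryptography. */
static void toy_encrypt(const uint8_t *tk, const uint8_t *in, uint8_t *out) {
    for (size_t i = 0; i < FRAME_LEN; i++) out[i] = in[i] ^ tk[i % TK_LEN];
}
/* Flawed ordering: the key is zeroed, then buffered frames are still sent. */
void disassoc_vulnerable(struct chip *c) {
    memset(c->tk, 0, TK_LEN);
    for (size_t i = 0; i < c->queued; i++)
        toy_encrypt(c->tk, c->txq[i], c->air[c->sent++]);
    c->queued = 0;
}
/* Hardened ordering for this model: drop buffered frames, then zero the key. */
void disassoc_hardened(struct chip *c) {
    c->queued = 0; /* nothing left to transmit once the key is gone */
    memset(c->tk, 0, TK_LEN);
}
/* Queue 3 constructed frames, disassociate, count frames readable with a zero key. */
size_t leaked_frames(void (*disassoc)(struct chip *)) {
    static const uint8_t zero_tk[TK_LEN] = {0};
    struct chip c = { .tk = {0x3a, 0x91, 0x5c, 0x07}, .queued = 3 }; /* constructed key */
    uint8_t out[FRAME_LEN];
    size_t leaked = 0;
    for (size_t i = 0; i < c.queued; i++) memset(c.txq[i], 'A' + (int)i, FRAME_LEN);
    disassoc(&c);
    for (size_t i = 0; i < c.sent; i++) {
        toy_encrypt(zero_tk, c.air[i], out); /* observer tries the all-zero key */
        if (memcmp(out, c.txq[i], FRAME_LEN) == 0) leaked++;
    }
    return leaked;
}
int main(void) {
    printf("vulnerable: %zu leaked, hardened: %zu leaked\n",
           leaked_frames(disassoc_vulnerable), leaked_frames(disassoc_hardened));
    return 0;
}
```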

This is an example of a more traditional attack against Wi-Fi: one aimed at breaking the encryption used to provide confidentiality, allowing someone collecting the traffic to decrypt and read it. Other examples include KRACK, and the now well-established attacks against WEP. However, other recent vulnerabilities have been even worse: they attack the device itself, not just its Wi-Fi traffic. This is part of a trend in offensive security research, particularly against mobile devices. As the traditional attacks against the browser become harder due to new security measures, the other attack surfaces become more interesting. This is particularly true as many of the Bluetooth, Wi-Fi or baseband chips in use don’t yet have the modern exploit protections such as ASLR and DEP that are standard on the main application processors. This makes the process of exploitation easier, if you can find a vulnerability.

Functionality such as Wi-Fi is a prime target as it has been around a long time and is ubiquitous. Of course, hacking a device over Wi-Fi has its own requirements, chief amongst them being within radio range of the target, so it’s only ever going to enable attacks over a limited range. The other major challenge is that exploiting a Wi-Fi chip doesn’t get you much, as an attacker wants more than just the Wi-Fi data. So, the logical next problem is how to jump to the application processor, once you’ve compromised the Wi-Fi chip. Typically, Wi-Fi chips are connected to the main processor by at least a couple of buses, one of which is normally a complicated, high-speed bus that supports DMA.

Solving this exact problem is something that was first done publicly three years ago by a Google Project Zero researcher. This kind of work is obviously continuing, as last week another P0 researcher released a Proof-of-Concept exploit that showed how a vulnerability in the iPhone’s peer-to-peer Wi-Fi (AWDL, the transmission channel used for AirDrop) could be exploited to dump memory from the iPhone.

And finally, in other worrying Wi-Fi news, the infamous Emotet malware has a neat new module that allows it to jump across Wi-Fi networks, if they’re using easy-to-guess passwords. See this article for more details. Without wanting to tempt fate, some really nice (read: terrible) malware functionality would be to spread password or encryption key cracking across all the infected machines.

For our latest research, and for links and comments on other research, follow our Lab on Twitter.

Scott Lester
Cyber Lab Manager