A vulnerability has been discovered that affects Wi-Fi connections, putting more than 1 billion devices at risk worldwide. This affects equipment that uses Wi-Fi chips from manufacturers Broadcom and Cypress, and as explained, it allows communications from an affected equipment to be encrypted with a cryptographic key that only contains zeros. This makes it possible, in the wake of a successful attack, to access the data by decrypting the communication packets.
And as ESET says, many of the most popular manufacturers and equipment are affected by the vulnerability, which has been named Krk. Among the affected devices are Apple's iPhone, iPad and MacBook, Amazon's Echo speakers and Kindle e-book readers, Google's Nexus smartphones, Raspberry Pi 3, Xiaomi's Redmi devices, as well as wireless access points from Asus and Huawei.
The vulnerability was introduced in the United States during the RSA 2020 cybersecurity conference in So Francisco, which ends today. Their discovery comes after ESET's previous investigation into the vulnerability of Amazon Echo columns to KRACK key reinstallation attacks (Key Reinstallation AttaCKs).
The company says that in a way, Krk and KRACK are related, albeit fundamentally different. ESET researchers have identified Krk as one of the causes behind the re-installation of zero-encryption keys, which had been observed in the KRACK attack tests. Following this investigation, most device manufacturers have released corrections.
However, any equipment that uses chips from manufacturers Broadcom and Cypress, which have not yet been corrected, continue to be affected by Krk. ESET also leaves a request for attention to users who, even if their equipment is updated, if the routers and wireless access points have not been fixed and they are used in these unprotected networks, they will be vulnerable again.
The two companies have already released fixes for their chips, but it is now up to equipment manufacturers to keep their devices up to date.