A flaw called Kr00k linked to Broadcom and Cypress Semiconductor WiFi chips affects more than a billion devices – mainly iPhone, but also, iPad, Macs, Android smartphones, Raspberry Pi, or Kindle and speakers connected to Amazon Echo. Eset explains that patches are already available from most manufacturers.
Here is the list of devices tested by Eset affected by the flaw:
- Amazon: Echo 2nd gen, Kindle 8th gen
- Apple: iPad mini 2, iPhone 6, iPhone 6S, iPhone 8, iPhone XR, MacBook, iPad Air
- Google: Nexus 5, Nexus 6, Nexus 6P
- Raspberry: Pi 3
- Samsung: Galaxy s4, Galaxy s8
- Xiaomi: Redmi 3S
The problem also seems to affect Asus and Huawei routers. Eset nevertheless specifies that “many other sellers whose products we have not tested use the affected chipsets in their devices”. The vulnerability would however not be present in Qualcomm, Realtek, Ralink, and Mediatek chips.
WiFi flaw affects more than a billion iPhone and Android smartphones
The Kr00k flaw manifests itself when a mobile device with a concerned chipset, mismatch its WiFi connection. This happens several times a day, in case of loss of signal. The chipset then attempts to re-establish the connection automatically. However, thanks to the vulnerabilities of these chipsets, hackers can force a client to disassociate and then transmit poorly encrypted data in a more compatible mode.
Eset has transmitted its findings several months in advance to the affected manufacturers, and a patch is available for most devices in the form of a system update. Whether you are on iPhone, Galaxy S8, or have an Amazon Echo, the best thing to do to protect yourself is, therefore, to make sure you are running the latest version of your operating system.
The investigation into this bug dates back to the third quarter of 2018. Cypress and Broadcom were informed in August 2019, and patches began circulating in the last quarter of 2019. Do you have a device from the list above? let us know in the comments.