LIFARS Advisory: Kr00k – CVE-2019-15126

US Department of the Interior failed its latest cybersecurity assessment

CVE-2019-15126 nicknamed as “Kr00k“ is a new vulnerability in Broadcom and Cypress Wi-Fi chips. The vulnerability was disclosed by ESET on RSA 2020 conference.

How Attack Works

Kr00k is a vulnerability that permits attackers to force Wi-Fi systems into dissociative states, granting the opportunity to decrypt packets sent over WPA2 Personal/Enterprise Wi-Fi channels. The attacker does not need to be connected to the victim’s wireless network

The attacker can use Kr00k to force a device to disconnect. After the device is disconnected, the Wi-Fi chip clears the session key in the memory and sets it to zero, but the chip transmits all data frames left in the buffer with an all-zero encryption key even after the disassociation.

List of client devices that ESET confirmed were vulnerable to Kr00k:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6S
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S

The researchers also found that the following wireless routers are vulnerable:

  • Asus RT-N12
  • Huawei B612S-25d
  • Huawei EchoLife HG8245H
  • Huawei E5577Cs-321

How Dangerous is the attack?

Kr00k affected billions of devices. As the attacker needs to have physical proximity to the Wi-Fi router, the risk of the exploit is considered low.

To receive a patch from the vendor, is it recommended to turn on automatic software updates on all devices as a best-practice.


Contacting LIFARS is Your Next (First?) Step for Handling Cyber Incidents.