Kr00k: Serious Vulnerability Affected Encryption of Billion+ Wi-Fi Devices

Conference:  BlackHat USA 2020



The presentation discusses the Crook vulnerability affecting Wi-Fi chips and provides advice on how to mitigate the vulnerability.
  • The source of Crook and related vulnerabilities is the Wi-Fi chip.
  • The vulnerability can be mitigated with firmware or driver updates.
  • Keeping devices up to date is important.
  • Manual updates for some devices can be problematic.
  • The vulnerability affects smartphones, Wi-Fi routers, and WPA2 enterprise.
  • Manufacturers should contact the Wi-Fi Alliance and their chip manufacturer.
  • Users should check for updates and contact their device vendor.
  • The presentation provides a web page with technical details and links to vendor advisories.
The presenter mentions the cooperation of companies in responding to disclosures professionally, particularly Amazon's joint effort to investigate the issue. However, some devices require manual updates, which can lead to attack scenarios, as discussed by another presenter. This is especially concerning as more people work from home due to COVID-19, accessing corporate resources and responsible for their own home Wi-Fi security.


We identified Kr00k (CVE-2019-15126) – a previously unknown vulnerability in chips used by a significant proportion of all Wi-Fi capable devices. Specifically, we discovered that Wi-Fi chips by Broadcom and Cypress – and possibly other manufacturers – could be forced to encrypt some packets in a WPA2-protected network with an all-zero encryption key. In a successful attack, this allows an adversary to decrypt some wireless network packets. The number of affected devices was likely over a billion as the vulnerable chips are used in devices from Apple, Samsung, Google, Amazon, and many others.The presentation will include technical details and a demonstration, where we will show how we were able to trigger Wi-Fi reassociations on the targeted device, force setting the all-zero encryption key and decrypt intercepted packets. We will also discuss the potential impact of these vulnerabilities, along with the limitations of exploiting them.This new research follows our earlier discovery that some versions of the popular Amazon Echo and Kindle devices were vulnerable to Key Reinstallation Attacks (KRACK), which were discovered by Mathy Vanhoef in 2017. We will explain how Kr00k is related to the previously known research – and how it differs.Exclusively for Black Hat USA, we will also cover our most recently discovered Wi-Fi encryption vulnerabilities affecting other chip manufacturers, including Qualcomm.Finally, we will discuss and release our proof-of-concept testing script designed trigger and detect the Kr00k vulnerability on unpatched devices.