A bug called Kr00k, present in Wi-Fi chips from Broadcom and Cypress Semiconductor, affects more than a billion devices: mainly iPhones, but also iPads, Macs, Android smartphones, Raspberry Pi boards, Kindles and Amazon Echo connected speakers. ESET explains that patches for the Wi-Fi problem are available from most manufacturers.
Wi-Fi problem leaves thousands of smartphones at risk
In fact, ESET has tested many devices and found them to be vulnerable. The most notable are the Galaxy S8, iPads and iPhones, but the Nexus phones and Xiaomi's Redmi 3S are not spared either.
Here is the full list:
- Amazon: Echo 2nd generation, Kindle 8th generation
- Apple: iPad mini 2, iPhone 6, iPhone 6S, iPhone 8, iPhone XR, MacBook, iPad Air
- Google: Nexus 5, Nexus 6, Nexus 6P
- Raspberry Pi 3
- Samsung: Galaxy S4, Galaxy S8
- Xiaomi Redmi 3S
The problem also appears to affect ASUS and Huawei routers. ESET specified, however, that “many other manufacturers whose products we have not tested use the affected chipsets on their devices”. The vulnerability is not present in Qualcomm, Realtek, Ralink, and Mediatek chipsets.
The flaw known as Kr00k manifests itself when a mobile device with an affected chipset fails to establish a Wi-Fi connection. This happens several times a day, whenever the signal is lost. The chipset then tries to reconnect automatically. However, because of the vulnerability in these chipsets, malicious users can force a client to disconnect and transmit data in a less secure manner.
ESET disclosed its findings to the affected manufacturers several months in advance, and a patch is now available for most devices in the form of a system update. Whether on the iPhone, Galaxy S8 or Amazon Echo, the best way to protect yourself is to ensure that you are running the latest version of the operating system.
The investigation into this bug dates back to the third quarter of 2018. Cypress and Broadcom were informed in August 2019 and patches began to circulate in the last quarter of 2019. However, there are thousands of devices that remain unprotected.