Beyond KrØØk: Even more Wi‑Fi chips vulnerable to eavesdropping (welivesecurity.com)
valera_rozuvan 1351 days ago
Just tested the script provided by the researchers [1]. Yep, it works, and my system is vulnerable.

----------

[1] https://raw.githubusercontent.com/eset/malware-research/mast...

valera_rozuvan 1351 days ago
This is not that serious though. Quoting from [1]:

~~~

Furthermore, the bug cannot be used part of automated botnet attacks, requires physical proximity to a victim (WiFi network range), and Kr00k cannot retrieve large and long-winded communications streams without the user noticing problems with their WiFi communications.

~~~

----------

[1] https://www.zdnet.com/article/new-kr00k-vulnerability-lets-a...

zenexer 1351 days ago
It’s still serious. For example, consider the potential for industrial espionage. Want to steal some trade secrets? Grab a cantenna and set up shop next door.
Piskvorrr 1351 days ago
Hopefully nobody treats the link layer as secure nowadays, and good luck with the TLS sessions that you've grabbed.

Yeah, I know. "No need to secure the internal traffic: the perimeter is absolutely secure (there's also no way we've left the WPA passphrase lying around on post-it notes that go into the unlocked dumpster out back)."

xoa 1351 days ago
While your part about limited retrievability is reasonable right now (though as always the fear is that attacks only ever get worse), I'd take some issue with being blasé about this bit:

>Furthermore, the bug cannot be used part of automated botnet attacks, requires physical proximity

I think that needs some real qualifiers. A high percentage of the population, and an even higher percentage of valuable targets, lie within fairly dense urban areas. One of the whole challenges with WiFi there is that there are zero places that don't have many overlapping WiFi networks. That kind of density in turn definitely raises the potential for automation if a widespread enough bug was found that could be used as part of a takeover chain. There are a lot of unpatched systems/IoT/etc. out there, so "physical proximity" is a phrase that has to be considered closely. Anyone would have to evaluate not merely their own networks but whether they're sure that none of their neighbors have any vulnerable devices, and none of their neighbors' neighbors, that nobody walking by or visiting within range or the like has been owned, etc. Kr00k by itself may not be enough, but these days lone bugs are almost never enough even locally; full RCEs/rooting and such are usually a chain of exploits where no single one was a real threat, but each brings attackers past one more safeguard.

FWIW, self-propagation in high density areas has been considered and started to see some interesting public research (who knows what state actors are up to with it) over the last few years. An example from 2018 was "IoT Goes Nuclear: Creating a ZigBee Chain Reaction" [0], which focused on the ZigBee protocol.

I do think WiFi is fundamentally better, it has had more development, faced more scrutiny, and in general is part of regular networks that we have far more mature tools and techniques to monitor and secure. Again, I'm not arguing this is something to panic over specifically, but even 'minor' exploits like this shouldn't be left hanging about and should get patches reasonably promptly and upgraded as opportunity allows. "Requires physical proximity" isn't always straightforward.

----

0: https://eyalro.net/project/iotworm.html

mobilio 1351 days ago
When Kr00k was released we almost knew that this wasn't a special "feature" only for Broadcom chips. It was just a matter of time before Qualcomm was hit with something similar.
teddyh 1351 days ago
I’ve never understood this: When TLS gets updated seemingly yearly, why should we trust crypto implemented in hardware and set in stone by standards ages ago?
gruez 1351 days ago
>I’ve never understood this: When TLS gets updated seemingly yearly

What? We've been on TLS 1.3 for years now, and before that, we were using TLS for a decade.

https://en.wikipedia.org/wiki/Transport_Layer_Security#Histo...

teddyh 1351 days ago
I dunno. It certainly feels like I have to edit my server configs at least every year to make something or other stop complaining about the TLS parameters not being secure enough.
grishka 1351 days ago
I've always assumed that WiFi encryption is more about preventing unauthorized access to the network than protecting the data that's being sent.
Jonnax 1351 days ago
The manufacturer of the device relies on their chipset manufacturer to update their drivers.

Also, the manufacturer then has to push that out as an update.

ISPs often have custom firmwares on the routers so they need to do an update.

Also every device needs to be able to talk to every device.

Interoperability means that breaking changes are only acceptable when you go from N to AC to Wi-Fi 6.

WPA3 came out but how many routers will support it? How many clients?
