Skip to main content

Billions of Wi-Fi devices left open via security flaw

(Image credit: Mediacom)

Security researchers from Eset have claimed “billions of devices” - including some from the world’s largest hardware manufacturers - were vulnerable to a Wi-Fi exploit that allowed hackers to decrypt sensitive data.

The vulnerability, labelled CVE-2019-15126, is colloquially referred to as Kr00k.

Researchers say chips made by Cypress Semiconductor and Broadcom are among those vulnerable to attack. Companies that use these chips in their products include Apple, Amazon, Huawei, Asus and Raspberry, to name just a few.

Hardware makers have all released patches for the vulnerability, but Eset says it's likely not all devices have been patched by users. This is especially the case with routers, which are rarely ever patched.

“This results in scenarios where client devices that are unaffected (either patched or using different Wi-Fi chips not vulnerable to Kr00k) can be connected to an access point (often times beyond an individual’s control) that is vulnerable,” said a paper published by Eset researchers.

“The attack surface is greatly increased, since an adversary can decrypt data that was transmitted by a vulnerable access point to a specific client (which may or may not be vulnerable itself).”