The newly affected devices use Qualcomm and MediaTek WiFi chips. Originally, researchers Lipovský and Svorenčík stated that only devices with WiFi chips from Broadcom and Cypress were affected. Now chips from the other two companies have joined the list, and they are currently used in mobile phones, cars, watches, tablets, routers, computers, etc.
They can spy on your WiFi network without knowing your password
The new vulnerability, tracked as CVE-2020-3702, works similarly to the original vulnerability on devices with Qualcomm chips, where a device can be forced to transmit unencrypted data instead of encrypted data. Something similar happens with MediaTek chips: ESET says affected devices include routers such as the ASUS RT-AC52U and the Microsoft Azure Sphere development kit, which uses the MT3620. The MT3620 is also used in IoT devices and industrial devices.
Qualcomm released a patch in July to fix the vulnerability in the affected proprietary drivers, and MediaTek fixed the bug in March and April. A patch was also released in July to fix the bug in the MT3620 microcontrollers. The problem is that these patches do not reach the large majority of devices because of manufacturers' poor update policies, so a large number of them will remain vulnerable. Also, some devices with the affected chips use open source Linux drivers, such as ath9k, and whether those get updated is up to the community.
Many mobile devices will not receive the patch
The flaw is really dangerous, since an attacker only needs to be within range of our devices and does not need to know the password of the WiFi network we are connected to. From nearby, the attacker can inject malicious packets that make the device send packets without encryption, and then spy on our connections.
Thus, the total number of devices affected by the vulnerability now exceeds one billion worldwide. This is really serious, since the update policies of many devices today are horrendous. On Android, updates typically don't last more than two years, with manufacturers like Samsung having pledged to provide them for at least three years. Mobile phones are becoming more powerful and last longer in the hands of their buyers, so the number of vulnerable devices keeps growing.
Currently, the devices affected by Kr00k include Amazon Echo, Kindle, iPhone, iPad, MacBook, Google Pixel, Samsung Galaxy, Raspberry Pi, Xiaomi, as well as routers from ASUS and Huawei. Routers, despite being key to our networks, are among the most neglected devices in terms of software updates; companies such as Netgear, for example, do not patch devices that are older than three years. As if having to worry about maintaining security on public WiFi networks were not enough.