Kr00k: Serious Vulnerability Affected Encryption of Billion+ Wi-Fi Devices

Captions
Do we have any iPhone or MacBook users listening? What about Samsung Galaxy, Amazon Echo or Raspberry Pi users? Now, I can't see you as we're streaming virtually, but I'm pretty sure a lot of virtual hands were just raised. Now, what if I told you that anyone could break into your encrypted Wi-Fi communication? When you connect to a WPA2-protected, encrypted Wi-Fi network, then even without TLS on the application layer, no one should be able to read the data exchanged between your device and the wireless access point. But that was not the case, because your devices, and not only those that I mentioned, had this serious Wi-Fi vulnerability.

That was the discovery of ESET's IoT research team, that's dedicated to finding vulnerabilities in popular devices used at home and in the enterprise. We feel this type of research is really important. We participated in a Forrester report that went out earlier this year, and the conclusions were that consumer IoT devices are expanding the enterprise attack surface. Now couple that with the fact that most consumer IoT devices can be exploited, and it's a disaster waiting to happen. Our IoT research team found flaws in a bunch of different devices: in smart cameras, that allowed an unauthorized adversary to see whatever that camera saw (you don't want that, right?); in Amazon Echo; in insecure smart home hubs by various different manufacturers. And smart home hubs are the gateway to your whole home, or potentially your company if you're using them in a small home office, and the effect of that depends on what's connected to that smart home, so you can use your imagination.

But Kr00k is our most impactful discovery yet. That's because it goes beyond IoT in the sense of cool smart gadgets like your smart watch or your smart toaster. Kr00k affected billions of Wi-Fi capable devices, including your laptops, tablets and phones.

I'm Robert Lipovsky, ESET's senior malware researcher, and my co-speaker today is Stefan Svorencik ("Hi"), ESET's head of experimental research and detection. But credit also goes to Milos Cermak, who was the lead researcher behind this discovery, as well as ESET researcher Martin Kaluznik. This and other types of threat research are in ESET's DNA, and it goes hand in hand with our focus for the past 30 years on proactive detection.

So this is our agenda for today. We'll talk about Kr00k: what it is and how it works, its impact, how it can affect you and the security of your devices, and what you can do about it. Also, for the first time, we're going to disclose our latest findings into vulnerabilities which aren't strictly Kr00k but are similar.

Now, before we get into the specifics of the vulnerability and its impact, let's quickly go over some Wi-Fi security basics which are needed to understand how Kr00k works. First, I'm going to talk about Wi-Fi associations and disassociations and the four-way handshake. So the first thing that happens when you connect your device to an access point is called the association, basically a connection. For our purpose, when talking about Kr00k, we're mostly going to be interested in the reverse, disassociations, and these happen for a multitude of reasons. They can actually occur naturally, for example when a client roams from one Wi-Fi station to another, and then we're talking about a reassociation, or they happen manually, simply when you turn off the Wi-Fi connection of your device. All of these associations and disassociations are governed by so-called management frames, and an important thing to note: these are most often unauthenticated and unencrypted, and also can be triggered manually. What could go wrong?

The four-way handshake establishes secure wireless communication. Now, without going into the technical details or the group key used for multicast and broadcast, I'll just mention that the handshake serves two main purposes. First, it's authentication, to ensure that the client is authorized to connect to the Wi-Fi, for example knows the Wi-Fi password. And secondly, for confidentiality and integrity, so a unique per-session encryption key is constructed. It's called the pairwise transient key, the PTK, and a part of that PTK is the TK, which stands for temporal key, and this is used to encrypt unicast data exchanged between the client and the access point.

So let's take a closer look at how that TK is used, how encryption is done in WPA2 with CCMP, which is the most ubiquitous standard today. Now, I'm going to simplify the scheme, not going into the details of counter mode and CBC-MAC. Here we have some plaintext data that we are going to transmit and needs to be encrypted. The cipher being used in this scheme is AES. So we have that session key, the TK, which was established in the four-way handshake. We have a so-called nonce, a number which is only supposed to be used once; this also includes the packet number. These are used to generate the keystream. That keystream is then XORed with the plaintext data to get the encrypted data. Then, along with the packet header, this is then transmitted into the air. And the decryption is the reverse, and Stevo will talk about that in his part.

So now that we covered the basics, let's get to the main part: what is Kr00k, a.k.a. CVE-2019-15126? This is a typical Wi-Fi connection between a device and an access point, secured by the WPA2 protocol. The communication is encrypted using that TK, the pairwise session key that was established in the handshake. So even if someone else captures those wireless network packets flying through the air, they wouldn't be able to decrypt them and read the content, right? Well, the Kr00k vulnerability breaks that. Here's an example of how an attacker could exploit the bug. They could transmit a crafted disassociation frame addressed to the victim. The victim device accepts it and disassociates, and data transmission stops. Up to this point everything happened as it should have. But after that disassociation, one last fragment of data is transmitted, only this time, as you can see, it's encrypted with an all-zero transient key, and the attacker can intercept it and easily decrypt the content.

So how was all that possible? Well, to answer that, let's rewind and take a closer look under the hood of that vulnerable device. Spoiler alert: this is the culprit behind Kr00k, a FullMAC Wi-Fi chip. By the way, this particular one is from an Amazon Kindle and it's only an eighth of an inch wide, so taking this photograph took a bit of an effort. Stefan, tell us more about these chips.

So, every mobile device, your phone, your laptop, your smart watch, which doesn't stop reminding you that you're gonna probably die tomorrow if you don't make those 10,000 steps today, and even your intelligent vacuum cleaner, if they'll ever be intelligent enough to vacuum properly, everything has its own Wi-Fi chip which handles all the Wi-Fi communication. In all recent mobile devices, FullMAC chips tend to be the most used kind of chips in the market. FullMACs offer better performance in terms of power consumption and speed, and they are easier to integrate in complete products.

This is a block diagram of one of them. As you can see, it's fairly complicated. This one also includes the Bluetooth part, but we won't bother with it. We'll look only at the small part of it which manages the whole Wi-Fi encryption, and this is where the magic happens. This is a MAC layer, short for media access control architecture. These are the small parts which handle all the communication encryption. Buffers are used to store order communication frames for the time they are being encrypted or decrypted. The transmit engine constitutes the transmit data to and from the transmit buffer; the receive engine does the same for the receive buffer. The WEP engine encapsulates all the hardware accelerators to perform the encryption and decryption. It implements all cipher algorithms: AES, WEP, WPA, WPA2. The PSM is a microcontroller that is highly optimized for flow control operation. It also determines, based on the frame type and association information, the appropriate cipher algorithm to be used.

So, how the encryption goes: as Robert explained before, every time a device is connected or reconnected to an access point, after authentication and association, a session encryption key is generated, which is then used for all the encryption and decryption. The transmit buffer is being filled with data frames which need to be sent out. The WEP engine encrypts the data per frame with the generated encryption key, and the transmit engine sends them away.

So what happens after the disassociation occurs? The disassociation frame comes through the receive engine to the receive buffer. The state machine evaluates the frame and sends the information up the ladder. There the information is interpreted as "okay, we are about to disconnect, let's drop all the encryption keys." A command to drop the generated session encryption key is then sent. Since in computing you don't erase anything properly, you just replace it with zeros, the session encryption key is, after disassociation, overwritten by zeros. Here comes the term "all-zero encryption key". This is expected behavior, as no further data is supposed to be transmitted after the disassociation, and it stays that way until a new session is generated after the new reassociation and the new four-way handshake. But until that happens, the transmit buffer still may contain data. The transmit engine needs to send them away and continues to do so as usual. So all data which were left in that buffer after disassociation occurred are now sent away encrypted with an all-zero encryption key.

So when you can grab these frames, you can easily decrypt them into plaintext data. You know the encryption algorithm, you know the encryption key, you get the nonce from the header, and you can easily decrypt them. Then the question is, how do you identify these particular frames in the air? The answer is simple: you don't. You just try to decrypt everything you see with an all-zero key, and those frames which after decryption match the binary pattern of the plaintext data frames, which is something like aaaa03, those are the ones which were formerly encrypted with an all-zero key.

One can ask how much data can you decrypt after one disassociation. Well, the transmit buffer has a memory space of 32 kilobytes. For comparison, one kilobyte is a couple of hundred words of plain text, so 32 kilobytes will be about 10 to 20,000 words, which is quite a few pages of a book. But you must understand that the buffer isn't always full when the disassociation happens. It really depends on the timing.

So what can an attacker do with this vulnerability? Well, there are two ways an adversary can eavesdrop on these frames: a passive one and an active one. Let's begin with the passive one. As was already mentioned, the disassociation occurs naturally: moving around, changing access points, low signal strength, or just due to signal interference. Most of the time you won't even notice because of the quick subsequent reassociation. So let's do the math. Since this issue concerns many Wi-Fi chips, somewhere where there are many of these mobile devices in one place, like a workspace for example, there should be a lot of them vulnerable. Combining with the fact that natural disassociation occurs quite often, there should be all-zero encrypted frames just flying around. And yes, they are. So let's grab them.

So what do you think, have we tried to eavesdrop at our workplace? Of course we did, because, you know, sticking your nose into things of people you know is always interesting. And what did you see? First, we saw all vulnerable devices and access points to which they are connecting. But then, after decryption, we saw what kind of data are actually exposed: DNS requests, TCP, HTTP requests, website that people owed, you name it. Actually everything that wasn't TLS encrypted, because that's another layer of encryption on the IP level.

Now, when we identified all vulnerable devices, we can get them to drop even more than they would normally give up for free. How? I can trigger disassociation between them and their access points wherever I want, and again and again, and just like Captain America, I can do this all day. And this is the most dangerous thing about this vulnerability, because now you can gather this partial information. Let me get one thing straight: the nature of the data frames which are eventually all-zero-key encrypted and can be eventually decrypted to plaintext is quite random. It really depends on the timing of the disassociation. But if you can now invoke it over and over again, the vulnerability will manifest itself over and over again, and now you're in the information gathering business, just waiting until something interesting pops out. And it always does.

As much as I enjoyed those animations, let's demonstrate that this stuff really works. So we prepared a little demo in our lab so you can see the attack in action. We're going to use a wireless adapter in a so-called monitor mode. Now, some of you that played around with Wireshark are surely familiar with promiscuous mode, which is also used for packet sniffing. Monitor mode is similar, but it allows packets to be captured without having to be associated with an access point. In other words, an attacker can carry out this attack without knowing the Wi-Fi password.

Okay, so this is our would-be victim. He uses his phone, is connected to our work Wi-Fi (see "Work Wi-Fi"), and they're gonna check on their smart home. So he connects to the smart home command interface, enters his credentials, clicks on login, and if those credentials were correct, which they were, in a moment he's connected and can check up on his smart home, see how his nuclear power plant is doing, turn it on, off, whatever.

Now let's switch over to the perspective of the attacker. So the attacker has prepared his script for invoking Kr00k. The parameters there are the victim's MAC address, which would have had to be known in a different way, and also the targeted Wi-Fi SSID. And note that, as I mentioned earlier, it doesn't need to know the Wi-Fi password. As you can see, some packets were captured, and we're letting the script run, so it's running continuously, so we're continuing to capture more packets.

Now let's go back and see what happened over there. So in the beginning, this script sent out that disassociation frame to the victim. Now we can see that the victim reconnected to that Wi-Fi, so the disassociation frame was accepted and it worked. And now we figured that the device is vulnerable, because we were able to successfully decrypt this packet. As Stevo mentioned, this is that magic identifier, aaaa03, and now we can see, we can read it in plain text, that we were able to decrypt this packet with an all-zero key. Okay, scroll down, there's another packet. We can choose whichever one is interesting, is useful for our needs, and more packets continue coming in. So let's select this one, this HTTP packet. Wireshark helps us parse some of those fields over there, so let's select that session ID. So this particular one contains the session ID. Copy to the clipboard, switch over to our browser, and then the attacker is able, without knowing the password to the smart home interface, without knowing the password to the Wi-Fi, to connect to that interface and do whatever malicious mischief. And we will be releasing that testing script that we used in the demo on our GitHub after the presentation.

But that's not all. Here's a different scenario where it's the access point that is susceptible to this vulnerability. Similarly to the previous example, an attacker would be able to intercept and decrypt private data that was being addressed from the access point to your client device. Even if your client device wasn't vulnerable itself, he can still get information about your connection directly from the access point. The difference is only that he will get to see only responses now: DNS and HTTP responses, for example, or a document being sent to a Wi-Fi printer. The fact that wireless routers and access points are also affected by this vulnerability greatly increases the scope of the attack, and it's also more difficult to protect against it, since the security of access points is typically beyond your control. A solution to this is to treat even WPA2-protected networks as insecure and make sure you always use encryption on the IP level, TLS or VPN.

Kr00k affected devices with Cypress and Broadcom Wi-Fi chips, and these chips are really prevalent. These are just the examples of devices we confirmed to have been vulnerable in our lab, but we know there were many more, and the total number of affected devices was well over a billion. When we were doing our initial Kr00k testing last year, we did not see the vulnerability manifest itself on devices with Wi-Fi chips from other manufacturers like Qualcomm, Realtek, Ralink or MediaTek, but we later found out that some of those companies had other similar issues, and Stefan will tell you more about that in a minute.

So what happened after that discovery? Well, we worked with the affected manufacturers through a responsible disclosure process, and considering the complexity of the bug and the two-step patching process involving chip manufacturers and then OEMs or device manufacturers, we agreed on a longer than usual grace period of 120 days. As far as we know, most major vendors have released patches. Now, not only would it be difficult for us to communicate with every individual device manufacturer that could possibly be using these chips in their devices, it would also be impossible. I mean, there is no public comprehensive list of clients of Broadcom and Cypress; that's proprietary information of Broadcom and Cypress, and they didn't tell us. So what we did in order to ensure that all possibly affected parties became aware of the bug was we worked with ICASI, an organization that helps coordinate such complicated disclosures, and we strongly encourage other researchers in similar situations to do so. They were very helpful.

Now I'm going to go back in time and explain how our research started, but more importantly, the connections to previous work. I'm sure for a lot of you all of this probably reminds you of other weaknesses in WPA2 from the past, such as KRACK. KRACK, being short for key reinstallation attacks, was research from 2017 by Mathy Vanhoef, which he also presented at Black Hat Europe 2017. And the point with KRACK, as the acronym suggests, it's all about reinstalling an already-in-use encryption key but resetting that nonce that I mentioned in the beginning.

And in the beginning of our research we discovered that Amazon Echo, the first generation, was vulnerable to KRACK. So we did responsible disclosure, and while Amazon was working on the patch, we were looking into the second generation of Echo. Now, the second generation was not vulnerable to the original KRACK attack, but it was vulnerable to a modification of that attack, and this modification led to an all-zero key being installed. And the cause of that was, you guessed it, Kr00k. So we continued our discussions with Amazon, we continued our research, until we came to realize that the problem was actually in the Wi-Fi chip itself, in the case of this device, the chip by Cypress. Now, Cypress bought the IoT division of Broadcom, and from our perspective, or from the perspective of the Kr00k vulnerability, the chips are basically the same. But since Broadcom chips were so widespread, even more so than Cypress, that's when we realized the scale of this vulnerability, and that's how KRACKing Amazon Echo brought us to discovering Kr00k.

I put together this table to explain how the two are related and how they differ. Both of them could lead to similar outcomes, unauthorized decryption of encrypted wireless traffic, but they're also two separate issues. KRACK is an attack, an exploit, and Kr00k, as we've explained, is a vulnerability, a bug. The point with KRACK is that a nonce is being reused to acquire the keystream; with Kr00k it's about data being encrypted with an all-zero session key.
KRACK is triggered during that four-way handshake; Kr00k is triggered after a disassociation. As far as the impact, KRACK affected most Wi-Fi capable devices because it was about the protocols themselves; Kr00k affected the most widespread Wi-Fi chips out there, by Broadcom and Cypress. Now, the most severe manifestation of KRACK is the installation of an all-zero key, and Kr00k is also one of the possible reasons why encryption with an all-zero key can happen, so that's something they have in common too.

I mentioned that our initial scripts for testing Kr00k didn't reveal the vulnerability on other chipsets than Broadcom or Cypress. That was true, but we did find something nevertheless, and Stefan will tell you more.

So, after our former RSA presentation in February, the issue was brought to the attention of many other chipset manufacturers. One of the chips we were looking into, aside from Broadcom and Cypress, was from Qualcomm. Our investigation found that their Wi-Fi chips are also vulnerable, but the exploit manifests itself differently. This is a Wireshark log of a residual frame after disassociation was invoked on a Qualcomm router. As you can see, the protected flag is set to true and the frame appears to have a CCMP parameter, but the data aren't encrypted at all, as they should be. This frame is an ICMP echo from the ping command. We reported this issue to them, and they approached it as a Kr00k variant and assigned CVE-2020-3702. The affected chip was the QCA9531, which is a highly integrated and feature-rich system-on-chip for advanced Wi-Fi platforms. It is used mainly in network routers. They resolved the issue by updating their proprietary Linux driver in July. The only problem is that not all devices with Qualcomm chips use this proprietary driver. In some cases open source Linux drivers are also used, such as the upstream ath9k driver, for example. So a word of caution that these may or may not be patched yet. The good news is the new mobile devices with integrated systems-on-chip, specifically for Android and Windows on Snapdragon, should not be affected by this issue.

Other widespread Wi-Fi chips that we looked into were from MediaTek. We observed a vulnerable behavior very similar to the one observed on Qualcomm devices on an older ASUS router, but what was far more interesting, we observed it on the current Microsoft Azure Sphere development kit, which uses the MediaTek MT3620 microcontroller. The MT3620 is a highly integrated, high-performance IoT MCU with the high level of security necessary for modern, robust internet-connected devices. It targets a wide range of IoT applications, including smart homes, commercial, industrial and many other domains. We've contacted MediaTek about the discovered vulnerabilities. MediaTek has informed us that they are aware of the issue and reviewed all Wi-Fi products, and the corresponding software patches to impacted projects have been released to different customers around March and April already. A separate question remains whether all device manufacturers have implemented these patches. With regard to Azure Sphere MT3620, the patch should be integrated in the latest operational system update.

And how the vulnerability manifested itself on MediaTek devices: very similar as on the Qualcomm devices. This is a Wireshark log of a residual frame after disassociation was invoked on Azure Sphere MT3620. As you can see, the protected flag is set to true, but the frame doesn't have any CCMP parameters, and the beginning of the data is falsely identified as a WEP header. Here we didn't use ICMP echo because of the device limitations, but an application which sends UDP frames with a simple pattern. As you can see, the frame isn't encrypted.

Okay, let's wrap up. First, a hat tip to Mathy Vanhoef, whose great research on KRACK brought us here in the first place. Then to all these companies, with whom the cooperation went really smoothly and they responded to our disclosures professionally, especially Amazon; the joint effort trying to get to the bottom of what was going on was stellar. And there are a lot of other companies with whom we did not have that much cooperation, but they also handled the situation well, released patches and so on, and we've been providing links to any security advisories we could find to our Kr00k web page.

So what are the takeaways for you? The source of Kr00k and the other related vulnerabilities is the Wi-Fi chip. Fortunately, you don't have to go and replace the chips on all your devices (how would you do that?), and you don't have to be throwing away your iPhones either. No, you can mitigate the vulnerabilities with a firmware or driver update. The obvious advice that arose from our initial Kr00k discovery was: make sure that all of your devices with Broadcom or Cypress chips are running the latest software versions. Now, that advice has its limitations, though. First, as a regular user, you often have no way of knowing what vendor made the chip in your device, and secondly, as it turned out, other similar vulnerabilities affected chips by other manufacturers. So we're going back to the almighty advice: just better to make sure to keep all of your devices up to date. And it goes for access points and Wi-Fi routers too, because, as Stevo talked about, Kr00k affects those too, and it also affects WPA2 Enterprise.

Now, in case you're a manufacturer of Wi-Fi capable devices yourself and you're hearing about Kr00k for the first time, I highly recommend you get in touch with the Wi-Fi Alliance and your chip manufacturer.

A final general note: many of those devices we talked about that were vulnerable, like smartphones, they get over-the-air updates automatically, or the user is at least prompted to install them. But others, like some Wi-Fi routers for example, need to be updated manually, and this is often problematic. It could lead to attack scenarios like those Stefan talked about, and this is cause for concern in normal situations, but even more so when more people are working from home due to COVID-19.
So these are employees accessing corporate resources that are responsible for their own home Wi-Fi security, so Kr00k is something that company CISOs definitely need to be paying attention to.

For more technical details on the Kr00k vulnerability, check out our research paper. For up-to-date information, frequently asked questions, the script that we used in the demo and links to vendor advisories, go to this web page we created dedicated to Kr00k. Thank you for watching. Do make sure to check out our lab's Twitter account at ESET Research and our blog, welivesecurity.com, for the latest research updates. And now we will take questions, if there are any.

Okay, so thanks for watching the talk. To answer the questions, I think some were answered already. So the first question, with the eight thumbs up: yes, that was answered in the presentation, so it was patched in software, no need to throw your devices away.

Then there was the other question, that you need to know the MAC address in order to carry out the attack, but that's easy to get.

"Short of running the Kr00k script against the device, how do you know if it's been patched?" That's a very good question, and we're not aware of any good way apart from testing it or asking your device vendor. So ask your device vendor. We are hosting the advisories that we're aware of on the website. In case there are any manufacturers in the audience and you want your advisory listed there, feel free to reach out to us too.

So what else is there? "Is it also feasible for 802.11ax chips?" That's also a really good question, and it's hard to answer, because these are really fast and we did not have the hardware to test that. I mean, capturing them and basically performing the attack, causing the disassociations on these types of chips, would require much faster hardware than we had access to.

We answered that. "Since the packet is still valid for the receiver, would a man in the middle be possible to recreate the original packet and put malicious in?" Oh, I think they're asking about the injection. Injection, yeah, yeah. The injection part is not possible. We actually brought it up with Broadcom and they assured us that this is not possible. There are other factors that come into play there. You need to recreate some parameters of the data frames, and injection, it requires a lot more, so it is altogether a lot more difficult.

"Where will the PoC be posted?" If you go to the links that we have in the presentation, I think that should be available, or if you just Google "Kr00k ESET" it should guide you to a web page we have dedicated to this, and from there you will see that. We also have it on our blog, WeLiveSecurity, and then on ESET Research's GitHub page the script will be there.

And I believe we answered all the questions. "I was thinking at first that it was a Wi-Fi chip implemented by specific... any ideas why it showed up in..." Okay, that's a good question. Well, we have to say that Kr00k, that specific CVE that we talked about in the beginning, that did not manifest itself on Qualcomm and MediaTek, so that was also assigned a different CVE. They're similar, but they manifest themselves differently. We don't know all the details about the chipset architecture of every single chipset manufacturer, of course. We do think that the source also is similar, in that they're, you know, the actual transmit buffers. Yeah, the thing is in the buffers. They handle probably the different size of the buffers, and that's the point that we saw the mitigation of the attack a bit later, but yeah, there were similar architecture.

Venetia is asking about TLS. So TLS can help a lot, of course, because, as we mentioned in the presentation, Kr00k does not break TLS. So when you're using TLS, or when you're using a VPN, that should protect you from this. So really, Kr00k breaks the level of encryption that WPA2 itself is supposed to give you, but TLS does protection from a different layer.

No, it's not plausible for this attack to be executed remotely. The attacker needs to be in close proximity of the Wi-Fi signal.

That's actually, as in Stefan's home in Bratislava, Slovakia, the hammock.

Okay, so that's all the questions, I believe. Thank you very much for listening and enjoy the rest of the conference. Bye.
Info
Channel: Black Hat
Views: 2,126
Id: iclIChl1Imw
Length: 40min 48sec (2448 seconds)
Published: Fri Feb 26 2021