  1. #1
    jcoehoorn

    Network vulnerability for Asus Routers (and many others)

    I'm reposting this here because I know there are people on the forums with Asus routers from back when Untangle was playing with an ARM port, and Asus routers were specifically mentioned in the article:

    https://arstechnica.com/information-...-eavesdroppng/

    Lots of other stuff is vulnerable, as well (basically anything with a Broadcom/Cypress chip), but it's the routers most people will need to patch on their own.

    The meat of the issue is the firmware for the chips was not handling dissociation from APs correctly, where the encryption key for any data remaining in the send buffer was zeroed out, but the data was still transmitted into the open air. An attacker can then use one of several techniques to force dissociation for target devices or APs until they manage to record data with something sensitive... i.e., the attack is replayable until successful. Therefore, your connection might become vulnerable merely by connecting to a vulnerable router, even if your own device is otherwise safe.
    Last edited by jcoehoorn; 02-26-2020 at 06:54 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  2. #2
    Jim.Alles

    Kr00k

    Thanks for posting this.

    If you are in a public place, and using VPN from your device, your connection is probably still safe.

    However, I would assume that gaining access with an (all 0) encryption key would allow someone onto your private network. So, it might be worth paying attention to this.

    Keep an eye out for available patches.

    I haven't seen anyone mention other major manufacturers; that Realtek, Qualcomm and Intel chips are likely not affected.
    It appears that current versions of Ubiquiti UniFi devices use Qualcomm chips, and are not vulnerable.
    https://community.ui.com/questions/About-the-kr00k-wifi-chip-vulnerability
    Last edited by Jim.Alles; 02-26-2020 at 03:52 PM.
    If you think I got Grumpy

  3. #3

  4. #4

    It's an interesting vulnerability. With the key being reset to zeros until the buffer is run out, how much data can an eavesdropper really receive until the new key and association are established? I can see this being an issue for control systems that use WiFi, where a malicious person could force disconnects and collect command sequences if they were persistent enough. In a Starbucks etc... not so sure.

  5. #5
    jcoehoorn

    There's not much... usually just a couple KB.

    The problem is, the attack is replayable. That is, the attacker can force the dissociation for anyone connected to a vulnerable AP and grab what they can to evaluate. At this point, most clients will automatically look around and try to reconnect to the best available AP, which is likely to either be the same AP or another that's just as vulnerable. If the client doesn't do this, the user sitting at the machine will. Now the attacker is all set up to run again and get another small set of data. They can do this as many times as they need.

    One example of something they may try to grab in this way is a session cookie. These cookies often need to be transmitted to a web site with each HTTP request, of which there are many. If the attacker is able to grab such a cookie, they may be able to impersonate the user on that web site. More recent security practices also require a CSRF token to help protect against this kind of issue, but many web sites are still vulnerable to the attack, and a crafty attacker may also be able to steal the token.
    Last edited by jcoehoorn; 02-28-2020 at 08:21 AM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty
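
Because the attack in post #5 depends on forcing the same client off its AP again and again, repeated disassociations of one client in a short window (across APs, since the client may rejoin a different one) are worth alerting on. The following is an added example, not code from any poster or vendor; the log format, event names, and thresholds are assumptions, and normal roaming also produces disassociations, so tune the numbers to your site.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <AP> <client MAC> <event>".
# The format is hypothetical; adapt parse() to whatever your AP or controller logs.
SAMPLE_LOG = """\
2020-02-28T08:00:01 ap1 aa:bb:cc:00:00:01 disassoc
2020-02-28T08:00:05 ap1 aa:bb:cc:00:00:01 assoc
2020-02-28T08:00:10 ap1 aa:bb:cc:00:00:02 disassoc
2020-02-28T08:00:40 ap1 AA:BB:CC:00:00:01 disassoc
2020-02-28T08:00:44 ap2 aa:bb:cc:00:00:01 assoc
2020-02-28T08:01:30 ap2 aa:bb:cc:00:00:01 disassoc
2020-02-28T08:01:33 ap1 aa:bb:cc:00:00:01 assoc
2020-02-28T08:02:10 ap1 aa:bb:cc:00:00:01 disassoc
garbage line
not-a-time ap1 aa:bb:cc:00:00:02 disassoc
2020-02-28T08:00:00 ap2 aa:bb:cc:00:00:03 disassoc
2020-02-28T08:10:00 ap2 aa:bb:cc:00:00:03 disassoc
2020-02-28T08:20:00 ap2 aa:bb:cc:00:00:03 disassoc
2020-02-28T09:15:00 ap1 aa:bb:cc:00:00:02 disassoc
"""

def parse(log):
    """Yield (time, ap, mac, event) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ap, mac, event = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        yield when, ap, mac.lower(), event

def repeated_disassoc(log, threshold=3, window=timedelta(minutes=5)):
    """Return {mac: peak count} for clients disassociated >= threshold times in a window."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for when, _ap, mac, event in sorted(parse(log)):
        if event != "disassoc":
            continue
        q = recent[mac]           # counted per client, regardless of which AP reported it
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[mac] = max(flagged.get(mac, 0), len(q))
    return flagged
```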
