A large swath of internet-of-things (IoT) devices are affected by a new vulnerability that could let a criminal or spy decrypt data sent over wireless connections, researchers said Wednesday.
The flaw in widely used Wi-Fi chips made by Broadcom and Cypress essentially disables the encryption key used to secure communications over popular wireless standards. Everything from certain classes of the iPhone to Amazon’s Echo could be vulnerable to attacks tested by researchers at antivirus company ESET, who discovered the vulnerability. One billion devices are affected, ESET estimated.
ESET hasn’t seen any attacks in the wild exploiting this vulnerability.
Yet it’s the latest reminder that, while governments in the U.S., the U.K., and elsewhere are urging IoT vendors to build more security into their products, they are up against a market that often prioritizes low costs and convenience.
“These consumer IoT devices are expanding the attack surface for enterprises,” said Robert Lipovsky, senior malware researcher at ESET, who presented his findings Wednesday at the RSA Conference in San Francisco. The main vendors affected by the vulnerability have issued security fixes for it.
Crucially, the vulnerability cannot be used to break two popular protocols, HTTPS and TLS, which provide an extra layer of encryption for communications. But, according to the ESET researchers, there are still plenty of opportunities for hackers to intercept Wi-Fi data using Kr00k, as the new vulnerability is called.
Lipovsky’s team wrote an exploit for the bug and tested it out on a variety of devices. Updates for iPhones are easy to apply; a patch issued by Apple in October takes care of the issue. But routers affected by the bug have to be fixed manually, meaning such fixes are far less common.
“The usage of TLS has improved over the years…but even in 2020 you can still find services or websites either without it or that are mis-implementing it,” Lipovsky told CyberScoop.
At RSA, Lipovsky planned to show how attackers could intercept data sent by a victim to their smart home device.
This research follows word of a similar Wi-Fi vulnerability and set of potential attacks revealed by a researcher at a Belgian university in 2017. Two years later, devices affected by that vulnerability are still sitting on the internet. Both discoveries demonstrate that connected devices, which are ubiquitous in homes and corporations, are susceptible to attacks.