Vulnerability in Qualcomm and MediaTek chips that allows intercepting some WPA2 traffic

Researchers at ESET have revealed a new variant (CVE-2020-3702) of the Kr00k vulnerability, this time affecting Qualcomm and MediaTek wireless chips. Like the first variant, to which Cypress and Broadcom chips were exposed, the new vulnerability allows an attacker to decrypt intercepted Wi-Fi traffic protected with WPA2.

Recall that the Kr00k vulnerability is caused by incorrect handling of encryption keys when a device is disconnected (disassociated) from the access point. In the first variant, on disconnection the session key (PTK) stored in the chip's memory was reset to zero, since no further data is supposed to be sent in the current session. However, the data still sitting in the transmit (TX) buffer was encrypted anyway, now with the cleared key consisting only of zeros, and could therefore be trivially decrypted if intercepted. The empty key only affects the residual data in that buffer, which is a few kilobytes in size.

The key difference in the second variant, which manifests in Qualcomm and MediaTek chips, is that instead of being encrypted with an all-zero key, the data left after disassociation is transmitted with no encryption at all, even though the encryption flags in the frames are set. Among the Qualcomm-based devices tested, the D-Link DCH-G020 Smart Home Hub and the open-source Turris Omnia router were identified as affected. Among devices based on MediaTek chips, the ASUS RT-AC52U router and IoT solutions built on Microsoft Azure Sphere with the MediaTek MT3620 microcontroller were tested.

To exploit either variant, an attacker sends special control frames that trigger a disassociation and then intercepts the data transmitted after it. Disassociation is a normal part of wireless networking: it is used to switch from one access point to another while roaming, or when the connection to the current access point is lost. It can be triggered by sending a control frame, which is transmitted unencrypted and requires no authentication (the attacker must be within range of the Wi-Fi signal but does not need to be connected to the wireless network). The attack works both when a vulnerable client device is talking to an unaffected access point, and when an unaffected device is talking to an access point on which the vulnerability manifests.
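The symptom of the second variant described above, a frame whose Protected Frame bit is set while its body is plaintext, is easy to spot passively. The following detector is an added example (not ESET's test script): it walks a list of constructed 802.11 frames, remembers which stations were just disassociated or deauthenticated, and flags subsequent data frames from those stations that carry the Protected bit but start with a plaintext LLC/SNAP header. The `Frame` type, MAC addresses and frame bodies are constructed here for illustration.

```python
# Added example: passive detector for the "encryption flag set, data in the clear"
# symptom of the second Kr00k variant, over constructed 802.11 frames.
from dataclasses import dataclass

LLC_SNAP = bytes.fromhex("aaaa03")  # LLC/SNAP header that begins an unencrypted 802.11 data payload

@dataclass
class Frame:
    fc: int        # 16-bit Frame Control field (as the little-endian integer from the wire)
    addr1: str     # receiver address
    addr2: str     # transmitter address
    body: bytes    # frame body after the MAC header

def frame_type(fc):
    """Return (type, subtype) from Frame Control: type is bits 2-3, subtype bits 4-7."""
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF

def is_protected(fc):
    """Protected Frame bit is bit 6 of the second FC byte, i.e. 0x4000 as a 16-bit int."""
    return bool(fc & 0x4000)

def detect_kr00k_v2(frames):
    """Return (index, transmitter) for each data frame sent after a disassociation or
    deauthentication that has the Protected bit set but a plaintext LLC/SNAP body."""
    disassociated = set()   # stations involved in a recent disassoc/deauth exchange
    hits = []
    for i, f in enumerate(frames):
        ftype, subtype = frame_type(f.fc)
        if ftype == 0 and subtype in (0xA, 0xC):      # management: disassoc (10) or deauth (12)
            disassociated.update((f.addr1, f.addr2))
        elif ftype == 2:                               # data frame
            if is_protected(f.fc) and f.body.startswith(LLC_SNAP) and f.addr2 in disassociated:
                hits.append((i, f.addr2))
    return hits

def sample_frames():
    """Constructed capture: station 02:..:01 talks to AP 02:..:aa; a disassociation is
    followed by one leaked plaintext frame and one frame that is still properly encrypted."""
    sta, ap = "02:00:00:00:00:01", "02:00:00:00:00:aa"
    ccmp = bytes.fromhex("0100002000000000") + bytes(range(16))   # CCMP header + opaque ciphertext (constructed)
    leaked = LLC_SNAP + bytes.fromhex("0000000800") + b"E\x00"    # plaintext LLC/SNAP + start of an IPv4 header
    return [
        Frame(0x4108, ap, sta, ccmp),        # ToDS data, Protected bit set, real ciphertext: fine
        Frame(0x00A0, sta, ap, b"\x08\x00"), # disassociation from AP to station, reason code 8
        Frame(0x4108, ap, sta, leaked),      # Protected bit set but plaintext body: the Kr00k symptom
        Frame(0x4108, ap, sta, ccmp),        # encrypted again: not flagged
    ]
```

Frames that are legitimately encrypted start with a CCMP/TKIP header rather than AA AA 03, so the check produces no hits on healthy traffic.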

The vulnerability affects encryption at the wireless-network layer only, so it lets an attacker read traffic that the user sent over connections without their own encryption (for example DNS, HTTP and plain mail traffic), but it does not make it possible to compromise connections that are encrypted at the application layer (HTTPS, SSH, STARTTLS, DNS over TLS, VPN, etc.). The risk is further reduced by the fact that the attacker can only decrypt the few kilobytes of data that were in the transmit buffer at the moment of disconnection. To capture sensitive data sent over an insecure connection, an attacker must either know exactly when it is being sent, or repeatedly force disconnections from the access point, which the user will notice as constant restarts of the wireless connection.

The issue is fixed in the July update of Qualcomm's proprietary chip driver and in the April update of the MediaTek chip driver. A fix for the MT3620 was proposed in July. The researchers who identified the problem have no information on whether fixes have been included in the free ath9k driver. To test devices for exposure to both vulnerabilities, the researchers have prepared a Python script.

Separately, researchers from Check Point have disclosed six vulnerabilities in Qualcomm DSP chips, which are used in 40% of smartphones, including devices from Google, Samsung, LG, Xiaomi and OnePlus. Details of the vulnerabilities are being withheld until the manufacturers fix the problems. Since the DSP chip is a "black box" that the smartphone manufacturer cannot control, the fix may take longer and require coordination with the DSP chip manufacturer.

DSP chips are used in modern smartphones for tasks such as sound, image and video processing, for the computations behind augmented reality, computer vision and machine learning, and for implementing fast-charging modes. The attacks that the identified vulnerabilities enable include: bypassing the access control system (stealthy capture of data such as photos, videos, call recordings, microphone audio, GPS location, etc.); denial of service (blocking access to all stored information); and hiding malicious activity (creating completely invisible and unremovable malicious components).

Source: opennet.ru
