A flaw in the encryption used by Broadcom and Cypress Semiconductor left Apple devices vulnerable to having their private data sent over the air decrypted, but Apple says it’s already patched the flaw for affected devices.
The exploit was detailed at the RSA security conference in San Francisco today. ESET Security discovered the issue and named it “Kr00k”, because even security researchers are allowed to have fun some of the time.
Kr00k works by exploiting wireless devices at the time they’re disassociating from a wireless access point ” so, for example if you’re travelling out of range of your home or office Wi-Fi, or jumping between public Wi-Fi points if you like living risky with your data.
It works by sending an all-zero encryption key to the device in that instant. If it succeeds, it’s theoretically possible to intercept and decrypt network packets being sent by an attacked device.
The chipsets used aren’t unique to Apple, and as Cult Of Mac notes, Apple’s October 2019 patches for iOS, iPadOS and macOS directly addressed the issue, so as long as you are up-to-date on your updates, you should be secure.
It’s an issue that goes wider than the Apple walled garden, with ESET’s researchers calling out a number of highly popular devices that use the same chips found in Apple’s iPhone 6 and iPad Mini 2, including the Raspberry Pi 3, Samsung Galaxy S8 and Amazon Kindle 8th Generation devices that were technically vulnerable to the flaw prior to patching.
ESET notes that there are plenty of devices it didn’t test for the vulnerability, but as it’s clearly divulged the flaw prior to making its research public, there’s better scope for it to be already covered by your device’s security updates.
That’s presuming you did run those updates. You have been keeping your tech updated… haven’t you?
[ESET via Cult Of Mac]