Yet another major firmware bug has been found that leaves billions of phones, routers, and other wireless devices from Apple, Google, and Amazon open to spying.
The bug, known as “Kr00k,” was discovered by the ESET data security firm and disclosed in a recent paper. Kr00k affects the way certain wifi chips encrypt data; when an affected wifi device is disconnected, in-progress communications are left improperly encrypted with a key of only 0s, which can be easily decrypted. Hackers can destabilize a wifi signal to trigger the bug, then intercept and read bits of the vulnerable data. (Ars Technica’s report on the Kr00k bug has further technical details for those interested.)
While it would be hard for the information collected this way to be successfully leveraged by hackers, it’s still a big security threat and users should take the necessary steps to ensure their devices are safe by installing the latest updates. While most of your devices can be (or have been) fixed with a software patch, you’ll want to make sure you’re using the latest firmware for your wifi routers at least, as they don’t often automatically update themselves.
Here’s a list of products confirmed to have the Kr00k bug:
- Amazon Kindle 8th gen
- Google Nexus 5, 6, and 6S
- iPad mini 2
- iPhone 6, 6S, 8, XR
- Samsung Galaxy S8 and S4 GT-I9505
- Xiaomi Redmi 3S
- Asus RT-N12
- Huawei B612S-25d
- Huawei EchoLife HG8245H
- Huawei E5577Cs-321
- Amazon Echo 2nd gen smart speaker
- Apple MacBook Air Retina 13-inch (2018)
- Raspberry Pi 3
It’s possible other devices carry the bug, too, so you should make sure your wifi-loving devices are using the latest firmware or software updates from their manufacturers. And if there aren’t any recent ones available, make a note to check back in a month or so (just in case).
It’s also recommended that users turn on DNS over HTTPS (DoH) on their device’s web browser(s), if available, to keep any attackers from seeing what websites you visit. You can check our DoH and wifi security guides for more information.