Hacked - News Update - kr00k WIFI Vulnerability
Episode Date: March 3, 2020
Jordan + Scott discuss the kr00k vulnerability in this trial episode of a Hacked News Update.
Transcript
Whatever you're listening to this on right now, it's almost certainly got a Wi-Fi chip in it.
It's almost certainly using something called WPA2, a security method that provides data protection and network control.
Essentially, when you use Wi-Fi, you are sending information flying through the air between your device and your router.
And WPA2 is the encryption that makes sure all that data flying through the air is secure from anyone trying to watch.
Secure enough for consumers sending credit card numbers, secure enough for governments, secure.
And now that we've established just how secure that system is.
It's October 2016, and a video pops up on YouTube.
The video is four minutes long,
narrated by a Belgian guy named Mathy Vanhoef.
In the video, Mathy connects to Wi-Fi on an Android device,
and he goes to Match.com.
He then opens up the command line on a computer
and starts to force the random number used in the Wi-Fi encryption
to reset over and over again until he's able to parse out.
I'm not going to pretend to understand what he's doing,
but I understand what he achieves.
At the end of the video, Mathy goes to log into Match.com on his Android device.
He types in his username, he types in his password,
and he clicks login.
And we watch as the username and password he typed in on the phone appears on the screen of the laptop.
We watch as he plucks that encrypted information out of the air and displays it in plain text right on his screen.
We watch as he cuts through encryption seemingly secure enough for personal data and financial information and government documents in four minutes flat.
The discovery was named Key Reinstallation Attack, or KRACK.
There was a bunch of press coverage of KRACK with a K.
People got scared.
KRACK with a K was patched.
All was well.
Until just this week.
When another video went up,
introducing us to something called Kr00k.
You might notice this episode is coming out
much sooner than our normal schedule.
We're trying something new here.
Today, we're going to have a quick conversation about Kr00k,
how it works, what it means,
and where it's going.
here on, let's call it, a Hacked News Update.
Jordan has just propped a mic stand against another mic stand
because he broke one, probably in a drunken fury.
I'm a professional and I will not dignify these spurious accusations.
All right, so I sit down on my laptop.
I connect to Wi-Fi.
I go to Wikipedia.com or whatever.
What's happening in the air between the router and my laptop?
Sure. So let's just not talk about HTTPS encryption. Let's just pretend that the entire internet doesn't have any kind of encryption on it. Just use that as a starting block. That's an easy way to start. Between your computer and the Wi-Fi router, what's happened is you've logged in to the Wi-Fi. You know, we've all had to do that process. Essentially, the Wi-Fi router and your computer kind of go through this handshake process where they pass keys back and forth that allow them to encrypt data to send back and forth between each other so that nobody else can kind of see what's going on.
Right. So I log into the Wi-Fi in my apartment. I can see 10 other Wi-Fi networks,
but I obviously can't log into them because I don't have the password,
but I also can't just sort of grab that data that's flying through the air
out of the air because it's encrypted during this handshake process?
Yeah, yeah. So like going back to our Wi-Fi episode in our kind of original season,
the data traffic is typically encrypted. So WPA2 Personal and Enterprise are the most common kind of Wi-Fi encryption algorithms.
And what they do is they create an encryption key set between your device and the Wi-Fi
router so that nobody else can really see that data.
Why is this called Kr00k?
The reason it's called Kr00k, K-R-0-0-K, is similar to KRACK.
What's happening is when my laptop, say, and the Wi-Fi router, you know, create a set of keys, they're these unique kind of like long string encryption keys.
But what happens is that if my laptop ever disassociates from the Wi-Fi router, the default protocol is that the keys get replaced with just zeros, hence the KR00K,
which isn't that big a deal. It's kind of a good thing that it does that,
except that all of the remaining packets in the transmission queue get sent out with this kind of new key set.
So they send out over this essentially unencrypted channel.
So you're trying to keep the network in this disassociated state.
So the packets that are in the queue, that are kind of flying through the air, are, you know, decryptable, basically.
You could kind of extend it to that because what you can do is you can actually force the disassociations.
So my laptop will constantly be trying to reassociate with the Wi-Fi router.
And then you just keep forcing the disassociation.
So you can actually send a de-authentication packet.
There's a whole suite of tools that let you kind of manipulate Wi-Fi traffic and listen to Wi-Fi traffic.
Aircrack is the like suite of tools.
And that doesn't let you stretch the window out, but it can let you just kind of keep disassociating a device, resetting the key set, allowing you to read most of the packets.
Is that difficult?
I could probably do it in like 30 minutes.
Really?
Yeah, it's not too crazy.
Oh, interesting.
Is this a thing that the average person needs to worry about, or are there easier ways to get the traffic that's going from a person's computer?
No, it's probably not an easier way.
It's not super complicated, but you'd have to really be a target.
Somebody would really want to see your data.
It's not like you roll into a Starbucks and you pull out your phone and connect
to the router and, you know, somebody's looking at everyone's traffic.
They have to identify you, figure out what the address of your phone is,
you know, force the disassociation, read the packets in.
Like, it's not something that you can do at mass scale.
This is much more of a targeted attack.
This is a vulnerability in the Wi-Fi chips specifically,
like the Broadcom and the Cypress chips.
Is this the kind of thing where they release an update
and this problem vanishes?
Yeah, theoretically they should be able to,
but the problem is that it's not the chipmaker
that probably has to release the update.
It then has to trickle through every, you know, hardware provider.
So everything you have that has one of these chips in, it's probably going to need a firmware update.
So, you know, it's not just, you know, Cypress.
It's the 30,000 companies that make something with a Cypress chip in it.
Right.
Amazon hasn't updated their Echo yet to have a firmware update that addresses Kr00k.
Therefore, it's still vulnerable to it.
Yeah.
Interesting.
So this is the kind of thing where it's like the person you want to be looking at, the person that you're kind of holding responsible, is the technology manufacturer, who either has or hasn't released a firmware update that addresses this.
Yeah, likely.
I'm sure they will be, and especially the major ones like Amazon,
I can foresee them coming out with solutions to this,
especially seeing as over their bandwidth channels,
they have things running like what people are asking Alexa
and other personal recordings of what we're saying in our homes.
But, yeah, I'm sure there is probably, you know, come to think of it again,
there probably is a way to do it at mass scale, and that would be very complicated.
Like when I said it was very targeted, I'm sure you could write something
that kind of monitors all of the air traffic around you,
and then sends deauth and disassociation attacks at everybody,
and then kind of bulk wholesale reads in all of that data.
That would be much more complicated, but you probably could do that, on second thought.
Right.
That state, that zero state, the Kr00k, with the two zeros, you could just create that state on, say, a network that's being used by tons and tons of people, and you'd be able to see all of that traffic.
Yeah, you'd be a nightmare for the Wi-Fi router because you'd just constantly be bouncing people off of it, and then reconnecting and just kind of constantly dumping transmission buffers or queues of packet data in an unencrypted or essentially unencrypted state.
So, yeah, you could probably write a very complicated script and have a very complicated, you know,
kind of device and sit and scrub a whole Wi-Fi network if you really wanted to.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, a SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up
for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform, a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy,
and all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent-led-by-design.
You get agents that coordinate, agents that investigate,
agents that respond at machine speed,
and hundreds more that automate the repetitive work
that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works
with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform
so every AI-driven decision reflects your environment
instead of generic assumptions.
The automation frees your concierge security team
to focus on higher value strategy and proactive risk reductions
while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations
actually looks like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head.
Organizations around the world saw headlines they never expected and cybersecurity teams
were tested like never before, but here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded,
and most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights into how threat actors are evolving,
how defenders are responding,
and what strategies can help you stay ahead of the next big breach.
It's not fear-mongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
Why are people researching these? Like, I understand a hacker going looking for one of these vulnerabilities, because then, in a sense, you could do something with it. You could deploy a hack with it.
Why are people going and digging for these kinds of mistakes, I guess, for these vulnerabilities, and then publishing them in YouTube videos and white paper reports for all the world to see?
Yeah, because it's a job now, like security research, bug bounty, all that whole kind of suite of security testing at the development level is like a, you know, that's a profession. And, you know, we talked about this, I think,
in the last episode where, you know, people don't intentionally create insecurity. They're
intentionally trying to create a product or service. And by focusing solely on the output goal,
they ignore some things that create insecurity. So there's an entire industry forming kind of
in its wake coming afterwards looking to clean up and patch those insecurities. I think that's how
this bug was determined is literally one of these groups, I believe, was looking at an Amazon Echo,
and they happened to reproduce a similar state to the KRACK problem in that Wi-Fi chip,
and they were like, holy, it still exists.
You talk about move fast and break things and kind of makes sense there would be a whole
cottage industry that would come along, be like, we're going to trail behind you and fix things.
Yeah, and if you're really good at it, like if you have that skill set and, you know, can logically
rip down where the vulnerabilities could be and test for them and isolate them, you can make a
pretty significant amount of money. This is an interesting hack and a vulnerability that affects
billions and billions of devices, but generally speaking, do people need to worry about something
like this? Or is it more interesting in, like, an intellectual, academic sense?
This isn't something that's going to stop me from using Wi-Fi. I don't think there's, most of the services that we use and that I depend on have a secondary layer of encryption. So even if they are sniffing my raw packets, those packets are encrypted anyway. So then we get into the requirement to do man-in-the-middle attacks and bypass security checks for man-in-the-middle attacks and all the rest of that jazz. So it's not something that I'm particularly worried about.
Right. It brings us back to the thing that we weren't bringing up in this, which is HTTPS, which is that even if that packet is unencrypted, your traffic itself in the packet is encrypted?
Yeah. So like
HTTPS is a web protocol that encrypts your back and forth traffic between a web server and your web browser. So most of what I do on the internet is web associated. So it's all through that kind of HTTPS tunnel. So it's encrypted. Like HTTPS is now the standard rather than the alternative. So most significant web traffic, anything important on the internet is going to be
So why is this important? Why is it getting so much coverage?
Because it's like universal in a chip. It's a hardware problem.
This isn't like a small line of code that needs to be changed. This is, you know, a security issue that comes about in a chip that's so widely used.
A chip that's probably on the device that people are listening to this on.
Yeah, it's literally in my phone.
Hey, everybody. Thanks for listening to this little experiment. If you liked getting this kind of news update in between episodes, if this worked for you, or if you've got any feedback at all, you can find us on Twitter at hackedpodcast or reach us via email at get@hackedpodcast.com.
We genuinely want all the feedback we can possibly be getting to make this show as good as it can be.
As always, like and subscribe. And if you do like the show, check us out at patreon.com/hackedpodcast. Thanks for listening.