Research by ESET shows that more than a billion devices were at risk due to a security problem with WiFi chips. iPhones and Samsung Galaxy smartphones, among others, were vulnerable because of the error, which left large amounts of data out in the open for cyber criminals to pick up.
The error, which ESET named Kr00k, appeared in chips from Broadcom and Cypress. In addition to iPhones and Samsung smartphones, these chips can also be found in iPads, MacBooks, Amazon Echo speakers, Amazon Kindle readers and certain routers, including models by Asus and Huawei. This means that all these devices were exposed to third parties.
According to ESET, the problem arises at the end of a WiFi session, when a chip should no longer send any data. However, it was discovered that data frames were still being sent, and that these were no longer properly encrypted, making it easier for cyber criminals to access that data. Moreover, an attacker does not need to be connected to the relevant WiFi network in order to intercept the data, which means that securing your WiFi network well offers no protection against this particular problem.
ESET states that vulnerable routers are a particularly problematic case because the intervals between updates are much longer than with smartphones. Broadcom and Cypress have now published patches, but routers are updated much less frequently. Therefore, even if a smartphone is well secured, third parties can still get hold of the data a user downloads or views if that smartphone connects through a router, and thus a WiFi network, that is not well secured.
According to ESET, for now it is especially important to have the latest updates installed. “To protect yourself as a user, it is best to make sure that all devices with WiFi access, including phones, tablets, laptops, smart IoT devices and WiFi access points and routers, are updated and use the latest firmware version”, Robert Lipovský, researcher at the security firm, advises.