New Wi-Fi chip bug affects everything from Amazon’s Echo to home routers

An estimated 1 billion devices are affected.
MoFi Networks
The research points to a longstanding yet unresolved issue: how to incentivize security among vendors who sell routers in a market that prizes affordability and convenience. (Getty)

A large swath of internet-of-things (IoT) devices are affected by a new vulnerability that could let a criminal or spy decrypt data sent over wireless connections, researchers said Wednesday.

The flaw in widely used Wi-Fi chips made by Broadcom and Cypress essentially disables the encryption key used to secure communications over popular wireless standards. Everything from certain classes of the iPhone to Amazon’s Echo could be vulnerable to attacks tested by researchers at antivirus company ESET, who discovered the vulnerability. One billion devices are affected, ESET estimated.

ESET hasn’t seen any attacks in the wild exploiting this vulnerability.

Yet it’s the latest reminder that, while governments in the U.S.the U.K., and elsewhere are urging IoT vendors to build more security into their products, they are up against a market that often prioritizes low costs, and convenience.


“These consumer IoT devices are expanding the attack surface for enterprises,” said Robert Lipovsky, senior malware researcher at ESET, who presented his findings Wednesday at the RSA Conference in San Francisco. The main vendors affected by the vulnerability have issued security fixes for it.

Crucially, the vulnerability cannot be used break two popular protocols, HTTPs and TLS, which provide an extra layer of encryption for communications. But, according to the ESET researchers, there are still plenty of opportunities for hackers to intercept WiFi data using Krook, as the new vulnerability is called.

Lipovsky’s team wrote an exploit for the bug and tested it out on a variety of devices. Updates for iPhones are easy to apply; a patch issued by Apple in October takes care of the issue. But fixing routers affected by the bug requires manually doing so, meaning it is far less common.

“The usage of TLS has improved over the years…but even in 2020 you can still find services or websites either without it or that are mis-implementing it,” Lipovsky told CyberScoop.

At RSA, Lipovsky planned to show how attackers could intercept data sent by a victim to their smart home device.


This research follows word of a similar Wi-Fi vulnerability and set of potential attacks revealed by a researcher at a Belgian university in 2017. Two years later, devices affected by that vulnerability are still sitting on the internet. Both discoveries demonstrate connected devices that are ubiquitous in homes and corporations are susceptible to attacks.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts