Slashdot Mirror


Firmware Vulnerability In Popular Wi-Fi Chipset Affects Laptops, Smartphones, Routers, Gaming Devices (zdnet.com)

Embedi security researcher Denis Selianin has discovered a vulnerability affecting the firmware of a popular Wi-Fi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices. According to Selianin, the vulnerability impacts ThreadX, a real-time operating system that is used as firmware for billions of devices. ZDNet reports: In a report published today, Selianin described how someone could exploit the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction. The researcher chose this WiFi SoC (system-on-a-chip) because this is one of the most popular WiFi chipsets on the market, being deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few.

"I've managed to identify ~4 total memory corruption issues in some parts of the firmware," said Selianin. "One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks." The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device.
Selianin says he also "identified two methods of exploiting this technique, one that is specific to Marvell's own implementation of the ThreadX firmware, and one that is generic and can be applied to any ThreadX-based firmware, which, according to the ThreadX homepage, could impact as much as 6.2 billion devices," the report says. Patches are reportedly being worked on.

15 of 100 comments

  1. Re:Fantasy by Desler · Score: 2

    They've been upgradeable for decades.

  2. Express Logic Announces THREADX® MISRA Compli by Pinky's Brain · Score: 4, Funny

    https://rtos.com/news/express-...

    Once again proving, the only way to safely use C is by only hiring 200 IQ coders who have been developing firmware for 30 years and have never created an exploitable bug in their entire life. Like all the developers who will argue with me on this ... there's just not enough of you guys to go around though.

  3. Re:Don't use wifi by jfdavis668 · Score: 3, Funny

    For real security, go back to Token-Ring.

  4. Re:Express Logic Announces THREADX® MISRA Com by Desler · Score: 2

    So by this logic Java is also not safe for anyone to use either, no? You didn't forget that the massive Equifax hack was due to a remote code execution vulnerability in Apache Struts, which is written entirely in Java, right?

    https://blogs.apache.org/found...

  5. ThreadX RTOS by duke_cheetah2003 · Score: 4, Interesting

    If I'm reading this correctly, the blame for these exploits is being squarely placed on this ThreadX RTOS thing.

    Well, you signed up for a proprietary operating system; this is what you get when you do that. This is the downside of using code you can't look at and assess yourself, or have assessed by professionals. You just have to take their word for it that it's secure, stable and good. Obviously, this particular proprietary operating system is not secure.

    Must say, I'm mildly surprised. Checking out the ThreadX RTOS website, they seem to have all sorts of fancy certifications which I have no idea what they mean, but surely they mean something? Just not a secure and exploit-free operating system?

    1. Re:ThreadX RTOS by thegarbz · Score: 2

      > Well, you signed up for proprietary operating system, this is what you get when you do that.

      What makes you think that if the OS were non-proprietary the companies in question would have bothered to go through and debug the source code? The many eyes theory has been proven false over and over again in open source.

      Have *you* gone through the Linux kernel line by line? Or are you making an assumption that someone, somewhere who is competent has done a good job?

  6. Oh dear by Anonymous Coward · Score: 4, Insightful

    Certified by SGS-TUV Saar for use in safety-critical systems and achieved EAL4+ Common Criteria security certification. Oops. There goes your pacemaker.

  7. Re:Express Logic Announces THREADX® MISRA Com by Waffle Iron · Score: 2

    You seem to really be obsessing over this issue.

    It's like arguing that cars shouldn't have safety belts and airbags, since you can never rule out the chance that you might die of a heart attack while you're driving.

  8. Re:Where are Marvell chipsets popular? by Anonymous Coward · Score: 5, Informative

    Realtek is the lowest end. Those are the NICs you find on eBay or Amazon for a few bucks that usually have a name randomly generated from a syllable table. You'll also find them rebranded in non-dedicated-IT physical stores for $30. They shift a lot of them because they are the cheapest of the cheap and practically every no-name device has a little RTL crab in it somewhere. Many cheapo all-in-one motherboards have them too and a handful of other integrated devices.

    Marvell are still cheap and cheerful but a lot more popular for integrated devices. Marvell not so much for NICs, though I have seen a few. They're a lot more popular in cheap APs and other network devices than RTL as well. A lot more integrated devices are sold these days than discrete NICs.

    Atheros, Broadcom and Intel are where midrange (or the low end of enterprise) starts. Atheros and Broadcom do also have a fair representation in the consumer space, but they're seen in the high-end enthusiast stuff rather than budget-conscious, high-volume garbage.

  9. 2-4KB of RAM & $300 million risk limits OS cho by raymorris · Score: 4, Interesting

    > they seem to have all sorts of fancy certifications which I have no idea what mean, but surely they mean something?

    Mostly they mean that you can depend on it running perfectly reliably, so you can trust your $300 million space probe to ThreadX.

    You may have also noticed ThreadX takes 2KB of memory.

    When your system requirements are the kind of thing ThreadX is designed for, you don't have a ton of options. Maybe three will be worth considering, and likely one will be the best fit, just on technical considerations.

  10. Re:Express Logic Announces THREADX® MISRA Com by Pinky's Brain · Score: 3, Insightful

    You can interpret data in an incoming packet as code for a domain language in any programming language. There is no language feature which caused this and for which alternatives have been actively researched for decades but held back by curmudgeons.

    The same cannot be said for buffer overflows.

  11. Re:2-4KB of RAM & $300 million risk limits OS by AmiMoJo · Score: 2

    It makes me wonder if they really needed an RTOS for this. In my experience often the RTOS is just a crutch for programmers who don't know how to survive without an OS. It's actually needed for what they want to do, and in fact tends to just make things worse.

    Of course there are times when you want one. Stuff that takes a long time and which you can't easily break up into smaller steps, which wifi stuff seems like it might be a good fit for.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  12. Re:2-4KB of RAM & $300 million risk limits OS by thegarbz · Score: 2

    Abstraction adds safety. The closer to your hardware you get, the more complicated and quirky edge cases you need to handle and debug. The library principle applies here too, e.g. you don't want every idiot reinventing openssl; the end result would be very bad. Instead, by abstracting yourself and building on the platform of others, you have not only reduced the chance of bugs in your code, you've increased consistency between your products and platforms while also dramatically simplifying the process of bug fixing.

  13. Re:2-4KB of RAM & $300 million risk limits OS by Ungrounded Lightning · Score: 2

    > It makes me wonder if they really needed an RTOS for this.

    Running on an RTOS ENORMOUSLY simplifies things when you have multiple, independent (or mostly independent), things you have to manage in real time.

    The task or task set managing each of these independent things can be written without regard for any of the other stuff going on, except for those tiny and well-contained places where it must communicate with another task handling something related. Meanwhile the OS handles the resource allocation, scheduling, and inter-task communication.

    With a good set of patterns to program to, everything gets broken into simple and tiny pieces, small enough to understand and make reliable. The simplicity lets you avoid gobs of on-the-fly checking program bloat, and get a lot done very quickly with minimal resources.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way

  14. Re:Where are Marvell chipsets popular? by Dustie · Score: 2

    > Realtek is the lowest end.

    > Many cheapo all-in-one motherboards have them too

    Some (most?) of the best motherboards (for builders, overclockers, etc.) have Realtek net and audio. Mine has Realtek and some crappy extras besides what the chipset supports for USB, SATA, net, etc. Those crap ones are Marvell and an Intel NIC that is even worse than going back to token ring. Saying "Intel > Marvell > Realtek" tells me you have no clue what you are talking about. That's like saying a rocket is faster than a spoon. Well, not for eating with!