Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Wireless Networking Bug Software Technology

Firmware Vulnerability In Popular Wi-Fi Chipset Affects Laptops, Smartphones, Routers, Gaming Devices (zdnet.com) 100

Embedi security researcher Denis Selianin has discovered a vulnerability affecting the firmware of a popular Wi-Fi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices. According to Selianin, the vulnerability impacts ThreadX, a real-time operating system that is used as firmware for billions of devices. ZDNet reports: In a report published today, Selianin described how someone could exploit the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction. The researcher chose this WiFi SoC (system-on-a-chip) because this is one of the most popular WiFi chipsets on the market, being deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few.

"I've managed to identify ~4 total memory corruption issues in some parts of the firmware," said Selianin. "One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks." The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device.
Selianin says he also "identified two methods of exploiting this technique, one that is specific to Marvell's own implementation of the ThreadX firmware, and one that is generic and can be applied to any ThreadX-based firmware, which, according to the ThreatX homepage, could impact as much as 6.2 billion devices," the report says. Patches are reportedly being worked on.
This discussion has been archived. No new comments can be posted.

Firmware Vulnerability In Popular Wi-Fi Chipset Affects Laptops, Smartphones, Routers, Gaming Devices

Comments Filter:
  • Enjoy some of the security of ethernet.
    • by jfdavis668 ( 1414919 ) on Friday January 18, 2019 @10:26PM (#57985538)
      For real security, go back to Token-Ring.
      • by Anonymous Coward

        For actual security, I do all my internet browsing offline, inside a Faraday cage, deep underground in my backyard bunker.

        • You can download and browse the entire Wikipedia offline. It all will fit on a medium sized SD card on your phone.

          • Funny how the definition of "medium sized SD card" changes with each passing year.

  • Fantasy (Score:2, Insightful)

    by eclectro ( 227083 )

    Patches are reportedly being worked on.

    Since when are any of these consumer devices' firmware actually upgradable??

    Maybe we need to have manufacturers buy everyone new devices so they'd actually learn their lesson.

    • by Desler ( 1608317 )

      They've been upgradeable for decades.

    • They all are - most firmware is loaded at runtime like a windows modem - it's just a matter of the manufacturer putting out a software update, which probably brings us to your point...
    • by Kaenneth ( 82978 )

      Just drive around with the exploit, and when you have taken control, patch it.

    • by tlhIngan ( 30335 )

      Patches are reportedly being worked on.

      Since when are any of these consumer devices' firmware actually upgradable??

      Maybe we need to have manufacturers buy everyone new devices so they'd actually learn their lesson.

      Why? I'm sure Sony and Microsoft will update their game consoles - both are supported devices still and can be updated during the next software update that gets pushed out. I'm pretty certain the Microsoft Surface will be updated as well.

      Ditto the Chromebook since that gets regular updates.

      Maybe

  • by Pinky's Brain ( 1158667 ) on Friday January 18, 2019 @10:20PM (#57985520)

    https://rtos.com/news/express-... [rtos.com]

    Once again proving, the only way to safely use C is by only hiring 200 IQ coders who have been developing firmware for 30 years and have never created an exploitable bug in their entire life. Like all the developers who will argue me on this ... there's just not enough of you guys to go around though.

    • by Desler ( 1608317 )

      So by this logic Java is also not safe for anyone to use either, no?. You didn't forget that the massive Equifax hack was due to a remote code execution vulnerability in Apache Struts which is written entirely in Java, right?

      https://blogs.apache.org/found... [apache.org]

      • by Desler ( 1608317 )

        Oh and even Heartbleed can claim but a small fraction of the damage that the Struts bug did with the breadth of the Equifax breach.

      • Type errors are unavoidable, buffer overflows are unavoidable in (MISRA) C.

        • by Desler ( 1608317 )

          [quote]Type errors are unavoidable,[/quote]

          And yet in the real world they aren't as numerous CVEs can attest. I can also find numerous other causes of security vulnerabilities due to SQL injection, etc. as well. All in software supposedly written by the cream of the crop of these "safe" languages.

          It's almost as if the entire base of your argument is bullshit.

          • Oh yeah, SQL has been nearly as destructive as C ... no argument there. The native use of it in web front ends makes certain types of disastrous errors very easy to make.

    • the only way to safely use C

      I know. Our firmware should be coded by highschoolers using Rust. Then it'll be 100% bug free and safe.

      • Firmware relevant to your well-being will get coded by the equivalent of those highschoolers any way. You celebrate the continued use of C and giving those kids all the tools to harm you with. I think the necessity for replacing C in most fields should have been clear to the industry since before the current crop of highschoolers was born.

        • Take away people's guns and they'll just stab you. Your notion that if avoid writing in C (especially in low level systems like this) everything will be better is just stupid.

  • ThreadX RTOS (Score:5, Interesting)

    by duke_cheetah2003 ( 862933 ) on Friday January 18, 2019 @11:03PM (#57985666) Homepage

    If I'm reading this correctly, the blame for these exploits is being squarely placed on this ThreadX RTOS thing.

    Well, you signed up for proprietary operating system, this is what you get when you do that. This is the downside of using code you can't look at and assess yourself, or have it assessed by professionals. You just have to take their word for it that it's security, stable and good. Obviously, this particular proprietary operating system is not secure.

    Must say, I'm mildly surprised. Checking out ThreadX RTOS website, they seem to have all sorts of fancy certifications which I have no idea what mean, but surely they mean something? Just not secure and exploit free operating system?

    • by raymorris ( 2726007 ) on Saturday January 19, 2019 @01:10AM (#57985996) Journal

      > they seem to have all sorts of fancy certifications which I have no idea what mean, but surely they mean something?

      Mostly they mean that you can depend on it running perfectly reliably, so you can trust your $300 million space probe to ThreadX.

      You may have also noticed ThreadX takes 2KB of memory.

      When your system requirements are the kind of thing ThreadX is designed for, you don't have a ton of options. Maybe three will be worth considering, and likely one will be the best fit, just on technical considerations.

      • by AmiMoJo ( 196126 )

        It makes me wonder if they really needed an RTOS for this. In my experience often the RTOS is just a crutch for programmers who don't know how to survive without an OS. It's actually needed for what they want to do, and in fact tends to just make things worse.

        Of course there are times when you want one. Stuff that takes a long time and which you can't easily break up into smaller steps, which wifi stuff seems like it might be a good fit for.

        • Abstraction adds safety. The closer to your hardware you get the more complicated and quirky edge cases you need to handle and debug. The library principle applies here too. e.g. you don't want every idiot reinventing openssl the end result would be very bad. Instead by abstracting yourself and building on the platform of others you have not only reduced the chance of bugs in your code, you've increased consistency between your products and platforms while also dramatically simplifying the process of bug fi

          • by AmiMoJo ( 196126 )

            That works on bigger systems where you have hardware support for abstraction, things like memory protection.

            Without it the abstraction doesn't help. A bad pointer can still trash another task. Maybe other tasks can still run even if one hangs, but now you need a two level watchdog system to save that task and to save the OS in case that gets stuck.

            As for libraries, sure for openssl, but does openssl need an RTOS just to be ported? And are you going to maintain that port? Makes more sense to shove stuff like

            • A bad pointer can still trash another task. Maybe other tasks can still run even if one hangs, but now you need a two level watchdog system to save that task and to save the OS in case that gets stuck.

              What we could do is collect all of these functions in a common structure and run it on our hardware. Let's give it a fancy name like "Operating System".

        • It makes me wonder if they really needed an RTOS for this.

          Running on an RTOS ENORMOUSLY simplifies things when you have multiple, independent (or mostly independent), things you have to manage in real time.

          The task or task set managing each of these independent things can be written without regard for any of the other stuff going on, except for those tiny and well-contained places where it must communicate with another task handling something related. Meanwhile the OS handles the resource allocation, sched

    • Well, you signed up for proprietary operating system, this is what you get when you do that.

      What makes you think that if the OS were non proprietary that the companies in question would have bothered to go through and debug the source code? The many eyes theory has been proven false over and over again in open source.

      Have *you* gone through the Linux kernel line by line? Or are you making an assumption that someone, somewhere who is competent has done a good job?

      • [quote]The many eyes theory has been proven false over and over again in open source.[/quote]

        In fact it has been proven TRUE over and over again in open source. When a project is popular and well used, bugs (which all are security risks; the only difference between them is magnitude) get rooted out very efficiently.

        And wifi modules are incredibly popular. If these had been running an open source OS, immense amounts of scrutiny would have been applied.

        Sure, unpopular projects and products do not get a lot of

        • In fact it has been proven TRUE over and over again in open source. When a project is popular and well used, bugs (which all are security risks; the only difference between them is magnitude) get rooted out very efficiently.

          Look just claiming something doesn't make it so. Maybe have data to back it up? I know I know you would struggle to prove a false, but if the CVEs on OpenSSL, and Bash (just to name 2 very high profile cases recently) are anything to go by your statement could not be more wrong.

          Now to be fair the bugs are shallow statement is misrepresented. Linus's law specifically talked about beta testing and problems, not covert security vulnerabilities. But the misrepresented version has been proven false over and over

          • Linus does not differentiate between bugs and bugs. They are all bugs.

            And yes, I did look over open source code.And my employer did, on my recommendation. Some of those applications are now in-house maintained, as they have been abandoned. Others, the patches have been given back to the project.

            The point is not that security reviews are performed on open source software. I have not claimed that routinely happens (though companies I have worked for do them all the time). The point is, when I need to use a pr

    • by Anonymous Coward

      I used ThreadX back in the day. Not sure this is still the case but they used to give you a copy of the source code when licensed. It was proprietary but you could definitely look at the source.

    • by dog77 ( 1005249 )

      Well, you signed up for proprietary operating system, this is what you get when you do that. This is the downside of using code you can't look at and assess yourself, or have it assessed by professionals.

      ThreadX does distribute its source.

      From https://en.wikipedia.org/wiki/... [wikipedia.org] ThreadX is distributed using a marketing model in which source code is provided and licenses are royalty-free.

    • by dog77 ( 1005249 )

      If I'm reading this correctly, the blame for these exploits is being squarely placed on this ThreadX RTOS thing.

      I think you are reading it incorrectly and the summary is misleading. This is NOT a ThreadX bug:

      From https://embedi.org/blog/remote... [embedi.org]
      So, we have 2 techniques to exploit ThreadX block pool overflow. One is generic and can be applied to any ThreadX-based firmware (in case it has a block pool overflow bug, and the next block is free). **Emphasis on: "in case it has a block pool overflow bug"

  • Oh dear (Score:4, Insightful)

    by Anonymous Coward on Friday January 18, 2019 @11:24PM (#57985774)

    Certified by SGS-TUV Saar for use in safety-critical systems and achieved EAL4+ Common Criteria security certification. Oops. There goes your pacemaker.

  • Then proceeds to only list a few devices using that chipset, not a complete list.

    What the fuck are we supposed to do with this information?

  • Guess what chipset the newest HP printers are using?

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...