Wi-Fi Chip Firmware Flaws Enable Over-the-Air Hacking

Editor’s Note: This post was updated Jan. 29 to include a statement from Marvell.

Wi-Fi chips used in several gaming consoles, Chromebooks, streaming boxes, routers and other types of devices have several firmware vulnerabilities that could allow attackers to compromise those systems over the air with no user interaction.


The vulnerabilities were discovered by Denis Selianin, a researcher at security firm Embedi, and are located in the firmware of Marvell Avastar Wi-Fi system-on-a-chip (SoC). This firmware is loaded by the driver installed in the operating system’s kernel and is used to initialize the chip’s functionality during boot.

The Marvell Avastar Wi-Fi chips are used in Valve Steam Link, a now-discontinued streaming device, but also in the PlayStation 4, some Microsoft Surface tablets and laptops, Samsung Chromebooks and other devices.

Selianin performed his research on the Valve Steam Link hardware, because it was running Linux and did not have DRM protection, which made it easier to reverse-engineer. He found that the Avastar firmware was based on ThreadX, a proprietary real-time operating system (RTOS) with more than 6 billion deployments worldwide, so it might be possible for the flaws to affect other chips.

First, Selianin identified two methods of exploiting block pool overflows in ThreadX, one that’s generic and could apply to all ThreadX deployments if they have such a vulnerability and one that’s specific to Marvell’s implementation. He found four memory corruption bugs, but one was very easy to exploit.

“One of the discovered vulnerabilities was a special case of ThreadX block pool overflow,” the researcher said in a blog post. “This vulnerability can be triggered without user interaction during the scanning for available networks. This procedure is launched every 5 minutes regardless of a device being connected to some Wi-Fi network or not. That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network).”

This is a very powerful attack since, unlike other exploits, it doesn’t require pairing the device with an evil Wi-Fi network. The exploitation happens during the Wi-Fi scanning done automatically by devices in the background and only requires placing a specifically crafted access point in its range. Doing this in a crowded area with a lot of wireless networks and targets, such as an airport, can result in a lot of victims.
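A simplified model of the bug class described above, added here as an illustration and not taken from ThreadX, Marvell's firmware or the researcher's write-up: a fixed-size block pool that keeps its free-list link in-band, a copy that trusts an oversized length, and the two checks (length bound, link validation) that stop the damage. The layout, sizes and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LINK    4u                /* in-band link word in front of each block */
#define PAYLOAD 16u               /* payload bytes per block (constructed value) */
#define SLOT    (LINK + PAYLOAD)
#define NBLOCKS 4u
#define END     0xFFFFFFFFu       /* end-of-free-list marker */

typedef struct { uint8_t mem[NBLOCKS * SLOT]; uint32_t free_head; } pool_t;

static uint32_t get_link(const pool_t *p, uint32_t off) {
    uint32_t v; memcpy(&v, p->mem + off, sizeof v); return v;
}
static void set_link(pool_t *p, uint32_t off, uint32_t v) {
    memcpy(p->mem + off, &v, sizeof v);
}
void pool_init(pool_t *p) {       /* chain every slot into the free list */
    for (uint32_t i = 0; i < NBLOCKS; i++)
        set_link(p, i * SLOT, i + 1 < NBLOCKS ? (i + 1) * SLOT : END);
    p->free_head = 0;
}
/* A link is valid only if it is END or the exact start of a slot in this pool. */
int link_ok(uint32_t off) {
    return off == END || (off < NBLOCKS * SLOT && off % SLOT == 0);
}
/* Hardened allocation: validate the head and the link it carries before use. */
uint8_t *pool_alloc_checked(pool_t *p) {
    uint32_t head = p->free_head;
    if (head == END || !link_ok(head) || !link_ok(get_link(p, head))) return NULL;
    p->free_head = get_link(p, head);
    return p->mem + head + LINK;
}
/* Bug class: the copy trusts a length that came from the received frame. */
void copy_unchecked(uint8_t *dst, const uint8_t *src, size_t len) { memcpy(dst, src, len); }
/* Fix: reject anything larger than the block payload. */
int copy_checked(uint8_t *dst, const uint8_t *src, size_t len) {
    if (len > PAYLOAD) return -1;
    memcpy(dst, src, len);
    return 0;
}
/* Constructed scenario: a 24-byte frame lands in a 16-byte block, overwriting
   the next slot's link word; link validation then refuses to follow it. */
int overflow_caught(void) {
    pool_t p; uint8_t frame[24];
    memset(frame, 0x41, sizeof frame);
    pool_init(&p);
    copy_unchecked(pool_alloc_checked(&p), frame, sizeof frame);
    return pool_alloc_checked(&p) == NULL;   /* 1 = corrupted link rejected */
}
```

Without `link_ok`, the allocator would load the overwritten link into `free_head` and hand it out on a later allocation, which is why a length check at the copy site and metadata validation in the allocator are both worth having.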

“Marvell is not aware of any real world exploitation of this vulnerability outside of a controlled environment,” Marvell said in a statement sent via email. “Marvell deployed a fix to address this issue which we have made available in our standard driver and firmware. We have communicated to our direct customers to update to Marvell’s latest firmware and driver to get the most recent security enhancements, including support for WPA3.”

This is not the first vulnerability found in Wi-Fi firmware. Researchers from Google’s Project Zero team found similarly dangerous flaws two years ago in the firmware of Broadcom Wi-Fi chips used in mobile devices.

Wi-Fi is also not the only wireless protocol that allows over-the-air no-interaction attacks. In 2017, researchers found critical vulnerabilities in the Bluetooth implementations of major operating systems that could be exploited to take over systems.

Wi-Fi firmware is usually made up of low-level proprietary code, so it hasn’t been scrutinized for flaws by the hacker community as thoroughly as operating systems or popular software applications have. However, just like CPU microcode, wireless technologies and mobile baseband have become interesting areas of research over the past few years, so the industry should expect more vulnerabilities to pop up.

Windows Zero-Days Get Unofficial Micropatches

The two unpatched Windows vulnerabilities disclosed by a security enthusiast in December have received micropatches through 0patch.com, a service that provides in-memory patching of zero-day flaws.

Microsoft did not fix the vulnerabilities in the January Patch Tuesday, which means they’re not likely to receive a patch until Feb. 12. Fortunately, the flaws are race conditions and are not very easy to exploit.

Both vulnerabilities were disclosed by a security enthusiast who uses the online alias SandboxEscaper and who has published four Windows privilege escalation bugs since August. The first of them, located in the Windows Task Scheduler, was used by attackers in the wild before Microsoft released a patch for it.

The latest two flaws were released before and after Christmas. One allows attackers with access to a limited account—for example through malware—to read arbitrary files belonging to other users that they shouldn’t normally be able to access. This can lead to sensitive information disclosure.

The second vulnerability allows attackers in control of a limited account to overwrite arbitrary files with data, potentially leading to denial-of-service and, with some effort, privilege escalation.

Micropatching is the technique of patching a binary file while loaded in memory instead of modifying it on disk, as a normal patch does. This means the patch is temporary, but also that it can be easily applied and removed without restarting the affected process. The 0patch.com service requires a free account and installing a small software agent to apply the patches.

Lucian Constantin


Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
