Security research firm Embedi has published a report about severe security vulnerabilities it has found in several Wi-Fi controller chips used by billions of the world's most popular Wi-Fi-enabled products. These include the Microsoft Xbox One, Sony PlayStation 4, and some laptop and smartphone models as well as several routers, embedded devices, and network access hardware. The bugs in question allow malicious attackers to force Wi-Fi-enabled devices to execute arbitrary code simply by being turned on, without requiring any action on the part of the device owner or user. The attack is triggered whenever an affected device searches for available Wi-Fi networks, which is something that is set to happen automatically and repeatedly.
The root of the problem lies in a real-time operating system called ThreadX, which is used as the embedded firmware for many Wi-Fi controllers including the popular Marvell Avastar family used as the subject of Embedi's research. There are four vulnerabilities in total, which exploit a memory corruption bug referred to as a “block pool overflow” in order to introduce the malicious code onto a device.
One of these bugs is specific to the widely used Marvell Avastar 88W8897 Wi-Fi controller, but the others can affect any device based on ThreadX using the same techniques. Embedi cites ThreadX's own website as the source of its statement that over six billion devices have been deployed running this firmware.
Because affected Wi-Fi devices are set to scan for new networks every five minutes, regardless of whether or not they are already connected to a Wi-Fi network, this bug “provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection”, according to the published report. Once malicious code is introduced onto the Wi-Fi controller, other techniques could be exploited to send data to the device's application processor.
A hypothetical attacker would not need to know a target's Wi-Fi SSID name or password, and the target device only needs to be turned on. The attacker would need to broadcast the malicious packets from within physical range of the target device, though.
Embedi tested the vulnerabilities using a Valve Steamlink game streaming device, which is based on the GNU/Linux operating system and features an ARM SoC and the affected Marvell Wi-Fi controller. This device was chosen because it allowed for research tools to run without breaking DRM restrictions.
According to Embedi researcher Denis Selianin, who wrote the report, the vulnerabilities were disclosed to Marvell in early May 2018. He presented his findings and a proof of concept at the Zero Nights security conference in late November 2018 and has only just published all his research, including a video showing the attack in progress. As of now, no fixes have been issued but according to the November presentation, work was in progress.