A SECURITY RESEARCHER has discovered a vulnerability in ThreadX – a real-time operating system that’s used as firmware in the WiFi chipset on billions of devices, from your Xbox One to your smartphone.
Denis Selianin of Embedi has published a detailed report explaining exactly how bad the exploit could be. This is down not just to the sheer number of affected devices, but the trivial nature of an attack.
For the purpose of his report, Selianin was working with the Marvell Avastar 88W8897, mainly because it’s an extremely popular chipset found in everything from the Xbox One and PlayStation 4, all the way to Samsung Chromebooks and Microsoft Surface laptops. Though for the purposes of this, he used Valve’s recently discontinued Steam Link thanks to its lack of DRM.
“I’ve managed to identify ~4 total memory corruption issues in some parts of the firmware,” Selianin told ZDNet. “One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks.”
This version of the nightmare is thanks to the firmware directing the chip to scan for new WiFi networks every five minutes. An attacker would just need to send corrupt packets to the device to execute malicious code and have control of the device.
“That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network),” Selianin added.
Selianin explained that he had found two ways of taking advantage of this loophole, and while one was unique to the Marvell chipset, another would work with any ThreadX-based firmware. That’s a big deal, as ThreadX claims to have over 6.2 billion deployments worldwide.
For those with the technical know-how, you can read the full detailed report here, or watch the exploit being executed in the video below.
What you won’t find is proof-of-concept code, for obvious reasons: Selianin doesn’t want 6.2 billion devices to suddenly be up for grabs. Hopefully patches will be incoming soon, though with such a range of diverse devices running ThreadX, a timeline is hard to pinpoint. µ
Source : Inquirer