WiFi firmware security flaws expose Chromebooks and Microsoft Surface laptops
ThreadX RTOS running on 6.2 billion WiFi-enabled devices worldwide at risk of
Vulnerabilities in WiFi chipsets could expose as many as 6.2 billion mobile devices to attack.
The vulnerabilities have been attributed by the security researcher to configuration issues, rather than security flaws in ThreadX, the real-time operating system used in the firmware of the WiFi chipsets.
The flaws have been found by security researcher Denis Selianin of Embedi, a security consultancy focused on smart devices, which has published a report on the security threat. The findings were also demonstrated at the ZeroNights security event in St Petersburg, Russia in November last year.
The research focused on the widely used Marvell Avastar 88W8897 WiFi chipset, which can be found in the Microsoft Surface and Samsung Chromebooks, as well as the Sony PlayStation 4, Microsoft Xbox One and Valve Software's now discontinued SteamLink.
Because the SteamLink is open source, Selianin used it as the basis for his research, uncovering four security flaws in the process.
The most interesting bug, he claimed, is the one that can be triggered when the chip makes a routine scan for available wireless networks - every five minutes in the case of Marvell WiFi chipsets.
There is no authentication routine: an attacker doesn't need to know which network name or SSID the device is connected to, and the bug can be triggered whether a target is connected to a network or not. It does not even require any user interaction. An attacker would simply need to send corrupt packets to the device to execute malicious code and take control of it.
To demonstrate the threat, Selianin also claimed that he had written two methods for exploiting this particular security flaw, although he has not released the proof-of-concept code. While ThreadX is closed source, a number of leaked copies of earlier versions of the ThreadX code are available online.
While Selianin's research focused on the Marvell Avastar WiFi chipset, other research has highlighted security flaws in other WiFi chipsets from rivals such as Broadcom.
Edited 22 January 2019: An earlier version of this story suggested that the bug was in ThreadX, rather than Marvell's implementation of ThreadX.