Security research firm Embedi has published a report about severe security vulnerabilities it has found in several Wi-Fi controller chips used by billions of the world’s most popular Wi-Fi-enabled products. These include the Microsoft Xbox One, Sony PlayStation 4, and some laptop and smartphone models as well as several routers, embedded devices, and network access hardware. The bugs in question allow malicious attackers to force Wi-Fi-enabled devices to execute arbitrary code simply by being turned on, without requiring any action on the part of the device owner or user. The attack is triggered whenever an affected device searches for available Wi-Fi networks, which is something that is set to happen automatically and repeatedly.
The root of the problem lies in a real-time operating system called ThreadX, which is used as the embedded firmware for many Wi-Fi controllers including the popular Marvell Avastar family used as the subject of Embedi’s research. There are four vulnerabilities in total, which exploit a memory corruption bug referred to as a “block pool overflow” in order to introduce the malicious code onto a device.
One of these bugs is specific to the widely used Marvell Avastar 88W8897 Wi-Fi controller, but the others can affect any device based on ThreadX using the same techniques According to Embedi researcher Denis Selianin, who wrote the report, the vulnerabilities were disclosed to Marvell in early May 2018. He presented his findings and a proof of concept at the Zero Nights security conference in late November 2018 and has only just published all his research, including a video showing the attack in progress.