Posted on February 5, 2021 at 5:21 PM
Critical Flaws In Realtek Wi-Fi Module Expose Hundreds Of IoT Devices
Security researchers have found vulnerabilities in the Realtek RTL8195A Wi-Fi module that give threat actors control of the devices’ wireless communications.
Vdoo, an Israeli cybersecurity firm, discovered the vulnerabilities. According to the firm’s blog post, the affected module is a low-power Wi-Fi module that is targeted at embedded-device users in different sectors. These sectors include security, gaming, health care, smart home, energy, automotive, as well as agriculture.
The module utilizes Realtek’s “Ameba” API, which enables software developers to communicate through MQTT, mDNS, HTTP, and Wi-Fi.
While the bugs were only discovered on the RTL8195A module, the security researchers stated that they are also present in other module extensions, including RTL8710AF, RTL8711AF, and RTL8711AM.
However, Realtek released the update for the Ameba Arduino 2.0.8, providing patches for all six vulnerabilities the researchers found. “An issue was discovered on Realtek devices before 2.0.6,” the firm stated.
Remote stack overflow is the most critical bug
The researchers gave a potential attack scenario, adding that a threat actor with the knowledge of the WPA2 Wi-Fi network passphrase can launch a successful attack on the devices.
They can set up a malicious AP by taking over the network’s Pairwise Transient Key (PTK) and SSID, and force the target to connect to the new AP.
Among the six vulnerabilities discovered by the researchers, the most critical is a remote stack overflow, which enables a threat actor to take control of an RTL8195 module. The attacker does not necessarily need the Wi-Fi network password (PSK), whether the module is acting as a client or as a Wi-Fi access point.
Additionally, two other flaws can be exploited without the password, while the three remaining bugs require the PSK of the network before they can be exploited.
The latest version of the module not affected
The researchers also stated that all the module versions built after April 21 last year are not impacted by the vulnerabilities. They also stated that the versions developed after March 2020 are safe from the most critical stack overflow exploits, but still need to be updated because of other flaws.
The patches for the affected Ameba SDK systems are also available on the Realtek website. Users who are not able to update the device’s firmware have been advised to prevent exploitation of the device by using a strong private WPA2 passphrase.
Hundreds of devices possibly affected
Founder and chief technology officer of Cortex Insight Stephen Kapp revealed that hundreds or more devices could be running vulnerable hardware modules, although this depends on the device functions.
He added that the likelihood of finding vulnerabilities in IoT devices is high compared to other systems. Because of this, it’s better to treat them as vulnerable and insecure by default and to build safeguards around them.
But the problem, according to Kapp, is the fact that there is no way the end-users can know if their devices need any update. As a result, the vendor must release an update that installs the fixed firmware on the device.
The most critical bugs in the Realtek 8195A module can be exploited without any knowledge of Wi-Fi passwords. They allow attackers to use affected devices to gain access to the networks containing them. As a result, it’s best to put network-level controls in place to reduce the risk of the device being used as a backdoor into a larger environment, Kapp added.
According to Kapp, the major culprit is the buffer overflow vulnerability (CVE-2020-9395), which allows an attacker in close proximity to exploit the RTL8195 module. The attacker can also stage a denial-of-service attack by taking advantage of the device vulnerabilities, which also allow the execution of arbitrary code.