A security firm called Embedi recently revealed critical vulnerabilities in the ThreadX real-time operating system firmware used in Marvell 88W8897A, a Wi-Fi system-on-chip (SoC), seen in everything from laptops to consoles.
Embedi called special attention to one flaw that “provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network).” This would allow attackers to compromise a device that has just been turned on, Embedi said, before its owner even had a chance to realize they were being targeted.
As if that’s not bad enough news, it gets worse:
- The hack doesn’t require any user interaction.
- It can be triggered every 5 minutes in case of GNU/Linux operating system.
- It doesn’t require the knowledge of a Wi-Fi network name or passphrase/key.
- It can be triggered even when a device isn’t connected to any Wi-Fi network, just powered on.
Sounds fun, right? Well, we haven’t even gotten to the fun part yet. Embedi said the flaw was discovered in firmware used by Marvell’s Avastar Wi-Fi SoC products. Embedi said those products are used in Samsung Chromebooks, Microsoft Surface products, Xbox One and PlayStation 4 consoles and other devices, (including Valve’s Steam Link hardware, which is what this exploit was demonstrated on, but that device was discontinued in 2018).
This isn’t a great look for Marvell and its customers. But the reality is that exploits like this are probably going to be found continuously where wireless connections are used. Being able to experience the magic of beaming information through the air—at least when the Wi-Fi is actually working—means exposing yourself to potential attack. Even if there’s always going to be some risk, though, research like this is vital because it can help mitigate it.
More information about Embedi’s discovery is available on its blog.
Marvell, Samsung, Microsoft, Sony and Valve have yet to respond to the security company’s findings. Hopefully that’s because they’re busy tightening up their security and not because they know that people won’t stop using Wi-Fi any time soon. What are we supposed to do, use up all of our monthly cellular data or find an Ethernet dongle for every device we own? Please.