Taiwanese chip designer Realtek has warned of four recent vulnerabilities in three SDKs for its WiFi modules. Realtek also published an advisory regarding those flaws, which affect almost 200 products made by multiple vendors.
The vulnerabilities, according to Realtek’s advisory, allow an attacker remote access without authentication.
The flaws can also lead to denial of service, device crashes, arbitrary command injection, and ultimately complete control of the device at its highest privilege level. Conservatively, according to the advisory, almost a million vulnerable devices may be in use, including VoIP devices, wireless routers, repeaters, IP cameras, and smart lighting controls, and possibly any WiFi-connected device built on that chip design.
The list of hardware manufacturers affected by Realtek’s vulnerabilities includes ASUS, Belkin, D-Link, Edimax, Logitech, Netgear, ZTE, and more. After IoT Inspector reported the flaws, Realtek responded immediately and provided patches for the affected WiFi modules.
IoT Inspector Research Lab, a security firm focused on IoT, disclosed the vulnerabilities in May. More than 65 hardware vendors use the Realtek RTL819xD module, which is widely used in wireless access points and ships with one of the vulnerable SDKs.
Those four CVEs are rated high and critical severity (CVSS scores of 8.1 for two of them and 9.8 for the other two). One requirement for exploiting these flaws is that the attacker must be on the same WiFi network as the targeted device. However, if the device is reachable over the internet, it is vulnerable from there as well.
As such, these security bugs could be exploited by malware on someone’s PC to hijack their cable internet router and smart home gear, to recruit public Wi-Fi access points, and so on. Ill-considered ISP configurations could also expose vulnerable devices directly to the Internet.
More details are available in the Realtek advisory, which lists these versions:
rtl819x-SDK-v3.2.x Series
rtl819x-SDK-v3.4.x Series
rtl819x-SDK-v3.4T Series
rtl819x-SDK-v3.4T-CT Series
rtl819x-eCos-v1.5.x Series
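The advisory gives the affected SDKs as version series rather than exact versions, so a defender checking an asset inventory needs to turn those series labels into matching rules. The following is an added example, not code from Realtek, IoT Inspector, or the original post: it compiles the five series above into patterns (treating the advisory's trailing "x" as "any numeric patch level", which is an assumption about its notation), picks the most specific series when one label is a prefix of another (v3.4T versus v3.4T-CT), and runs the check over a constructed inventory of firmware banner strings. The "RealTek/v1.3" string comes from the Shodan query quoted later on this page and is treated only as a "needs review" indicator, since a web-server banner by itself does not identify the SDK series.

```python
import re
from typing import Dict, List, Optional

# SDK series named in the Realtek advisory, as listed on this page. The
# trailing "x" is the advisory's own wildcard for "any patch level in the series".
AFFECTED_SERIES: List[str] = [
    "rtl819x-SDK-v3.2.x",
    "rtl819x-SDK-v3.4.x",
    "rtl819x-SDK-v3.4T",
    "rtl819x-SDK-v3.4T-CT",
    "rtl819x-eCos-v1.5.x",
]

# Banner fragment used in the Shodan query quoted on this page. Treated here as
# a "needs review" indicator only, because a web-server banner alone does not
# prove which SDK series a device was built from.
SERVER_BANNER_INDICATOR = "RealTek/v1.3"


def series_to_regex(series: str) -> "re.Pattern[str]":
    """Compile an advisory series label into a regex over firmware banner text.

    Assumption: a trailing ".x" stands for one numeric patch level (v3.4.x
    matches v3.4.0, v3.4.11, ...). The pattern ends at a word boundary so that
    "v3.4.x" does not match "v3.4T"; the v3.4T / v3.4T-CT overlap is resolved
    by preferring the longest match in match_affected_series().
    """
    pieces = []
    for token in re.split(r"(\.x)$", series):
        pieces.append(r"\.\d+" if token == ".x" else re.escape(token))
    return re.compile("".join(pieces) + r"\b", re.IGNORECASE)


_PATTERNS: Dict[str, "re.Pattern[str]"] = {s: series_to_regex(s) for s in AFFECTED_SERIES}


def match_affected_series(banner: str) -> Optional[str]:
    """Return the most specific affected series label found in a banner, or None.

    Several labels can match the same banner (v3.4T is a prefix of v3.4T-CT);
    the longest matched text wins so the more specific series is reported.
    """
    hits = []
    for label, pattern in _PATTERNS.items():
        found = pattern.search(banner)
        if found:
            hits.append((len(found.group(0)), label))
    return max(hits)[1] if hits else None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each (host, banner) pair as affected, needing review, or no match."""
    findings: Dict[str, str] = {}
    for host, banner in inventory.items():
        series = match_affected_series(banner)
        if series is not None:
            findings[host] = f"affected: {series}"
        elif SERVER_BANNER_INDICATOR.lower() in banner.lower():
            findings[host] = f"review: {SERVER_BANNER_INDICATOR} banner, SDK series unknown"
        else:
            findings[host] = "no match"
    return findings


# Constructed sample inventory: hostnames and banner strings are made up for
# this example and do not describe observed devices.
CONSTRUCTED_INVENTORY: Dict[str, str] = {
    "ap-lobby-01":   "rtl819x-SDK-v3.4.11 (build 2019-03)",
    "ap-lobby-02":   "RTL819X-SDK-V3.4T-CT",
    "router-lab-03": "rtl819x-SDK-v3.4T",
    "cam-dock-07":   "rtl819x-eCos-v1.5.3",
    "router-lab-04": "rtl819x-SDK-v3.6.0",      # later series, not in the advisory list
    "ap-guest-05":   "Server: RealTek/v1.3",    # only the web-server banner is visible
    "printer-02":    "generic-httpd/2.0",       # unrelated device
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(CONSTRUCTED_INVENTORY).items():
        print(f"{host:14} {verdict}")
```

In practice the banner strings would come from your own inventory or scan data rather than the constructed dictionary; the "review" verdict is deliberately separate from "affected" so that hosts identified only by a web-server header are confirmed against the vendor's firmware notes before being counted as vulnerable.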
As recognition of supply chain transparency grows in the security industry, this case is a good showcase of the widespread implications of an obscure IoT supply chain.
In recent supply chain attacks such as Kaseya or SolarWinds, attackers went to great lengths to infiltrate the vendor’s release processes and plant covert backdoors in product updates.
This time, the flaws are far less sophisticated and apparently more common, and they could have been prevented by better cyber hygiene.
To identify devices affected by these vulnerabilities, I rely on the famous “IoT Google search engine” — Shodan. According to the advisory, the vulnerability exists in version 1.3 of the SDK, but older versions might also be affected.
Screenshot by the author: a simple Shodan search, “https://www.shodan.io/search?query=RealTek%2Fv1.3”
Shodan exposes the model name, number, and description in its “product” field. Therefore, a Shodan search can retrieve all vendors and model names exposed over the Internet that are built on the vulnerable Realtek SDK.
It’s worth noting that if a device does not show up in the search, that only means it is not exposed to the Internet directly. It is still susceptible to attacks over the local network if it uses the vulnerable component.
Even once the patch is released, a wide range of devices will remain unpatched, as is the case for public WiFi services such as coffee shops and restaurants.
Moreover, patching an IoT device is not like patching your computer. Realtek releasing the patches does not imply that product vendors follow; ASUS, say, may not be able to come up with a patch for an affected router, or at least not as quickly. Needless to say, multiple vendors are involved, with a wide range of products in use.
It is perhaps worth adding that anyone can find affected hardware using the Shodan search engine, which means hackers can do the same.
Learning from these mistakes, hardware vendors should recognise the importance of maintaining a better SDLC with security embedded, not bolted on. The more significant question, though, is how to push for substantive changes — and implement adequate protection — as more and more of these vulnerabilities pile up.
Thank you for reading. May InfoSec be with you🖖.