Photo by Daniele Levis Pelusi on Unsplash Taiwanese chip designer Realtek has warned of four recent vulnerabilities in . Realtek also published an advisory regarding those flaws used in three SDKs in its WiFi modules almost 200 products made by multiple vendors. Also, the flaws can lead to service denial, device crashes, inject arbitrary commands, and finally gaining complete control of the device's highest level of privilege. The vulnerabilities, according to Realtek’s advisory , allow remote access without authentication by the attacker. Conservatively, according to the advisory, , including possibly any WiFi-connected devices with that chip design. almost a million vulnerable devices may be in use VoIP devices, wireless routers, repeaters, IP cameras, and smart lighting controls, The list of hardware manufacturers affected by Realtek’s vulnerabilities includes , and more. After IoT Inspector reported the flaws, Realtek immediately responded and provided appropriate patches for the respective WiFi module. ASUS, Belkin, D-Link, Edimax, Logitech, Netgear, ZTE Findings IoT Inspector Research Lab disclosed the vulnerabilities . More than 65 hardware vendors use the Realtek chip RTL819xD module, which is widely used for wireless access points and includes one of the vulnerable SDKs. , a security firm focused on IoT, in May Those four CVEs are rated as high and critical severity ( ). One requirement for these flaws is the attacker need to be on the same WiFi network as the targeted device. However, if the device can reach over the internet, it is also vulnerable. CVSS score of two 8.1 and two 9.8 accordingly (High — ‘WiFi Simple Config’ stack buffer overflow via UPnP) CVE-2021–35392 (High — ‘WiFi Simple Config’ heap buffer overflow via SSDP) CVE-2021–35393 (Critical — MP Daemon diagnostic tool command injection) CVE-2021–35394 (Critical — management web interface multiple vulnerabilities) CVE-2021–35395 As such, these security bugs are possibly to be exploited by malware on someone’s PC to hijack their cable internet router and smart home gear. It can also be used to recruit public Wi-Fi spots, and so on. Unstudied ISP configurations could also expose vulnerable devices directly to the Internet. Affected Versions More details are available in the Realtek , which lists these versions: advisory rtl819x-SDK-v3.2.x Series rtl819x-SDK-v3.4.x Series rtl819x-SDK-v3.4T Series rtl819x-SDK-v3.4T-CT Series rtl819x-eCos-v1.5.x Series Fixed Versions Realtek SDK branch 2.x: no longer supported by Realtek Realtek “Jungle” SDK: patches will be provided by Realtek and needs to be backported Realtek “Luna” SDK: version 1.3.2a contains fixes Key Takeaways — Not Another Sunburst Incident but Deadly As recognition for supply chain transparency is rising among the security industry, this example is a good showcase of the widespread implications of an obscure IoT supply chain. Unlike recent supply chain attacks such as or , attackers try all their effort to infiltrate the vendor’s release processes and place covert backdoors in product updates. Kaseya Solar Winds This time, apparently more common, and could be prevented by enforcing better Cyber Hygiene. these flaws are far less sophisticated, For Realtek: lacking secure software development practices, particularly insufficient security testing and code review, resulted in dozens of critical security issues remaining untouched in Realtek’s codebase ( ). for more than a decade from 2.x branch through “Jungle“ SDK to “Luna” SDK For product vendors: it is alarming that (a requirement to build Realtek SDK binaries for their platform). Which they missed verifying their supply chain left the issues unnoticed adequately. As a result, they spread the vulnerabilities to hundreds of thousands of end customers — manufacturers have access to the Realtek source code leaving millions of devices vulnerable to attacks. Supply chain attacks can go upstream, too. Without proper software development lifecycle practices, As a result, issues fixed in vendors’ product level do not feedback Realtek, thus exposing others. the problems previously identified by security researchers relying on the Realtek SDK did not link back to the root. Identifying Affected Vendors To identify devices affected by the vulnerabilities identified, I rely on the famous “IoT Google search engine”— . According to the advisory, the vulnerability exists in version 1.3 of the SDK, but older versions might also be affected. Shodan The Simple search of “ ” | Screenshot by the author https://www.shodan.io/search?query=RealTek%2Fv1.3 as the “product” aspect. Therefore, using Shodan can retrieve all vendors and model names exposed over the Internet based on the vulnerable Realtek SDK. Shodan exposes the model name, number, and description It’s worth noting that even a device does not respond to the search, only saying it is not vulnerable to the Internet directly. But it is still susceptible to attacks over the local network if it uses the vulnerable component. Final Words With the patch is released, there would still be a wide range of devices that remain unpatched — such as the case for public WiFi services, like coffee shops and restaurants. Moreover, patching an IoT is not like what you do on your computer. After Realtek released the patches, it doesn’t imply product vendors follow; Say ASUS may be able to come up with a patch for the affected router, or at least not as timely. Needless to say, there are multiple vendors involved, with a wide range of products in use. It is perhaps worth adding that , which means hackers can do the same. everyone can find affected hardware using the Shodan vulnerability search engine Learning from mistakes, hardware vendors should consider the importance of maintaining a better SDLC with security embedded, not bolted-on. The more significant question, though, is how to push substantive changes — and implement adequate protection— as more and more of these types of vulnerabilities pile up. Thank you for reading. May InfoSec be with you🖖. Also published here.

Crack Open the IoT Vulnerabilities of Realtek

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

108 Stories To Learn About Cybersecurity Tips

10 Ways to Mitigate Cybersecurity Risks and Prevent Data Theft

10 Tips For Securing Zoom Meetings

10 Things I Did To Increase CloudTrail Logs Security

10 Steps to Ensuring Cyber Security for a Small Business

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

108 Stories To Learn About Cybersecurity Tips

10 Ways to Mitigate Cybersecurity Risks and Prevent Data Theft

10 Tips For Securing Zoom Meetings

10 Things I Did To Increase CloudTrail Logs Security

10 Steps to Ensuring Cyber Security for a Small Business

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps