A new set of significant vulnerabilities in the Realtek RTL8170C Wi-Fi module has been disclosed. These flaws allow an attacker to exploit and therefore gain elevated privileges on a device.
Security researchers from Israeli IoT security firm Vdoo said in a write-up that “Successful exploitation would lead to complete control of the Wi-Fi module and potential root access on the OS (such as Linux or Android) of the embedded device that uses this module”.
The Realtek RTL8710C Wi-Fi SoC serves as the foundation for Ameba, an Arduino-compatible programmable platform with peripheral interfaces for developing a variety of IoT applications through devices in the agriculture, automotive, energy, healthcare, industrial, security, and smart home sectors.
The vulnerabilities affect all embedded and IoT devices that use the component to connect to Wi-Fi networks. An attacker would need to be on the same Wi-Fi network as the devices using the RTL8710C module or know the network’s pre-shared key (PSK), that is a cryptographic secret used to authenticate wireless clients on local area networks.
Wi-Fi module can be hacked without knowing the Router’s password
The findings follow an earlier investigation in February that discovered similar vulnerabilities in the Realtek RTL8195A Wi-Fi module. The most serious vulnerability is a buffer overflow (CVE-2020-9395) that allows an attacker in close proximity to an RTL8195 module to completely hijack the module without knowing the Wi-Fi network password.
Similarly, the WPA2 four-way handshake mechanism of the RTL8170C Wi-Fi module is vulnerable to two stack-based buffer overflow vulnerabilities (CVE-2020-27301 and CVE-2020-27302, CVSS scores: 8.0) that exploit the attacker’s knowledge of the PSK to gain remote code execution on WPA2 clients using this Wi-Fi module.
The researchers demonstrated a proof-of-concept exploit in which the attacker impersonates a valid access point and delivers a malicious encrypted Group Temporal Key (GTK) to any client (called a supplicant) that connects to it via the WPA2 protocol as a possible real-world attack scenario. To protect all multicast and broadcast traffic, a group temporal key is used.
According to Vdoo, there are no known attacks that exploit the vulnerabilities, and firmware versions released after January 11, 2021, provide workarounds that address the vulnerability.
The company highly recommends using a strong, private WPA2 passphrase to prevent exploitation of the above flaws in scenarios where the device’s firmware cannot be updated.