Critical Exploit in MediaTek Wi-Fi Chipsets: Zero-Click Vulnerability

122 points, posted 12 hours ago
by pjf

32 Comments

mmsc

3 hours ago

Can the OP's link be changed to the original source, not the advertisement it currently links to? The exploit is documented https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-20...

armada651

an hour ago

I don't think that link is necessarily better just because it's the original source. The linked article gives a concise overview, while the blog post spends the first paragraph talking about moving and starting a new job.

mmsc

an hour ago

In general, I would wager that HN prefers intellectual curiosity over overviews. Submission guidelines imply that by stating "Please submit the original source. If a post reports on something found on another site, submit the latter."

Namidairo

7 hours ago

Not too surprising given what I've seen of their vendor SDK driver source code, compared to mt76. (Messy would be a kind assessment.)

Unfortunately, there are also some running aftermarket firmware builds with the vendor driver, due to it having an edge in throughput over mt76.

Mediatek and their WiSoC division luckily have a few engineers that are enthusiastic about engaging with the FOSS community, while also maintaining their own little OpenWrt fork running mt76.[1]

[1] https://git01.mediatek.com/plugins/gitiles/openwrt/feeds/mtk...

dylan604

5 hours ago

Why is it that so much of this hardware/firmware feels like deploying a PoC to production? Why can't they hire someone that actually knows what they are doing?

jdietrich

an hour ago

The consumer space is brutally competitive - you're working on tight margins and designs become obsolete very quickly. MediaTek's business is built on selling chips with the latest features at the lowest possible price. Everything has to be done at a breakneck pace that is dictated by the silicon. You start writing firmware as soon as the hardware design is finalised; it needs to be ready as soon as the chips are ready to ship. These conditions are not at all suited to good software engineering.

In an ideal world, consumers would be happy to pay a premium for a device that's a generation behind in terms of features but has really good firmware. In the real world, only Apple have the kind of brand and market power to even attempt that.

ta988

4 hours ago

Because you have to over pay all those executives and shareholders.

fragmede

2 hours ago

Hardware companies are bad at making software, and the corollary, software companies are bad at making hardware.

perching_aix

an hour ago

I feel like there's an opportunity for a joke here somewhere along the lines of hardware companies being really terrible at writing software, while software companies being just a normal amount of terrible at writing software.

a_dabbler

an hour ago

A few attempts with ChatGPT managed it: "Hardware companies writing software is like watching a train wreck in slow motion. Software companies? They just crash at regular speed."

therein

2 hours ago

In the middle you have Apple that is getting better at making certain kinds of hardware, worse at some hardware and definitely worse in software.

molticrystal

6 hours ago

Are there any news releases or other information about that program, such as their goals, how much of the feed is merged upstream, etc.?

hunter-gatherer

7 hours ago

userbinator

6 hours ago

The wappd service is primarily used to configure and coordinate the operations of wireless interfaces and access points using Hotspot 2.0 and related technologies. The structure of the application is a bit complex but it’s essentially composed of this network service, a set of local services which interact with the wireless interfaces on the device, and communication channels between the various components, using Unix domain sockets.

On the bright side, it doesn't sound like this is in baseband firmware but instead in a "value add" service that isn't 100% necessary to the functioning of the WNIC itself.

This reminds me of how some devices come with driver packages that include not just the actual driver software that's usually tiny and unobtrusive, but several orders of magnitude larger bloatware for features that 99% of users don't need nor want. Printers and GPUs are particularly guilty of this.

dvh

an hour ago

> The structure of the application is a bit complex

I've done some Android development so let me translate that for you: "layers upon layers of dog shit APIs"

kam

7 hours ago

They say that OpenWrt 19.07 and 21.02 are affected, but as far as I can tell, official builds of OpenWrt only use the mt76 driver and not the Mediatek SDK.

RedShift1

3 hours ago

I've been buying laptops with AMD CPUs, but they always come with these trash MediaTek RZ616 Wi-Fi cards. Why is that? I've been replacing them with Intel Wi-Fi cards; now I have a pile of RZ616 cards ready to become future microplastics :-(

zokier

35 minutes ago

iwlwifi has its own set of problems, the biggest being no AP mode (on 5 GHz). Also, Intel's firmware license is more restrictive than MediaTek's, and being FullMAC, the firmware does a lot more of the heavy lifting; I personally prefer SoftMAC. There simply aren't that many great options out there; gone are the golden days of ath9k.

1oooqooq

7 hours ago

I still cannot fathom why, in this day and age where people buy any silicon that's available, these C-tier vendors don't adopt the PC strategy and completely open their firmware to the open source community.

userbinator

7 hours ago

FCC regulations around not making it easy to transmit outside of the licensed band tend to cause this.

vlovich123

7 hours ago

Making the code available doesn’t necessarily mean that you can actually flash the image since it can be cryptographically locked down. Or even you support flashing but only let you do certain trusted operations from a signed image.

fn-mote

6 hours ago

I feel like I'm missing something here.

Honestly, if you can't update the firmware you're in the same situation... knowing that you have a critical vulnerability and unable to fix it.

Enforcing trusted operations is definitely more work than they are going to do (if it's even possible to "do this right").

In a semi-ideal world, I would look for a vendor that permits only certain ops from a flashed image and hope that their crappy "restriction enforcing" code is also riddled with vulnerabilities so it's really just "follow the rules please".

xtanx

2 hours ago

I would like to remind people of the 2016 Adups backdoor:

> According to Kryptowire, Adups engineers would have been able to collect data such as SMS messages, call logs, contact lists, geo-location data, IMSI and IMEI identifiers, and would have been able to forcibly install other apps or execute root commands on all devices.

https://www.bleepingcomputer.com/news/security/android-adups...

phh

43 minutes ago

How is this relevant?

usr1106

4 hours ago

IIRC my phone uses a MediaTek chipset. And I vaguely remember the vendor has moved away from MediaTek since because of the ahem quality of those products...

No idea how WiFi is done on a phone though. Is there a way to find out whether the phone is affected? I hardly ever use WiFi because I have unlimited cellular data and good coverage, but would still be good to know.

shadowpho

8 hours ago

An exploit is hard to distinguish from a back door here.

saagarjha

7 hours ago

Posting claims of it being such is pretty easy, though.

pixl97

7 hours ago

There is a better middle ground here by saying the company that made it may not have known, but nation state threat actors most likely do.

When you see actors at this level set up manufacturing thousands of explosive filled devices at very high production quality, inserting some compromised things like printers or routers in a company network wouldn't be and shouldn't be a surprise.

hedora

5 hours ago

If the nation state actors did intentionally backdoor it, then they would have wanted to make it look like incompetence. Here’s a link to the Simple Sabotage Field Manual from the US. It worked well in occupied Europe during WWII:

https://archive.org/details/SimpleSabotageFieldManual