Security Researchers Discover Vulnerabilities in Popular Realtek Wi-Fi Module

Security researchers have identified a few vulnerabilities in the Realtek RTL8195A Wi-Fi module that would allow attackers to gain remote root access. The good news is that Realtek has already issued patches for the affected devices.

IoT devices communicate online through a dedicated module, such as the Realtek RTL8195A. It’s a dedicated solution for low-power devices, and it’s implemented by many major companies, such as ARM, Google, Amazon, and others. Because the module is so widespread, the vulnerabilities affecting these devices can do great harm if exploited.

The module communicates via various protocols, such as Wi-Fi, HTTP, MQTT and others, supporting WEP, WPA and WPA2 authentication modes. Security researchers from Vdoo have discovered that the WPA2 handshake mechanism had a number of vulnerabilities.

“In our security assessment, we have discovered that the WPA2 handshake mechanism is vulnerable to various stack overflow and read out-of-bounds issues,” said the researchers.

“The most severe issue we discovered is VD-1406, a remote stack overflow that allows an attacker in the proximity of an RTL8195 module to completely take over the module, without knowing the Wi-Fi network password (PSK) and regardless of whether the module is acting as a Wi-Fi access point or client.”

The VD-1407 and VD-1411 vulnerabilities can be exploited without knowledge of the security key. The researchers also explained that “VD-1408, VD-1409 and VD-1410 require the attacker to know the network’s PSK as a prerequisite for the attack.”

While the team looked at the RTL8195A, they believe that the same problems affect RTL8711AM, RTL8711AF and RTL8710AF. Also, any chip built after April 21, 2020, is already patched against all vulnerabilities. Finally, one way for users to mitigate some of the problems (VD-1408, VD-1409 and VD-1410) in the absence of a patch is to use a strong WPA2 passphrase.
