Delayed attacks against Realtek chips you’ll find everywhere
8/02/2023 Podcast
In this podcast episode, Felix delves into delayed attacks against Realtek chips that are found in all sorts of devices. The vulnerabilities were disclosed back in August 2021 after research by a team at ONEKEY (then IoT Inspector). Roughly a year later, Unit 42 at Palo Alto Networks found evidence of attacks that began around August 2022. The flaws sit in the software development kit (SDK) that Realtek ships with the chips and that device makers build into their firmware, so a single bug is inherited by every product built on it. Four distinct vulnerabilities were identified, each with its own Common Vulnerabilities and Exposures (CVE) ID. The most severe carries a CVSS score of 9.8, marking it as critical.
The scale of the issue is substantial: approximately 190 device models from 66 different manufacturers are affected, which shows how far one vulnerable SDK travels through the supply chain. The affected products include routers, small travel routers, and wireless access points. The vulnerabilities sit in three components of the SDK: WiFi Simple Config, the MP Daemon, and the management web interface.
One particularly concerning aspect is that Unit 42 has already observed a staggering 154 million attack attempts leveraging these vulnerabilities. Even that number is likely an undercount, since only the traffic that reaches Unit 42's telemetry shows up in the logs and many affected devices are never seen at all.
An intriguing point Felix brings up is that the largest share of these attacks, approximately 48.3%, is sourced from IP addresses in the United States. This defies the stereotype that cyber attacks mostly come from ideologically opposed countries like Russia, China, or North Korea. The source IP is simply where the attacking infrastructure sits: attackers routinely rent or compromise servers and devices located in the United States to launch their attacks, so the geolocation of the source says little about who is actually behind them, which makes reliable attribution to a specific country difficult.
Felix emphasizes the importance of updating firmware on devices to protect against these vulnerabilities. Updating alone does not guarantee protection, however: the fix only arrives if the device manufacturer has rebuilt its firmware on a patched version of the Realtek SDK and actually shipped that update. Sadly, many users neglect firmware updates anyway, either because the process is cumbersome or out of fear of bricking their devices.
Additionally, identifying whether one's devices are affected by these vulnerabilities can be a daunting task. Manufacturers or large-scale implementers may have access to a Software Bill of Materials (SBOM) that lists the components used in their products, including the SDK and its version. With that information they can connect the dots between a CVE in the SDK and the specific firmware images and device models that contain it. Regular consumers and most IT departments have no such list, so for them it is much harder to determine whether these chips, and the vulnerable SDK components, are present in their devices.
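As an added illustration of the SBOM-driven check described above (this is example code written for this page, not a tool from the podcast, ONEKEY or Unit 42): the script walks a CycloneDX-style SBOM for one firmware image and flags components that look like the affected Realtek SDK pieces. The sample SBOM is constructed inline, and the component names (`rtl819x-sdk`, `wscd`, `mpdaemon`) and the "fixed in" SDK version used as the cut-off are assumptions for the example; in practice both come from the vendor advisory and the vendor's own SBOM.

```python
"""Flag Realtek SDK components in a CycloneDX-style SBOM.

Example code for this page. The SBOM below is constructed for the example,
and the component names and version cut-off on the watch list are
assumptions, not values taken from any real advisory or vendor SBOM.
"""
import json
import re

# Constructed SBOM standing in for what a manufacturer or integrator might
# hold for a single router firmware image. Only the fields the script uses
# are filled in.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "travel-router-fw", "version": "2.1.7"}},
    "components": [
        {"type": "library", "name": "rtl819x-sdk", "version": "3.4.11",
         "supplier": {"name": "Realtek"}},
        {"type": "application", "name": "wscd", "version": "1.0",
         "description": "WiFi Simple Config daemon"},
        {"type": "application", "name": "mpdaemon", "version": "1.0",
         "description": "MP Daemon diagnostic tool"},
        {"type": "library", "name": "openssl", "version": "1.1.1t"},
    ],
})


def _older_than(fixed: str):
    """Return a predicate that is true for dotted versions below `fixed`.

    Versions that cannot be parsed are treated as unknown and flagged, since
    silently passing them would hide exactly the case an auditor cares about.
    """
    fixed_t = tuple(int(p) for p in fixed.split("."))

    def pred(version: str) -> bool:
        try:
            v = tuple(int(p) for p in version.split("."))
        except ValueError:
            return True
        return v < fixed_t

    return pred


# (name pattern, predicate on version). The SDK cut-off "3.4.15" is an
# assumed placeholder; the two daemons are flagged whenever they are present,
# because their mere presence means the affected subsystems are built in.
WATCH_LIST = [
    (re.compile(r"rtl819x[-_]?sdk", re.I), _older_than("3.4.15")),
    (re.compile(r"^wscd$", re.I), lambda _v: True),
    (re.compile(r"^mpdaemon$", re.I), lambda _v: True),
]


def find_suspect_components(sbom_json: str) -> list:
    """Return (name, version) pairs from the SBOM that match the watch list."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "")
        version = comp.get("version", "")
        for pattern, is_affected in WATCH_LIST:
            if pattern.search(name) and is_affected(version):
                hits.append((name, version))
                break  # one report per component is enough
    return hits


def firmware_identity(sbom_json: str) -> str:
    """Return 'name version' of the firmware image the SBOM describes."""
    meta = json.loads(sbom_json).get("metadata", {}).get("component", {})
    return f"{meta.get('name', '?')} {meta.get('version', '?')}"


if __name__ == "__main__":
    fw = firmware_identity(SAMPLE_SBOM)
    for name, version in find_suspect_components(SAMPLE_SBOM):
        print(f"{fw}: suspect component {name} {version}")
```

Run across every firmware SBOM an integrator holds, the output is the list of models that need a rebuilt image; the same script reports nothing for an SBOM whose SDK entry is at or above the cut-off, which is the check a vendor would want before declaring a model fixed.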
Felix highlights that vulnerability scans, and keeping an eye on vendor mailing lists and security announcement feeds, can offer some insight into whether one's own devices are exposed. Still, both require technical expertise and proactivity, which keeps many users from taking these measures.
Felix concludes by urging manufacturers and organizations to prioritize security throughout the development life cycle, conduct rigorous testing, and provide timely patches and updates. Better security practices, clearer communication about which products are affected, and a culture of accountability would shorten the window in which delayed attacks like these can succeed and bolster security across the Internet of Things ecosystem.