Wi-Fi Firmware Security Bug Could Affect Billions of Game Consoles, Laptops & More


  • The security vulnerability was discovered by research firm Embedi
  • Billions of Wi-Fi-enabled devices are potentially affected
  • An attacker would need to be in physical proximity of a target device

Security research firm Embedi has published a report about severe security vulnerabilities it has found in several Wi-Fi controller chips used by billions of the world’s most popular Wi-Fi-enabled products. These include the Microsoft Xbox One, Sony PlayStation 4, and some laptop and smartphone models as well as several routers, embedded devices, and network access hardware. The bugs in question allow attackers to force Wi-Fi-enabled devices to execute arbitrary code as long as the devices are simply turned on, without requiring any action on the part of the device owner or user. The attack is triggered whenever an affected device searches for available Wi-Fi networks, which is something that is set to happen automatically and repeatedly.

The root of the problem lies in a real-time operating system called ThreadX, which is used as the embedded firmware for many Wi-Fi controllers including the popular Marvell Avastar family used as the subject of Embedi’s research. There are four vulnerabilities in total, which exploit a memory corruption bug referred to as a “block pool overflow” in order to introduce the malicious code onto a device.

One of these bugs is specific to the widely used Marvell Avastar 88W8897 Wi-Fi controller, but the others can affect any device based on ThreadX using the same techniques. Embedi cites ThreadX’s own website as the source of its statement that over six billion devices have been deployed running this firmware.

Because affected Wi-Fi devices are set to scan for new networks every five minutes, regardless of whether or not they are already connected to a Wi-Fi network, this bug “provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection”, according to the published report. Once malicious code is introduced onto the Wi-Fi controller, other techniques could be used to send data to the device’s application processor.

A hypothetical attacker would not need to know a target’s Wi-Fi SSID name or password, and the target device only needs to be turned on. The attacker would need to broadcast the malicious packets from within physical range of the target device, though.

Embedi tested the vulnerabilities using a Valve Steam Link game streaming device, which is based on the GNU/Linux operating system and features an ARM SoC and the affected Marvell Wi-Fi controller. This device was chosen because it allowed for research tools to run without breaking DRM restrictions.


A Twitter Bug Left Android Users’ Private Tweets Exposed For 4 Years

Twitter just admitted that the social network accidentally revealed some Android users’ protected tweets to the public for more than 4 years — a kind of privacy blunder that you’d typically expect from Facebook.

When you sign up for Twitter, all your Tweets are public by default, allowing anyone to view and interact with your Tweets. Fortunately, Twitter also gives you control of your information, allowing you to choose if you want to keep your Tweets protected.

Enabling the “Protect your Tweets” setting makes your tweets private, and you’ll receive a request whenever new people want to follow you, which you can approve or deny. It’s similar to private Facebook updates that limit your information to your friends only.

In a post on its Help Center on Thursday, Twitter disclosed that a privacy bug dating back to November 3, 2014, potentially caused the Twitter for Android app to disable the “Protect your Tweets” setting for users without their knowledge, making their private tweets visible to the public.

The bug only got triggered for those Android users who made changes to their Twitter account settings, such as changing their email address or phone number associated with their account, using the Android app between November 3, 2014, and January 14, 2019.

“We recognize and appreciate the trust you place in us and are committed to earning that trust every day,” Twitter said in its statement. “We’re very sorry this happened, and we’re conducting a full review to help prevent this from happening again.”

Apparently, on January 14, 2019, Twitter rolled out an update for its Android application to fix the programming blunder.

Although Twitter did not specify exactly how many Android users were affected by this issue, 4 years is a long time, and it’s likely that most users have changed their account settings at least once in that period.

Twitter said the company has reached out to users it knows have been affected by the privacy bug.