
Huawei Permitted Only For 5G Trials so Far: DoT Secretary

Telecom Secretary Aruna Sundararajan on Tuesday said the Indian government has allowed the company only to carry out trials for 5G connectivity as of now.

Amid reports of Chinese technology major Huawei being banned in several countries, including the US, on security concerns, Telecom Secretary Aruna Sundararajan on Tuesday said the Indian government has allowed the company only to carry out trials for 5G connectivity as of now. Speaking to reporters here on the sidelines of a workshop on Internet of Things (IoT) and Machine-to-Machine (M2M) technology, Sundararajan clarified that the government would put the necessary safeguards in place before allowing companies to deploy 5G connectivity and access the core networks.

“We have asked…or rather Huawei has applied to us for participating in the trials, that is different from deployment,” she said. The secretary said that the Department of Telecommunications (DoT) would like to utilise the opportunity to understand Huawei’s architecture and to what extent it would comply with the networks in India.

“We will be putting in place necessary safeguards. We will be putting in place all necessary safeguards before allowing any access to the core networks.” Along with the US, Canada and the UK, some other European countries have raised concerns over snooping by the Chinese major. Local equipment manufacturers have also urged the government to stop the procurement of Huawei products for public sector projects.
Last week, Union Communications Minister Manoj Sinha told Rajya Sabha there is no proposal yet to ban the company in the country.


Vulnerabilities Found in Highly Popular Firmware for WiFi Chips

WiFi chip firmware in a variety of devices used mainly for gaming, personal computing, and communication comes with multiple issues. At least some of them could be exploited to run arbitrary code remotely without requiring user interaction.

The security flaws were discovered in Marvell Avastar 88W8897 SoC (Wi-Fi + Bluetooth + NFC), present in Sony PlayStation 4 (and its Pro variant), Microsoft Surface (+Pro) tablet and laptop, Xbox One, Samsung Chromebook and smartphones (Galaxy J1), and Valve SteamLink.

Marvell’s firmware for the module is based on ThreadX, a real-time operating system (RTOS) developed by Express Logic. The source code for the RTOS is available when purchasing a license.

The vendor claims on its website that ThreadX has over 6.2 billion deployments, making it one of the most widely deployed pieces of software behind Wi-Fi chips.

WiFi chip initialization process

A WiFi chip is typically initialized by a driver from the manufacturer that loads the firmware image during the startup routine.

With Marvell’s wireless system-on-chip (SoC), several Linux kernel drivers are in use: ‘mwifiex’ (source available in the official Linux repository), and ‘mlan’ and ‘mlinux’, whose sources are available in the official steamlink-sdk repo.

Both driver families include debug capabilities that allow reading from and writing to the WiFi module’s memory.

Controlling memory block allocation

One of the vulnerabilities discovered in the firmware is a block pool overflow that could be triggered when the chip is scanning for available networks, a process that starts every five minutes, even if the device is already connected to a WiFi network; knowledge of the WiFi name or the access password is irrelevant.

“That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network). For example, one can do RCE [remote code execution] in just powered-on Samsung Chromebook,” says Denis Selianin, researcher at Embedi, a company specialized in the security of embedded devices.

In a report released today by the company, Selianin describes two methods of exploitation: one that works on any ThreadX-based firmware if certain conditions are met, and another specific to Marvell’s implementation of the firmware on its modules; combining the two methods leads to reliable exploitation, the researcher says.

In the generic case, an attacker can overwrite the pointer to the next free block of memory and control the location for allocating the next block.

“By controlling the location of next block allocation, an attacker can place this block to the place where some critical runtime structures or pointers are, thus achieving an attacker’s code execution,” Selianin explains.

Exploiting the bug on Marvell’s Avastar SoC involved reverse engineering wrapper functions for memory management routines. This works if the next block is occupied.

The functions place at the beginning of each ThreadX block a metadata header containing special pointers that are called before the block is freed. This information is sufficient to allow code execution on a wireless SoC.
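The generic case described above comes down to one trust decision: a pool allocator follows the free-list link stored at the head of each block, so a data overflow that reaches the next block’s header decides where the next allocation lands. The toy allocator below is an added example written for this page; it is constructed code, not ThreadX or Marvell firmware, and the block layout, sizes and function names are assumptions. It contrasts an allocator that follows the link blindly with one that checks the link stays inside the pool arena and on a block boundary before honouring it, which is the kind of integrity check that turns the condition into a detectable fault instead of a controlled allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE  32   /* user-data bytes per block (constructed value) */
#define BLOCK_COUNT 4    /* blocks in the pool (constructed value) */

/* Toy fixed-size block pool, constructed for this example. It mirrors the
 * general shape of an RTOS pool (a free-list pointer at the head of each
 * block) but is not ThreadX or Marvell code. */
typedef struct block {
    struct block *next_free;       /* free-list link stored in the block header */
    uint8_t data[BLOCK_SIZE];
} block_t;

typedef struct {
    block_t blocks[BLOCK_COUNT];
    block_t *free_head;
} pool_t;

void pool_init(pool_t *p) {
    for (size_t i = 0; i < BLOCK_COUNT; i++)
        p->blocks[i].next_free = (i + 1 < BLOCK_COUNT) ? &p->blocks[i + 1] : NULL;
    p->free_head = &p->blocks[0];
}

/* Membership check: NULL (empty list) or a pointer inside the arena and on a
 * block boundary. Anything else means the header has been overwritten. */
int block_ptr_is_valid(const pool_t *p, const block_t *b) {
    uintptr_t lo = (uintptr_t)&p->blocks[0];
    uintptr_t hi = (uintptr_t)&p->blocks[BLOCK_COUNT];
    uintptr_t v  = (uintptr_t)b;
    if (b == NULL) return 1;
    if (v < lo || v >= hi) return 0;
    return ((v - lo) % sizeof(block_t)) == 0;
}

/* Unchecked allocation: follows the header link blindly. */
void *pool_allocate_unchecked(pool_t *p) {
    block_t *b = p->free_head;
    if (b == NULL) return NULL;
    p->free_head = b->next_free;
    return b->data;
}

/* Hardened allocation: validates the head and its link before using either.
 * On a bad link it sets *corrupted and returns NULL instead of honouring it. */
void *pool_allocate_checked(pool_t *p, int *corrupted) {
    block_t *b = p->free_head;
    *corrupted = 0;
    if (b == NULL) return NULL;
    if (!block_ptr_is_valid(p, b) || !block_ptr_is_valid(p, b->next_free)) {
        *corrupted = 1;               /* real firmware would log and reset here */
        return NULL;
    }
    p->free_head = b->next_free;
    return b->data;
}

/* Simulated defect: a write into block 0's data runs BLOCK_SIZE bytes past
 * its end and clobbers block 1's next_free link with 0x41 bytes. */
static void overflow_block0(pool_t *p) {
    uint8_t *arena = (uint8_t *)p->blocks;
    memset(arena + offsetof(block_t, data), 0x41, BLOCK_SIZE + sizeof(block_t *));
}

/* 1 if the unchecked allocator ends up with a free_head outside the pool. */
int demo_unchecked_free_head_leaves_pool(void) {
    pool_t p;
    pool_init(&p);
    (void)pool_allocate_unchecked(&p);   /* block 0 handed out; free_head -> block 1 */
    overflow_block0(&p);
    (void)pool_allocate_unchecked(&p);   /* block 1 handed out; free_head -> 0x4141... */
    return !block_ptr_is_valid(&p, p.free_head);
}

/* 1 if the hardened allocator refuses block 1 after the same overflow. */
int demo_checked_rejects_corrupt_link(void) {
    pool_t p;
    int corrupted = 0;
    pool_init(&p);
    (void)pool_allocate_checked(&p, &corrupted);
    overflow_block0(&p);
    void *b1 = pool_allocate_checked(&p, &corrupted);
    return (b1 == NULL) && (corrupted == 1);
}

/* Sanity check: with an intact pool the hardened allocator hands out every block. */
int demo_checked_normal_count(void) {
    pool_t p;
    int corrupted = 0, n = 0;
    pool_init(&p);
    while (pool_allocate_checked(&p, &corrupted) != NULL) n++;
    return corrupted ? -1 : n;
}

int main(void) {
    printf("unchecked: free_head leaves pool after overflow = %d\n", demo_unchecked_free_head_leaves_pool());
    printf("checked:   corrupt link rejected               = %d\n", demo_checked_rejects_corrupt_link());
    printf("checked:   blocks handed out when pool is clean = %d\n", demo_checked_normal_count());
    return 0;
}
```

The check is cheap (two comparisons and a modulo per allocation) and catches the overwritten link at the first allocation that would follow it; the unchecked path instead carries the foreign pointer forward silently, which is exactly the condition the article says an attacker relies on. A pool that also keeps its free-list links out of line with user data, or protects them with a per-boot secret, removes the adjacency the overflow depends on rather than merely detecting it.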

[Figure: execution of an arbitrary pointer]

Selianin used a custom tool to dump the WLAN chip’s firmware from a Valve Steam Link hardware device (no longer manufactured, but still supported) and checked it for potentially exploitable issues with the afl-unicorn fuzzing tool. He was able to find about four memory corruption issues.

Stack-based buffer overflow

The researcher was able to execute code on the processor of Valve’s gadget by exploiting a security bug in the device’s application processor driver, with the help of a second escalation vulnerability. Leveraging this flaw is similar to the previous exploit.

“The only difference is that an attacker sends data from a controlled Wi-Fi SoC over SDIO bus, not over the network,” Selianin explains, adding that because a driver acts as a bridge between the device and the operating system (OS), it has to get data from the device, parse it and pass it to the OS.

The code the Marvell Wi-Fi driver uses for these operations has to process a large variety of message types composed of information elements (IEs), making for a wide attack surface.

Another vulnerability the researcher found is a stack-based buffer overflow, which is dead-easy to exploit, according to Selianin, because the Linux kernel (’3.8.13-mrvl’) used by Marvell does not include mitigations for exploiting the binary.

Converting Wi-Fi signals to electricity with new 2D materials

Imagine a world where smartphones, laptops, wearables, and other electronics are powered without batteries. Researchers from MIT and elsewhere have taken a step in that direction, with the first fully flexible device that can convert energy from Wi-Fi signals into electricity that could power electronics.

Devices that convert AC electromagnetic waves into DC electricity are known as “rectennas.” The researchers demonstrate a new kind of rectenna, described in a study appearing in Nature, that uses a flexible radio-frequency (RF) antenna that captures electromagnetic waves — including those carrying Wi-Fi — as AC waveforms.

The antenna is then connected to a novel device made out of a two-dimensional semiconductor just a few atoms thick. The AC signal travels into the semiconductor, which converts it into a DC voltage that could be used to power electronic circuits or recharge batteries.

In this way, the battery-free device passively captures and transforms ubiquitous Wi-Fi signals into useful DC power. Moreover, the device is flexible and can be fabricated in a roll-to-roll process to cover very large areas.

“What if we could develop electronic systems that we wrap around a bridge or cover an entire highway, or the walls of our office and bring electronic intelligence to everything around us? How do you provide energy for those electronics?” says paper co-author Tomás Palacios, a professor in the Department of Electrical Engineering and Computer Science and director of the MIT/MTL Center for Graphene Devices and 2D Systems in the Microsystems Technology Laboratories. “We have come up with a new way to power the electronics systems of the future — by harvesting Wi-Fi energy in a way that’s easily integrated in large areas — to bring intelligence to every object around us.”

Promising early applications for the proposed rectenna include powering flexible and wearable electronics, medical devices, and sensors for the “internet of things.” Flexible smartphones, for instance, are a hot new market for major tech firms. In experiments, the researchers’ device can produce about 40 microwatts of power when exposed to the typical power levels of Wi-Fi signals (around 150 microwatts). That’s more than enough power to light up a simple mobile display or silicon chips.

Another possible application is powering the data communications of implantable medical devices, says co-author Jesús Grajal, a researcher at the Technical University of Madrid. For example, researchers are beginning to develop pills that can be swallowed by patients and stream health data back to a computer for diagnostics.

“Ideally you don’t want to use batteries to power these systems, because if they leak lithium, the patient could die,” Grajal says. “It is much better to harvest energy from the environment to power up these small labs inside the body and communicate data to external computers.”

All rectennas rely on a component known as a “rectifier,” which converts the AC input signal into DC power. Traditional rectennas use either silicon or gallium arsenide for the rectifier. These materials can cover the Wi-Fi band, but they are rigid. And, although using these materials to fabricate small devices is relatively inexpensive, using them to cover vast areas, such as the surfaces of buildings and walls, would be cost-prohibitive. Researchers have been trying to fix these problems for a long time. But the few flexible rectennas reported so far operate at low frequencies and can’t capture and convert signals in gigahertz frequencies, where most of the relevant cell phone and Wi-Fi signals are.

To build their rectifier, the researchers used a novel 2-D material called molybdenum disulfide (MoS2), which at three atoms thick is one of the thinnest semiconductors in the world. In doing so, the team leveraged a singular behavior of MoS2: When exposed to certain chemicals, the material’s atoms rearrange in a way that acts like a switch, forcing a phase transition from a semiconductor to a metallic material. This structure is known as a Schottky diode, which is the junction of a semiconductor with a metal.

“By engineering MoS2 into a 2-D semiconducting-metallic phase junction, we built an atomically thin, ultrafast Schottky diode that simultaneously minimizes the series resistance and parasitic capacitance,” says first author and EECS postdoc Xu Zhang, who will soon join Carnegie Mellon University as an assistant professor.

Parasitic capacitance is an unavoidable situation in electronics where certain materials store a little electrical charge, which slows down the circuit. Lower capacitance, therefore, means increased rectifier speeds and higher operating frequencies. The parasitic capacitance of the researchers’ Schottky diode is an order of magnitude smaller than today’s state-of-the-art flexible rectifiers, so it is much faster at signal conversion and allows it to capture and convert up to 10 gigahertz of wireless signals.

“Such a design has allowed a fully flexible device that is fast enough to cover most of the radio-frequency bands used by our daily electronics, including Wi-Fi, Bluetooth, cellular LTE, and many others,” Zhang says.

The reported work provides blueprints for other flexible Wi-Fi-to-electricity devices with substantial output and efficiency. The maximum output efficiency for the current device stands at 40 percent, depending on the Wi-Fi input power. At the typical Wi-Fi power level, the power efficiency of the MoS2 rectifier is about 30 percent. For reference, today’s best rectennas, made from rigid, more expensive silicon or gallium arsenide, achieve around 50 to 60 percent.

There are 15 other paper co-authors from MIT, Technical University of Madrid, the Army Research Laboratory, Charles III University of Madrid, Boston University, and the University of Southern California.

The team is now planning to build more complex systems and improve efficiency. The work was made possible, in part, by a collaboration with the Technical University of Madrid through the MIT International Science and Technology Initiatives (MISTI). It was also partially supported by the Institute for Soldier Nanotechnologies, the Army Research Laboratory, the National Science Foundation’s Center for Integrated Quantum Materials, and the Air Force Office of Scientific Research.

Nearly 20,000 Orange Modems Leaking Wi-Fi Passwords

Nearly 20,000 Orange modems are being targeted thanks to a vulnerability leaking their SSID and Wi-Fi passwords, researchers at Bad Packets have warned.

The firm’s honeypots first picked up the attack traffic targeting Orange Livebox ADSL modems. After conducting a simple Shodan search, chief research officer Troy Mursch found 19,490 such devices leaking their Wi-Fi credentials in plain text.

In addition, over 2000 were not leaking information but still classed as exposed to the internet.

“Many of the devices found to be leaking their WiFi password use the same password to administer the device (password reuse) or have not configured any custom password – so the factory default ‘admin/admin’ credentials are still applied,” he explained.

“This allows any remote user to easily access the device and maliciously modify the device settings or firmware. In addition, they can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository.”

Most of the affected devices were located in Spain, and the attack traffic was also linked back to an IP address associated with a Telefonica Spain customer.

“While we can only guess what the motive was behind these scans, it’s interesting to find the source is physically closer to the affected Livebox ADSL modems, than say a threat actor in another country,” Mursch continued. “This could allow them to connect to the WiFi network (SSID) if they were near one of the modems indexed by their scans.”

The flaw in question has been assigned CVE-2018-20377. At the time of writing, Orange had acknowledged the flaw and said it was investigating.

Home routers and modems continue to be a major security risk for consumers and remote workers, and a threat to organizations. Just last month researchers uncovered a new botnet of 100,000 compromised machines, comprised mainly of UPnP-enabled home routers.