
Unpatched wireless device vulnerability revealed a decade ago persists in certain products – discovered in hardware of six suppliers and 24 devices, including routers and range extenders

Wireless devices from multiple companies continue to be susceptible to the Pixie Dust exploit, first unveiled in 2014, despite having ample time to fortify their products against this well-known security vulnerability, as disclosed by NetRise.

Some manufacturers have failed to address a wireless device vulnerability first discovered 11 years ago, as six vendors and 24 devices were found to be running insecure firmware across routers, range extenders, and other devices.


In a recent report by cybersecurity firm NetRise, it was revealed that wireless devices from six vendors continue to be vulnerable to the Pixie Dust exploit, first disclosed in 2014. This exploit, well-known for demonstrating introductory wireless network hacking techniques, is a symptom of systemic issues in firmware supply chains.

The oldest vulnerable firmware in the set dates back to September 2017, nearly three years after the public disclosure of the Pixie Dust exploit. This prolonged exposure to a known vulnerability is a concern in the firmware supply chain, as without consistent visibility into firmware, organizations cannot assume that old exploits are gone.

The Pixie Dust exploit can be used to obtain a router's Wi-Fi Protected Setup (WPS) PIN and connect to the targeted wireless network without needing its password. An attacker captures the initial WPS handshake between the network and a client device and then cracks the PIN offline.

It is not uncommon for older devices to remain vulnerable to known exploits, but the devices NetRise scrutinized for its report do not appear to have been adequately addressed. Three of the six manufacturers whose devices appear in the NetRise report remained unpatched against the Pixie Dust exploit beyond 2022. Moreover, seven devices reached end of life without ever receiving fixes for Pixie Dust.

Researchers have developed several open source tools capable of exploiting Pixie Dust, making it easier for malicious actors to exploit these vulnerabilities. Manufacturers can't feign ignorance about the ease with which vulnerable devices can be hacked using Pixie Dust.

In some cases, vendors only vaguely described fixes in changelogs without acknowledging Pixie Dust. This lack of transparency adds to the concern about the security of these devices. On average, vulnerable releases occurred 7.7 years after the exploit was first published, indicating a need for more proactive and consistent patching practices.

Weak cryptography and poor entropy generation are among the systemic issues in firmware supply chains. These issues, if not addressed, could lead to more vulnerabilities and exploits in the future. As of now, thirteen devices remain actively supported but unpatched, posing a potential risk to their users.

However, it's not all bad news. Four of the 24 devices were eventually patched, but the patches arrived late. This shows that while progress is being made, there is still a need for vendors to prioritize security and respond more quickly to known vulnerabilities.

In conclusion, the Pixie Dust exploit serves as a reminder of the importance of securing firmware in the face of known vulnerabilities. Vendors must take a more proactive approach to patching and transparency to ensure the security of their devices and the safety of their users.
