A wireless device exploit uncovered 11 years ago still hasn't been fixed by some manufacturers — six vendors and 24 devices found harbouring vulnerable firmware across routers, range extenders, and more
Welcome to Never-patched-land.

NetRise has revealed (PDF) that wireless devices from several manufacturers remain vulnerable to the Pixie Dust exploit disclosed in 2014, even though companies have had over a decade to harden their products against the well-known security flaw.
"Across six vendors, we found 24 devices, including routers, range extenders, access points, and hybrid Wi-Fi/powerline products, with firmware that was released vulnerable to Pixie Dust," NetRise said. "The oldest vulnerable firmware in the set dates to Sept. 2017, nearly three years after public disclosure of the Pixie Dust exploit. On average, vulnerable releases occurred 7.7 years after the exploit was first published."
SecurityWeek reported that Pixie Dust can be "exploited to obtain a router’s [Wi-Fi Protected Setup] PIN and connect to the targeted wireless network without needing its password." All someone has to do to take advantage of this exploit is make sure they're within range of the network they want to access, capture the initial WPS handshake between the network and a client device, and then crack the PIN offline.
Pixie Dust is so well-known that numerous resources use it to demonstrate introductory wireless network hacking techniques. Researchers have also developed several open source tools capable of exploiting Pixie Dust—one of which is highlighted by the security-focused Kali Linux distribution—so manufacturers can't really feign ignorance about the ease with which vulnerable devices can be hacked.
An exploit this old remaining viable on dated hardware wouldn't necessarily come as a surprise; most companies release enough products each year that it would be unreasonable to expect all of them to be fully supported in perpetuity. (Even if there are many people who don't want to upgrade to a newer gizmo.) But that doesn't seem to be what's happening with the devices NetRise scrutinized for its report.
"Of the 24 devices, only four were ever patched, and these patches arrived late," NetRise said. "As of this writing, thirteen devices remain actively supported but unpatched. Another seven reached end of life without ever receiving fixes. In some cases, vendors described fixes vaguely in changelogs as, 'Fixed some security vulnerability,' with no acknowledgement of Pixie Dust."
This means six manufacturers released products with known vulnerabilities and, in many cases, have neglected to update the relevant firmware even though their customers have been assured the products are still being supported. Even the products that received patches did so long after the fact—NetRise said on average Pixie Dust patches arrived 9.6 years after the exploit's public disclosure.
"The Pixie Dust exploit is not an isolated case but a symptom of systemic issues in firmware supply chains, from weak cryptography and poor entropy generation to opaque vendor patch practices," NetRise said. "The lesson is clear: without consistent visibility into firmware, organizations cannot assume that old exploits are gone."

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
DS426
Funny as it seems like disabling WPS was never removed as a Wi-Fi hardening control. Unfortunately, that's the 0.01 percenters that do that at home. That rate is much higher for enterprises.

das_stig
Why are the manufacturers not being named and shamed for failing to update, or government regulatory action taken against them? Industry protecting themselves?

Dennyy
No offense, but would it be hard to name those 6 vendors and 24 devices? Nothing pisses me more than some clickbait that leads to nowhere.
By the way to save some time - they're not even mentioned in the original NetRise pdf...at least nothing except TP-Link in general. They're probably waiting for some idiot to pay for the results, like everyone always does.

DS426
Right!? This tells me that they are still under the responsible disclosure window. This approach makes sense (give a heads-up early on and then list specific vendors, models, etc. later) to allow end users time to patch, but in this case, there's little reason to believe that this vulnerability will get patched by vendors on older models at this point.
das_stig said: Why are the manufacturers not being named and shamed for failing to update, or government regulatory action taken against them? Industry protecting themselves?
There's no real consequences for not releasing a software vulnerability patch for vendors operating in the U.S., at least not in regulatory terms. If a vuln was severe enough and could be proven to cause huge damages, it could be pursued in civil court, or maybe even criminal court if it resulted in a significant loss of life, e.g. medical machines in the healthcare industry. CISA mandates critical sectors and government to apply available patches or stop using the product or device, but that's a different matter.