Protecting Wi-Fi chipsets with hardware-based security cores

This entry was posted on Friday, February 1st, 2019.

Embedi security researcher Denis Selianin recently disclosed a slew of major vulnerabilitiesthat impacted one of the most popular Wi-Fi chipsets on the market. According to various media reports, the affected SoC can be found in devices such as the Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones and Valve SteamLink cast devices.

As Selianin notes in a detailed blog post, multiple techniques were used to remotely compromise devices packing the chip by exploiting a number of bugs in the SoC. These include closely examining the interaction between the Wi-Fi SoC and driver, firmware analysis, as well as static and dynamic (ThreadX runtime structures recovery & dynamic firmware instrumentation) firmware file analysis. In addition, Selianin hunted for bugs using fuzzing, engaged in basic ThreadX block pool overflow exploitation, exploited AP device driver vulnerabilities and even executed code on SteamLink’s application processor.

As Selianin concludes, Embedi’s remote compromise of devices using the affected SoC highlights the “huge” attack surfaces of wireless devices and the lack of exploitation mitigation on wireless SoCs. Moreover, Selianin cautions that device drivers may expose wide attack surface for escalation from a device to host application processor – even when a device doesn’t have direct access to host memory.

From our perspective, the above-mentioned SoC vulnerabilities could have been prevented if the Wi-Fi chip had included a hardware-based security core. Siloed from the primary processor, such a security core is specially designed to securely run sensitive code, processes and algorithms. This capability is particularly important for Wi-Fi chips, cellular modems and network processors, all of which provide connectivity for a wide range of systems and devices. Ensuring the security of these types of connectivity chips is critical to protecting the systems and devices that use them to communicate. Put simply, an embedded hardware-based security core can help protect the data passing through the chips and prevent unauthorized access.

Moreover, a hardware-based security core can effectively secure a range of communication protocols by placing sensitive elements within the siloed boundary of the security core. This protects keys and certificates, while preventing tampering. In addition, a hardware-based security core can be used to facilitate the encryption and decryption of data sent over an insecure link. Indeed, a hardware-based security core can utilize advanced anti-tamper techniques to provide the highest level of security and protection against a wide range of attacks, such as fault injection. These include logic and crypto redundancy, secure state encoding and ephemeral keys that are generated on-the-fly from multiple splits and flushed immediately after use.

In addition, a hardware-based security core can protect the host processor from compromise, as well as thwart non-volatile memory (NVM) key extraction, tearing and other attacks against NVM writes, corruption of non-volatile memory or fuses, probing of external buses, man-in-the-middle and replay attacks. Last, but certainly not least, a hardware-based security core can help protect SoCs against test and debug interface attacks Power/EM analysis (SPA/DPA) and other side-channel attacks, including timing attacks.

Interested in learning more about hardware-based security cores? You can check out our CryptoManager Root of Trust product page here.