The Intel Vulnerabilities Disclosure: They Actually Can be Remotely Exploitable

Late last week, Intel issued three security advisories: INTEL-SA-00539, INTEL-SA-00581 and INTEL-SA-00582. All in all, Intel listed 27 different vulnerabilities in its AMT and Killer Wi-Fi chip drivers. Of these, 13 can be used for information disclosure, denial of service or privilege escalation (possibly arbitrary code execution) by an unauthenticated user via an adjacent network.

The Underlying Wrong Assumption on the Possibility of an Attack

Intel stated that these vulnerabilities can be exploited by an unauthenticated user via adjacent access. In the Wi-Fi space, this term refers to an attacker with a nearby wireless device, what we immediately think of as a “parking lot” attack. This is a typical underlying assumption that Intel, just like many companies and even security professionals, gets wrong. The truth, however, is that the attacker is actually much closer than assumed.

Antenna for Hire: Gone is the Requirement for the Attacker’s Physical Proximity

It’s important to recognize that wireless-capable devices are all around us today. These may be printers, security cameras, AV devices and home routers. Many of these have lax security configurations and are highly susceptible to remote takeover through the Internet (think Shodan). Hence, they can quickly become what can be considered an Antenna for Hire, giving remote attackers the “adjacent access” they need in order to exploit these recently published vulnerabilities. Think Mirai or BotenaGo botnets and you’ll get the picture. In other words, an attacker remotely takes control of an Antenna for Hire that is broadcasting in the proximity of an organization, and uses it as a stepping stone to exploit a vulnerability within the organization, such as one in Intel’s Wi-Fi chip.

How to Address the Corporate Network Airspace

These vulnerabilities are yet another reminder of an unhandled, and increasing, attack surface: the network airspace. The corporate network airspace is full of wireless-capable devices, both those that are owned by the company and those that are not. But with no technology enforcing policy over wireless connections, all these wireless devices can connect and communicate with all other devices in the airspace, including devices that are not owned by the company, aka Antennas for Hire. It’s time that enterprises take active steps to protect and control this upcoming cyber battleground. This means monitoring the network airspace 24/7, classifying wireless assets as belonging or not belonging to the company, identifying interactions between all wireless devices and terminating them if they do not adhere to company policy or indicate an over-the-air attack.
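
The classify-and-enforce step described above can be sketched as follows. This is an added example, not part of the original article or any product: the inventories, MAC addresses, observations and the policy itself (corporate clients may talk only to corporate access points) are constructed assumptions.

```python
# Added example: every MAC address, inventory entry and observation is constructed.
from dataclasses import dataclass

CORPORATE_APS = {"00:11:22:aa:00:01"}                            # assumed inventory
CORPORATE_CLIENTS = {"00:11:22:bb:00:10", "00:11:22:bb:00:11"}   # assumed inventory
CORP = {"corp-ap", "corp-client"}

@dataclass(frozen=True)
class Link:
    client: str  # station MAC observed over the air
    peer: str    # BSSID or peer MAC it exchanges frames with

def norm(mac: str) -> str:
    return mac.strip().lower().replace("-", ":")

def is_randomized(mac: str) -> bool:
    # The locally administered bit (0x02 in the first octet) marks a
    # software-assigned, typically randomized, address.
    return bool(int(norm(mac).split(":")[0], 16) & 0x02)

def classify(mac: str) -> str:
    m = norm(mac)
    if m in CORPORATE_APS:
        return "corp-ap"
    if m in CORPORATE_CLIENTS:
        return "corp-client"
    return "unknown-randomized" if is_randomized(m) else "external"

def evaluate(link: Link) -> str:
    kinds = {classify(link.client), classify(link.peer)}
    if not kinds & CORP:
        return "ignore"      # neither endpoint is a corporate asset
    if kinds == {"corp-client", "corp-ap"}:
        return "allow"       # the only pairing the assumed policy permits
    if "unknown-randomized" in kinds:
        return "review"      # MAC inventory cannot attribute this device
    return "terminate"       # corporate asset talking outside the policy

OBSERVATIONS = [  # constructed sample data
    Link("00:11:22:bb:00:10", "00:11:22:aa:00:01"),
    Link("00-11-22-BB-00-11", "3c:5a:b4:00:00:99"),
    Link("3c:5a:b4:00:00:98", "3c:5a:b4:00:00:99"),
    Link("da:a1:19:00:00:01", "00:11:22:aa:00:01"),
]

def triage(observations):
    return [evaluate(link) for link in observations]

if __name__ == "__main__":
    for link, decision in zip(OBSERVATIONS, triage(OBSERVATIONS)):
        print(f"{norm(link.client)} <-> {norm(link.peer)}: {decision}")
```

The "review" outcome matters in practice: devices that randomize their MAC address cannot be matched against a MAC-based inventory, so classification needs another identifier for them.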

Related CVEs

Further Reading

https://www.tomsguide.com/news/intel-killer-wifi-chip-patches

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00539.html

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00581.html

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00582.html