
Critical Exploit in MediaTek Wi-Fi Chipsets: Zero-Click Vulnerability

259 points by pjf 8 months ago

15 comments

Namidairo 8 months ago
Not too surprising given what I've seen of their vendor sdk driver source code, compared to mt76. (Messy would be a kind assessment)

Unfortunately, there are also some running aftermarket firmware builds with the vendor driver, due to it having an edge in throughput over mt76.

Mediatek and their WiSoC division luckily have a few engineers that are enthusiastic about engaging with the FOSS community, while also maintaining their own little OpenWrt fork running mt76.[1]

[1] https://git01.mediatek.com/plugins/gitiles/openwrt/feeds/mtk-openwrt-feeds/
qhwudbebd 8 months ago
The wording of the headline is a bit misleading here. I followed the link thinking it might be a firmware or silicon bug as I have a couple of routers at home with mt76 wifi, but was relieved to find it's just a bug in the vendor's 'sdk' shovelware. I'm baffled that anyone even thought about using that, given there's such good mt76 support from mainline kernels with hostapd.
hunter-gatherer 8 months ago
Original blog: https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html
Retr0id 8 months ago
Is there some logic to MediaTek's naming conventions, or are all their devices just MTxxxx where x is some incremented/random number?

I have a device with a mt6631 wifi chip and I'd *assume* it's unaffected just because it's not mentioned as affected anywhere, but it's hard to tell where it might fit into the lineup.
kam 8 months ago
They say that OpenWrt 19.07 and 21.02 are affected, but as far as I can tell, official builds of OpenWrt only use the mt76 driver and not the Mediatek SDK.
RedShift1 8 months ago
I've been buying laptops with AMD CPUs but they always come with these trash MediaTek RZ616 Wi-Fi cards, why is that? I've been replacing them with Intel Wi-Fi cards, now I have a pile of RZ616 cards ready to become future microplastics :-(
usr1106 8 months ago
IIRC my phone uses a MediaTek chipset. And I vaguely remember the vendor has moved away from MediaTek since because of the ahem quality of those products...

No idea how WiFi is done on a phone though. Is there a way to find out whether the phone is affected? I hardly ever use WiFi because I have unlimited cellular data and good coverage, but would still be good to know.
1oooqooq 8 months ago
I still cannot fathom why in this day and age where people buy any silicon that's available, these C tier vendors don't adopt the PC strategy and completely open their firmwares for open source community.
eqvinox 8 months ago
> The affected versions include MediaTek SDK versions 7.4.0.1 and earlier, as well as OpenWrt 19.07 and 21.02.

> The vulnerability resides in wappd, a network daemon included in the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle.

OpenWRT doesn't seem to use wappd though?
anthk 8 months ago
That's why we need free firmware. I'm tired of Broadcom and Ralink.
shadowpho 8 months ago
Exploit is hard to distinguish from a back door here.
justmarc 8 months ago
Welcome back to the 90s.
mmsc 8 months ago
Can the OP's link be changed to the original source, not the advertisement it currently links to? The exploit is documented at https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html
q3k 8 months ago
[flagged]
xtanx 8 months ago
I would like to remind people of the 2016 Adups backdoor:

> According to Kryptowire, Adups engineers would have been able to collect data such as SMS messages, call logs, contact lists, geo-location data, IMSI and IMEI identifiers, and would have been able to forcibly install other apps or execute root commands on all devices.

https://www.bleepingcomputer.com/news/security/android-adups-backdoor-became-active-5-months-affected-43-phone-vendors/