Bugs in billions of WiFi, Bluetooth chips allow password, data theft

Researchers from the University of Darmstadt, Brescia, CNIT and the Secure Mobile Networking Lab have published a paper showing that it is possible to extract passwords and manipulate traffic on a WiFi chip by targeting the Bluetooth component of the same device.

Modern consumer electronics devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation.

However, these components often share the same resources, such as the antenna or the wireless spectrum.

This sharing of resources aims to make SoCs more energy efficient and give them higher throughput and low latency in communications.

As the researchers detail in the recently published article, it is possible to use these shared resources as bridges to launch lateral privilege escalation attacks beyond the boundaries of wireless chips.

The implications of these attacks include code execution, memory reading, and denial of service.

Google Nexus 5 Resource Sharing Diagram
Source: Arxiv.org

Multiple architectural and protocol flaws

To exploit these vulnerabilities, researchers first had to execute code on the Bluetooth or WiFi chip. While not very common, remote code execution vulnerabilities affecting Bluetooth and WiFi have been discovered in the past.

Once the researchers achieved code execution on one chip, they were able to pivot to the other chips in the device through shared memory resources.

In their paper, the researchers explain how they could perform over-the-air denial of service, execute code, extract network passwords, and read sensitive data on chipsets from Broadcom, Cypress, and Silicon Labs.

CVE reserved for the particular threat model.
Source: Arxiv.org

These vulnerabilities have been assigned to the following CVEs:

  • CVE-2020-10368: WiFi unencrypted data leak (architectural)
  • CVE-2020-10367: WiFi code execution (architectural)
  • CVE-2019-15063: WiFi denial of service (protocol)
  • CVE-2020-10370: Bluetooth denial of service (protocol)
  • CVE-2020-10369: Bluetooth data leak (protocol)
  • CVE-2020-29531: WiFi denial of service (protocol)
  • CVE-2020-29533: WiFi data leak (protocol)
  • CVE-2020-29532: Bluetooth denial of service (protocol)
  • CVE-2020-29530: Bluetooth data leak (protocol)

Some of the above flaws can only be fixed with a new hardware revision, so firmware updates cannot fix all identified security issues.

For example, vulnerabilities that rely on the sharing of physical memory cannot be corrected by security updates of any kind.

In other cases, mitigating security issues such as packet synchronization and metadata faults would cause severe degradation in packet coordination performance.

Impact and remediation

The researchers looked at chips made by Broadcom, Silicon Labs and Cypress, which are inside billions of electronic devices.

All vulnerabilities have been responsibly reported to chip vendors, and some have released security updates where possible.

However, many have not addressed the security concerns, either because they no longer support the affected products or because a firmware fix is next to impossible.

Devices tested by researchers against CVE-2020-10368 and CVE-2020-10367
Source: Arxiv.org

As of November 2021, more than two years after reporting the first coexistence bug, coexistence attacks, including code execution, are still working on up-to-date Broadcom chips. Again, this shows how difficult these problems are to solve in practice.

Cypress released a few fixes in June 2020 and updated the status in October as follows:

  • They claim that the shared RAM feature causing code execution has only been “enabled by development tools to test mobile phone platforms.” They plan to remove stack support for this in the future.
  • The typing information leak is considered resolved without a fix because “keyboard packets may be identified by other means.”
  • Resistance to DoS is not yet resolved but is under development. To achieve this, “Cypress plans to implement a monitoring function in the WiFi and Bluetooth stacks to enable system response to abnormal traffic patterns.”

According to the researchers, however, the resolution of the identified problems has been slow and inadequate, and the most dangerous aspect of the attack remains largely unresolved.

“Live attacks through the Bluetooth chip are not mitigated by the current patches. Only the Bluetooth daemon → Bluetooth chip interface is hardened, not the shared RAM interface which allows code execution Bluetooth chip → WiFi chip. It is important to note that the daemon → chip interface was never designed to be secure against attacks.” – reads the technical paper.

“For example, the initial patch could be bypassed with a UART interface overflow (CVE-2021-22492) in the chip’s firmware until a recent patch, which was at least applied by Samsung in January 2021. Moreover, when writing to Bluetooth RAM through this interface was disabled on iOS devices, the iPhone 7 on iOS 14.3 would still allow another command to execute arbitrary addresses in RAM.”

Bleeping Computer has contacted all vendors and requested comment on the above, and we will update this post as soon as we have a response.

In the meantime, and until these hardware-related issues are corrected, users are advised to follow these simple protective measures:

  • Delete unnecessary Bluetooth device pairings.
  • Remove unused WiFi networks from settings.
  • Use cellular data instead of WiFi in public areas.
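The "remove unused WiFi networks" step is easy to forget on a laptop that has collected years of saved profiles. The script below is an added example, not part of the article or the researchers' work: it takes the terse output of NetworkManager's `nmcli -t -f NAME,TYPE,TIMESTAMP connection show` on a Linux system and lists the WiFi profiles that have not been used for a chosen number of days (or never), so they can be reviewed and deleted. The sample input is constructed, and the `stale_wifi_profiles` function name and the 30-day threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the article). Flags saved WiFi profiles that have not
# been used recently, as a review aid for the "remove unused WiFi networks" advice.
# Assumes nmcli's terse format NAME:TYPE:TIMESTAMP, where TIMESTAMP is the epoch
# time of the last activation (0 if the profile was never activated).

# stale_wifi_profiles NOW MAX_AGE_DAYS  (reads nmcli lines on stdin)
# Prints the NAME of each WiFi profile last used more than MAX_AGE_DAYS ago
# or never used; wired and other connection types are ignored.
stale_wifi_profiles() {
    now=$1
    max_days=$2
    cutoff=$((now - max_days * 86400))
    while IFS=: read -r name type ts; do
        [ "$type" = "802-11-wireless" ] || continue   # WiFi profiles only
        ts=${ts:-0}                                    # never used -> treat as epoch 0
        if [ "$ts" -lt "$cutoff" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample of `nmcli -t -f NAME,TYPE,TIMESTAMP connection show`;
# not captured from any real device. 1700000000 is roughly 2023-11-14.
SAMPLE_NMCLI='HomeWiFi:802-11-wireless:1699900000
CoffeeShop:802-11-wireless:1680000000
Wired connection 1:802-3-ethernet:1699950000
HotelGuest:802-11-wireless:0'

# Dry run over the sample. On a real system, pipe the live command instead:
#   nmcli -t -f NAME,TYPE,TIMESTAMP connection show | stale_wifi_profiles "$(date +%s)" 30
# then review the list and remove a profile with: nmcli connection delete "<NAME>"
printf '%s\n' "$SAMPLE_NMCLI" | stale_wifi_profiles 1700000000 30
```

The script only reports; deletion is left to a separate, reviewed `nmcli connection delete` so that a profile you still need is not removed by accident. Bluetooth pairings can be reviewed in the same spirit with `bluetoothctl paired-devices` and removed with `bluetoothctl remove <address>`.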

Lastly, we would say that patch responses favor the newer device models, so upgrading to a newer gadget that the vendor actively supports is always a good idea from a security perspective.
