Bugs in billions of WiFi, Bluetooth chips allow password, data theft
https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-blue...

Bugs in billions of WiFi, Bluetooth chips allow password, data theft
By Bill Toulas

Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves it's possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device's Bluetooth component.

Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation. However, these components often share the same resources, such as the antenna or wireless spectrum. This resource sharing aims to make the SoCs more energy-efficient and give them higher throughput and low latency in communications.

As the researchers detail in the recently published paper, it is possible to use these shared resources as bridges for launching lateral privilege escalation attacks across wireless chip boundaries. The implications of these attacks include code execution, memory readout, and denial of service.
It's great to see this described more clearly. The article and paper have dense information, including CVEs and a chip interconnection diagram. This is crucial stuff.
Bugs in billions of WiFi, Bluetooth chips allow password, data theft By Bill Toulas <https://www.bleepingcomputer.com/author/bill-toulas/>
December 13, 2021, 11:04 AM
[image: Billions of WiFi chips vulnerable to code execution via Bluetooth component]
Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves it's possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device's Bluetooth component.
Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation.
However, these components often share the same resources, such as the antenna or wireless spectrum.
This resource sharing aims to make the SoCs more energy-efficient and give them higher throughput and low latency in communications.
As the researchers detail in the recently published paper, it is possible to use these shared resources as bridges for launching lateral privilege escalation attacks across wireless chip boundaries.
The implications of these attacks include code execution, memory readout, and denial of service.
[image: Resource sharing diagram of Google Nexus 5] Resource sharing diagram of Google Nexus 5. *Source: Arxiv.org*
Multiple flaws in architecture and protocol
To exploit these vulnerabilities, the researchers first needed to perform code execution on either the Bluetooth or WiFi chip. While this is not very common, remote code execution vulnerabilities affecting Bluetooth and WiFi have been discovered in the past <https://www.bleepingcomputer.com/news/security/zephyr-rtos-fixes-bluetooth-bugs-that-may-lead-to-code-execution/> .
Once the researchers achieved code execution on one chip, they could perform lateral attacks on the device's other chips using shared memory resources.
In their paper, the researchers explain how they could perform OTA (Over-the-Air) denial of service, code execution, extract network passwords, and read sensitive data on chipsets from Broadcom, Cypress, and Silicon Labs.
[image: CVEs reserved for the particular threat model.] CVEs reserved for the particular threat model. *Source: Arxiv.org*
These vulnerabilities were assigned the following CVEs:
- CVE-2020-10368: WiFi unencrypted data leak (architectural)
- CVE-2020-10367: Wi-Fi code execution (architectural)
- CVE-2019-15063: Wi-Fi denial of service (protocol)
- CVE-2020-10370: Bluetooth denial of service (protocol)
- CVE-2020-10369: Bluetooth data leak (protocol)
- CVE-2020-29531: WiFi denial of service (protocol)
- CVE-2020-29533: WiFi data leak (protocol)
- CVE-2020-29532: Bluetooth denial of service (protocol)
- CVE-2020-29530: Bluetooth data leak (protocol)
Some of the above flaws can only be fixed by a new hardware revision, so firmware updates cannot patch all the identified security problems.
For example, flaws that rely on physical memory sharing cannot be addressed by security updates of any kind.
In other cases, mitigating security issues such as packet timing and metadata flaws would result in severe packet coordination performance drops.
Impact and remediation
The researchers looked into chips made by Broadcom, Silicon Labs, and Cypress, which are found inside billions of electronic devices.
All flaws have been responsibly reported to the chip vendors, and some have released security updates where possible.
Many, though, haven't addressed the security problems, either due to no longer supporting the affected products or because a firmware patch is practically infeasible.
[image: Devices tested by the researchers against CVE-2020-10368 and CVE-2020-10367] Devices tested by the researchers against CVE-2020-10368 and CVE-2020-10367. *Source: Arxiv.org*
As of November 2021, more than two years after reporting the first coexistence bug, coexistence attacks, including code execution, still work on up-to-date Broadcom chips. Again, this highlights how hard these issues are to fix in practice.
Cypress released some fixes in June 2020 and updated the status in October as follows:
- They claim that the shared RAM feature causing code execution has only been "enabled by development tools for testing mobile phone platforms." They plan to remove stack support for this in the future.
- The keystroke information leakage is remarked as solved without a patch because "keyboard packets can be identified through other means."
- DoS resistance is not yet resolved but is in development. For this, "Cypress plans to implement a monitor feature in the WiFi and Bluetooth stacks to enable a system response to abnormal traffic patterns."
According to the researchers, though, fixing the identified issues has been slow and inadequate, and the most dangerous aspect of the attack remains largely unfixed.
"Over-the-air attacks via the Bluetooth chip, is not mitigated by current patches. Only the interface Bluetooth daemon→Bluetooth chip is hardened, not the shared RAM interface that enables Bluetooth chip→WiFi chip code execution. It is important to note that the daemon→chip interface was never designed to be secure against attacks." - reads the technical paper <https://arxiv.org/pdf/2112.05719.pdf>.
"For example, the initial patch could be bypassed with a UART interface overflow (CVE-2021-22492) in the chip's firmware until a recent patch, which was at least applied by Samsung in January 2021. Moreover, while writing to the Bluetooth RAM via this interface has been disabled on iOS devices, the iPhone 7 on iOS 14.3 would still allow another command to execute arbitrary addresses in RAM."
Bleeping Computer has reached out to all vendors and asked for a comment on the above, and we will update this post as soon as we hear back.
In the meantime, and for as long as these hardware-related issues remain unpatched, users are advised to follow these simple protection measures:
- Delete unnecessary Bluetooth device pairings.
- Remove unused WiFi networks from the settings.
- Use cellular instead of WiFi in public spaces.
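The first two measures above are easy to state but tedious to carry out by hand on a machine with years of saved profiles. The script below is an added example (not code from BleepingComputer or from the paper's authors) of how an administrator could audit a Linux host for them. It assumes NetworkManager and BlueZ, and that `nmcli -t -f NAME,TYPE,TIMESTAMP connection show` prints colon-separated lines with the last-activation time as a Unix timestamp (0 when never activated), and that `bluetoothctl paired-devices` prints one `Device <MAC> <name>` line per pairing; both output formats are assumptions, and the sample outputs, the 90-day threshold and the allowlist are constructed for the example.

```python
"""Audit saved Wi-Fi profiles and Bluetooth pairings that are no longer in use.

Added example, not code from BleepingComputer or the paper. Assumes Linux with
NetworkManager (nmcli) and BlueZ (bluetoothctl); the output formats parsed
below are assumptions about those tools. Sample outputs are constructed so the
script runs offline.
"""
import subprocess
from dataclasses import dataclass

STALE_AFTER_DAYS = 90  # constructed threshold; tune to the environment

# Constructed sample of `nmcli -t -f NAME,TYPE,TIMESTAMP connection show`:
# colon-separated, TIMESTAMP = Unix time of last activation, 0 = never.
SAMPLE_NMCLI = """\
HomeNet:802-11-wireless:1639000000
Wired connection 1:802-3-ethernet:1639400000
CoffeeShop_Free:802-11-wireless:1600000000
AirportWiFi:802-11-wireless:0
"""

# Constructed sample of `bluetoothctl paired-devices`.
SAMPLE_BTCTL = """\
Device AA:BB:CC:DD:EE:01 My Headphones
Device AA:BB:CC:DD:EE:02 Rental Car Audio
"""


@dataclass
class Finding:
    kind: str    # "wifi" or "bluetooth"
    name: str
    reason: str


def parse_nmcli(text):
    """Yield (name, type, timestamp). Terse nmcli escapes ':' inside names as
    '\\:', so split from the right to keep the name intact."""
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ctype, ts = line.rsplit(":", 2)
        yield name.replace("\\:", ":"), ctype, int(ts)


def stale_wifi_profiles(text, now, stale_after_days=STALE_AFTER_DAYS):
    """Wi-Fi profiles never activated or not used within the threshold."""
    cutoff = now - stale_after_days * 86400
    findings = []
    for name, ctype, ts in parse_nmcli(text):
        if ctype != "802-11-wireless":
            continue  # the advice concerns Wi-Fi profiles only
        if ts == 0:
            findings.append(Finding("wifi", name, "saved but never activated"))
        elif ts < cutoff:
            days = (now - ts) // 86400
            findings.append(Finding("wifi", name, f"last used {days} days ago"))
    return findings


def parse_paired_devices(text):
    """Return [(mac, name)] from 'Device <MAC> <name>' lines."""
    devices = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "Device":
            devices.append((parts[1], parts[2]))
    return devices


def unknown_pairings(text, allowlist):
    """Pairings whose MAC is not on the operator's allowlist of devices in use."""
    return [Finding("bluetooth", f"{mac} ({name})", "not on allowlist")
            for mac, name in parse_paired_devices(text) if mac not in allowlist]


def audit(nmcli_text, btctl_text, allowlist, now):
    return stale_wifi_profiles(nmcli_text, now) + unknown_pairings(btctl_text, allowlist)


def collect_live():
    """Gather real tool output; only works on a NetworkManager/BlueZ host."""
    nm = subprocess.run(["nmcli", "-t", "-f", "NAME,TYPE,TIMESTAMP", "connection", "show"],
                        capture_output=True, text=True, check=True).stdout
    bt = subprocess.run(["bluetoothctl", "paired-devices"],
                        capture_output=True, text=True, check=True).stdout
    return nm, bt


if __name__ == "__main__":
    now = 1639400000  # constructed "now" so the sample run is reproducible
    for f in audit(SAMPLE_NMCLI, SAMPLE_BTCTL, {"AA:BB:CC:DD:EE:01"}, now):
        print(f"[{f.kind}] {f.name}: {f.reason}")
```

Run as-is it reports the stale coffee-shop profile, the never-used airport profile and the unallowlisted car pairing from the constructed samples; swapping the samples for `collect_live()` output and `int(time.time())` turns it into a periodic check, and the removal itself is left to the operator (`nmcli connection delete`, `bluetoothctl remove`) so the audit stays read-only.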
As a final note, we would say that patching responses favor the more recent device models, so upgrading to a newer gadget that the vendor actively supports is always a good idea from the perspective of security.
Comments
Wallak, 2 days ago:
Nah!!! Use ethernet connection (or better, disconnect from the net, hahaha) ... forget about firmware updates... and forget about security on wireless communications, they will always be a nice lab to explore and explode, communication systems have never been designed thinking on their security.
It wasn't labelled "Pentagon spam". But why would Cypherpunks not want to learn about "Pentagon spam"? Ever hear about a 'reverse barometer'?

On Thu, Dec 16, 2021 at 8:47 AM, Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
> Bugs in billions of WiFi, Bluetooth chips allow password, data theft
> what is the point of this particular piece of pentagon spam you just spammed Jim?
On Fri, 17 Dec 2021 07:02:31 +0000 (UTC) jim bell <jdb10987@yahoo.com> wrote:
> It wasn't labelled "Pentagon spam". But why would Cypherpunks not want to learn about "Pentagon spam"?

What is to be learned? There's constant non-news about 'vulnerabilities'. Do people ever draw any correct conclusions from those 'news'? Nope. Do you? Nope. You've never explained what all those non-news are all about. You just spam them here. Do 'libertarian hackers' ever use those 'vulnerabilities' against govcorp? Nope.

> Ever hear about a 'reverse barometer'?

I don't need more technofascist spam to know what's going on in the technofascist world. Also, propaganda includes a portion of truth, so you can't just assume it's all lies.

> On Thu, Dec 16, 2021 at 8:47 AM, Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
>> Bugs in billions of WiFi, Bluetooth chips allow password, data theft
>> what is the point of this particular piece of pentagon spam you just spammed Jim?
Hi, Punk Stasi, The docs describe a significant portion of a suite of vulnerabilities inside phones that demonstrate that _most mobile phones today_ can be _remotely controlled by anyone with tools or skills_. This is more meaningful than, say, a cpu exploit, because everybody has one and it can be done wirelessly. People have been discussing these kinds of vulnerabilities since smartphones became common, and how the industry has been designing phones in a way that does this, but for me it has been rare to see backing documentation like this, especially with so many parts. The research can be quite laborious. It's important to be able to disconnect your radios from your computing equipment. The inability to do this is a clear push to take power from the common people, one that can be discussed and engaged in the mainstream.
On Sat, 18 Dec 2021 11:20:25 +0000 Karl <gmkarl@gmail.com> wrote:
> Hi, Punk Stasi,
> The docs describe a significant portion of a suite of vulnerabilities

tell me something I don't know.

> It's important to be able to disconnect your radios from your computing equipment.

all your computing equipment is backdoored - again tell me something I don't know. you should explain what Jim's pentagon spam ACTUALLY means.
On 12/18/21, Karl <gmkarl@gmail.com> wrote:
> It's important to be able to disconnect your radios from your computing equipment. The inability to do this is a clear push to take power from the common people

That's why the design agents above have been increasingly integrating radios on many motherboard chipsets recently in a manner that commoners can't physically disable them. "Always on" "convenient" "included for free" "saves a slot" those slick voices say... yes, for the agents. Btw, serial number hw ID tied to your credit card, face camera, etc... shared sold combined, top-secret databases know who they cracked. A machine that never leaves the office/home doesn't need wifi/bt/5g... use the ethernet cable. Sniff your environment, a cesspool of insecurity, noise, and exploits. "Bugs" designed in, left in by insecurity and marketing profit culture, secure computing rainbow books binned decades ago remaining copies sent to ebay to be quaint museum pieces shelf queens. #OpenFabs , #OpenHW , #OpenAudit Crickets. Zero demand, zero investment, zero change. Thus the prevailing win shall continue... Zero click, zero day, zerodium. Bring ass lube or cut the power cable. Those are your choices.
On Thu, Dec 16, 2021 at 8:47 AM, Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
> Bugs in billions of WiFi, Bluetooth chips allow password, data theft
> what is the point of this particular piece of pentagon spam you just spammed Jim?

First, prove it's spam, in other than your own mind. Then: Show that your statement that it's spam means that Cypherpunks shouldn't want to talk about it. THEN we can talk.
Jim Bell
On Sat, 18 Dec 2021 23:03:42 +0000 (UTC) jim bell <jdb10987@yahoo.com> wrote:
> On Thu, Dec 16, 2021 at 8:47 AM, Punk-BatSoup-Stasi 2.0 <punks@tfwno.gf> wrote:
>> Bugs in billions of WiFi, Bluetooth chips allow password, data theft
>> what is the point of this particular piece of pentagon spam you just spammed Jim?

And last but not least: even if your life depended on it, you can't give a half decent answer to the question: What's the point of the garbage you mindlessly spam? You don't know.
Consider if these bugs and bug apologist culture were put there by infiltrant bugs known as Spies, Moles, Agents, NSA, CIA, GCHQ, FVEY, Chinese, KGB, Israel, Swiss, German, etc. Not least made far easier by your refusal to do and insist upon even the smallest modicum of... #OpenFabs , #OpenHW , #OpenAudit
participants (4): grarpamp, jim bell, Karl, Punk-BatSoup-Stasi 2.0