Bugs in billions of WiFi, Bluetooth chips allow password, data theft

Karl gmkarl at gmail.com
Thu Dec 16 03:51:09 PST 2021


> Bugs in billions of WiFi, Bluetooth chips allow password, data theft
> By Bill Toulas <https://www.bleepingcomputer.com/author/bill-toulas/>
> December 13, 2021, 11:04 AM
> <https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/>
>
> [image: Billions of WiFi chips vulnerable to code execution via Bluetooth component]
>
> Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure
> Mobile Networking Lab, have published a paper that proves it's possible to
> extract passwords and manipulate traffic on a WiFi chip by targeting a
> device's Bluetooth component.
>
> Modern consumer electronic devices such as smartphones feature SoCs with
> separate Bluetooth, WiFi, and LTE components, each with its own dedicated
> security implementation.
>
> However, these components often share the same resources, such as the
> antenna or wireless spectrum.
>
> This resource sharing aims to make the SoCs more energy-efficient and give
> them higher throughput and low latency in communications.
>
> As the researchers detail in the recently published paper, it is possible
> to use these shared resources as bridges for launching lateral privilege
> escalation attacks across wireless chip boundaries.
>
> The implications of these attacks include code execution, memory readout,
> and denial of service.
> [image: Resource sharing diagram of Google Nexus 5]
> Resource sharing diagram of Google Nexus 5
> *Source: Arxiv.org*
>
> Multiple flaws in architecture and protocol
>
> To exploit these vulnerabilities, the researchers first needed to perform
> code execution on either the Bluetooth or WiFi chip. While this is not very
> common, remote code execution vulnerabilities affecting Bluetooth and WiFi
> have been discovered in the past
> <https://www.bleepingcomputer.com/news/security/zephyr-rtos-fixes-bluetooth-bugs-that-may-lead-to-code-execution/>
> .
>
> Once the researchers achieved code execution on one chip, they could
> perform lateral attacks on the device's other chips using shared memory
> resources.
>
> In their paper, the researchers explain how they could perform OTA
> (Over-the-Air) denial of service, code execution, extract network
> passwords, and read sensitive data on chipsets from Broadcom, Cypress, and
> Silicon Labs.
> [image: CVEs reserved for the particular threat model.]
> CVEs reserved for the particular threat model.
> *Source: Arxiv.org*
>
> These vulnerabilities were assigned the following CVEs:
>
>    - CVE-2020-10368: WiFi unencrypted data leak (architectural)
>    - CVE-2020-10367: Wi-Fi code execution (architectural)
>    - CVE-2019-15063: Wi-Fi denial of service (protocol)
>    - CVE-2020-10370: Bluetooth denial of service (protocol)
>    - CVE-2020-10369: Bluetooth data leak (protocol)
>    - CVE-2020-29531: WiFi denial of service (protocol)
>    - CVE-2020-29533: WiFi data leak (protocol)
>    - CVE-2020-29532: Bluetooth denial of service (protocol)
>    - CVE-2020-29530: Bluetooth data leak (protocol)
>
> Some of the above flaws can only be fixed by a new hardware revision, so
> firmware updates cannot patch all the identified security problems.
>
> For example, flaws that rely on physical memory sharing cannot be
> addressed by security updates of any kind.
>
> In other cases, mitigating security issues such as packet timing and
> metadata flaws would result in severe packet coordination performance drops.
>
> Impact and remediation
>
> The researchers looked into chips made by Broadcom, Silicon Labs, and
> Cypress, which are found inside billions of electronic devices.
>
> All flaws have been responsibly reported to the chip vendors, and some
> have released security updates where possible.
>
> Many though haven't addressed the security problems, either due to no
> longer supporting the affected products or because a firmware patch is
> practically infeasible.
> [image: Devices tested by the researchers against CVE-2020-10368 and CVE-2020-10367]
> Devices tested by the researchers against CVE-2020-10368 and CVE-2020-10367
> *Source: Arxiv.org*
>
> As of November 2021, more than two years after reporting the first
> coexistence bug, coexistence attacks, including code execution, still work
> on up-to-date Broadcom chips. Again, this highlights how hard these issues
> are to fix in practice.
>
> Cypress released some fixes in June 2020 and updated the status in October
> as follows:
>
>    - They claim that the shared RAM feature causing code execution has
>    only been "enabled by development tools for testing mobile phone
>    platforms." They plan to remove stack support for this in the future.
>    - The keystroke information leakage is remarked as solved without a
>    patch because "keyboard packets can be identified through other means."
>    - DoS resistance is not yet resolved but is in development. For this,
>    "Cypress plans to implement a monitor feature in the WiFi and Bluetooth
>    stacks to enable a system response to abnormal traffic patterns."
>
> According to the researchers, though, fixing the identified issues has
> been slow and inadequate, and the most dangerous aspect of the attack
> remains largely unfixed.
>
> "Over-the-air attacks via the Bluetooth chip, is not mitigated by current
> patches. Only the interface Bluetooth daemon→Bluetooth chip is hardened,
> not the shared RAM interface that enables Bluetooth chip→WiFi chip code
> execution. It is important to note that the daemon→chip interface was never
> designed to be secure against attacks," reads the technical paper
> <https://arxiv.org/pdf/2112.05719.pdf>.
>
> "For example, the initial patch could be bypassed with a UART interface
> overflow (CVE-2021-22492) in the chip's firmware until a recent patch,
> which was at least applied by Samsung in January 2021. Moreover, while
> writing to the Bluetooth RAM via this interface has been disabled on iOS
> devices, the iPhone 7 on iOS 14.3 would still allow another command to
> execute arbitrary addresses in RAM."
>
> Bleeping Computer has reached out to all vendors and asked for a comment
> on the above, and we will update this post as soon as we hear back.
>
> In the meantime, and for as long as these hardware-related issues remain
> unpatched, users are advised to follow these simple protection measures:
>
>    - Delete unnecessary Bluetooth device pairings.
>    - Remove unused WiFi networks from the settings.
>    - Use cellular instead of WiFi in public spaces.
>
> As a final note, we would say that patching responses favor the more
> recent device models, so upgrading to a newer gadget that the vendor
> actively supports is always a good idea from the perspective of security.
> Comments
>
> Wallak <https://www.bleepingcomputer.com/forums/u/951092/wallak/> - 2 days ago
>
>    Nah!!! Use ethernet connection (or better, disconnect from the net,
>    hahaha) ... forget about firmware updates... and forget about security on
>    wireless communications, they will always be a nice lab to explore and
>    explode, communication systems have never been designed thinking on their
>    security.
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2112.05719.pdf
Type: application/pdf
Size: 1230522 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20211216/2d2784ea/attachment-0001.pdf>
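
The forwarded article's hygiene advice (drop unneeded Bluetooth pairings, forget unused Wi-Fi networks) is easy to state and easy to forget to do. The script below is an added example, not code from the article, the paper, or any of the chip vendors: it audits both attack surfaces on a Linux host. It assumes NetworkManager (`nmcli`) and BlueZ (`bluetoothctl`), which is an assumption about the host rather than something the article specifies; the two parser functions read the tools' text output from stdin, so they can also be run over captured output. The 90-day threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the article or the paper): audit saved Wi-Fi profiles
# and Bluetooth pairings on a Linux host with NetworkManager and BlueZ, the two
# things the article's hygiene advice says to prune. Both tools are assumed.

# stale_wifi_profiles DAYS [NOW]
# stdin: NAME:TYPE:TIMESTAMP lines as printed by
#   nmcli -t -f NAME,TYPE,TIMESTAMP connection show
# Prints the names of Wi-Fi profiles whose last successful connection is older
# than DAYS days, or that never connected (TIMESTAMP 0). NOW defaults to the
# current epoch and exists so the function can be run over captured output.
stale_wifi_profiles() {
  local days="$1" now="${2:-$(date +%s)}"
  local cutoff=$(( now - days * 86400 ))
  # nmcli -t escapes ':' inside values as '\:'; profile names containing ':'
  # are rare and are not handled here.
  awk -F: -v cutoff="$cutoff" \
    '$2 == "802-11-wireless" && ($3 + 0) <= cutoff { print $1 }'
}

# paired_bt_devices
# stdin: "Device XX:XX:XX:XX:XX:XX Name" lines as printed by
#   bluetoothctl paired-devices      (BlueZ >= 5.65: bluetoothctl devices Paired)
# Prints one "ADDRESS<TAB>NAME" line per pairing; runs of spaces in a name are
# collapsed to one.
paired_bt_devices() {
  awk '$1 == "Device" { addr = $2; $1 = ""; $2 = ""; sub(/^ +/, ""); print addr "\t" $0 }'
}

# forget_stale_wifi DAYS
# Interactive: offers to delete each stale profile reported by stale_wifi_profiles.
forget_stale_wifi() {
  nmcli -t -f NAME,TYPE,TIMESTAMP connection show | stale_wifi_profiles "$1" |
  while IFS= read -r name; do
    printf "Delete Wi-Fi profile '%s'? [y/N] " "$name"
    read -r ans < /dev/tty
    if [ "$ans" = "y" ]; then
      nmcli connection delete id "$name"
    fi
  done
}

# run_audit: report only; nothing is removed. Invoke with --run on the host.
run_audit() {
  command -v nmcli >/dev/null 2>&1 || { echo "nmcli not found" >&2; return 1; }
  command -v bluetoothctl >/dev/null 2>&1 || { echo "bluetoothctl not found" >&2; return 1; }
  echo "== Wi-Fi profiles unused for 90+ days, or never connected =="
  nmcli -t -f NAME,TYPE,TIMESTAMP connection show | stale_wifi_profiles 90
  echo "== Bluetooth pairings (drop unneeded ones with: bluetoothctl remove ADDR) =="
  bluetoothctl paired-devices | paired_bt_devices
}

if [ "${1:-}" = "--run" ]; then
  run_audit
fi
```

Run it as `sh audit.sh --run` to print the report, then `forget_stale_wifi 90` from a shell that has sourced the file to prune interactively. Note that none of this touches the chip firmware: the article's point is that the shared-RAM coexistence path is an architectural issue, so reducing the set of trusted peers that can reach the Bluetooth and Wi-Fi stacks is the only lever a user has until vendors ship a hardware revision.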