[1] BleepingComputer.com logo
     *
     *
     *
     *
     *

   ____________________
   Login  Sign up
     * [2]NEWS
     * [3]DOWNLOADS
     * [4]VIRUS REMOVAL GUIDES
     * [5]TUTORIALS
     * [6]DEALS
     * [7]FORUMS
     * [8]MORE

     * [9]Home
     * [10]News
     * [11]Security
     * Bugs in billions of WiFi, Bluetooth chips allow password, data
       theft


     * 93
     *
     *

Bugs in billions of WiFi, Bluetooth chips allow password, data theft

   By

[12]Bill Toulas


     * December 13, 2021
     *
     * 11:04 AM
     *
     * [13]1

   Billions of WiFi chips vulnerable to code execution via Bluetooth
   component

   Researchers at the University of Darmstadt, Brescia, CNIT, and the
   Secure Mobile Networking Lab, have published a paper that proves it's
   possible to extract passwords and manipulate traffic on a WiFi chip by
   targeting a device's Bluetooth component.

   Modern consumer electronic devices such as smartphones feature SoCs
   with separate Bluetooth, WiFi, and LTE components, each with its own
   dedicated security implementation.

   However, these components often share the same resources, such as the
   antenna or wireless spectrum.
   Top Articles Emotet starts dropping Cobalt Strike again for faster
   attacks Microsoft to set Windows Terminal as default console in Windows
   11 Large-scale phishing study shows who bites the bait more often CISA
   warns critical infrastructure to stay vigilant for ongoing threats
   State-sponsored hackers abuse Slack API to steal airline data AWS down
   again, outage impacts Twitch, Zoom, PSN, Hulu, others [14]AWS down
   again, outageimpacts Twitch, Zoom, PSN, Hulu, others
   AWS down again, outage impacts Twitch, Zoom, PSN, Hulu, others

   This resource sharing aims to make the SoCs more energy-efficient and
   give them higher throughput and low latency in communications.

   As the researchers detail in the recently published paper, it is
   possible to use these shared resources as bridges for launching lateral
   privilege escalation attacks across wireless chip boundaries.

   The implications of these attacks include code execution, memory
   readout, and denial of service.
   Resource sharing diagram of Google Nexus 5 Resource sharing diagram of
   Google Nexus 5
   Source: Arxiv.org

Multiple flaws in architecture and protocol

   To exploit these vulnerabilities, the researchers first needed to
   perform code execution on either the Bluetooth or WiFi chip. While this
   is not very common, remote code execution vulnerabilities affecting
   Bluetooth and WiFi have been [15]discovered in the past.

   Once the researchers achieved code execution on one chip, they could
   perform lateral attacks on the device's other chips using shared memory
   resources.

   In their paper, the researchers explain how they could perform OTA
   (Over-the-Air) denial of service, code execution, extract network
   passwords, and read sensitive data on chipsets from Broadcom, Cypress,
   and Silicon Labs.
   CVEs reserved for the particular threat model. CVEs reserved for the
   particular threat model.
   Source: Arxiv.org

   These vulnerabilities were assigned the following CVEs:
     * CVE-2020-10368: WiFi unencrypted data leak (architectural)
     * CVE-2020-10367: Wi-Fi code execution (architectural)
     * CVE- 2019-15063: Wi-Fi denial of service (protocol)
     * CVE-2020-10370: Bluetooth denial of service (protocol)
     * CVE-2020-10369: Bluetooth data leak (protocol)
     * CVE-2020-29531: WiFi denial of service (protocol)
     * CVE-2020-29533: WiFi data leak (protocol)
     * CVE-2020-29532: Bluetooth denial of service (protocol)
     * CVE-2020-29530: Bluetooth data leak (protocol)

   Some of the above flaws can only be fixed by a new hardware revision,
   so firmware updates cannot patch all the identified security problems.

   For example, flaws that rely on physical memory sharing cannot be
   addressed by security updates of any kind.

   In other cases, mitigating security issues such as packet timing and
   metadata flaws would result in severe packet coordination performance
   drops.

Impact and remediation

   The researchers looked into chips made by Broadcom, Silicon Labs, and
   Cypress, which are found inside billions of electronic devices.

   All flaws have been responsibly reported to the chip vendors, and some
   have released security updates where possible.

   Many though haven't addressed the security problems, either due to no
   longer supporting the affected products or because a firmware patch is
   practically infeasible.
   Devices tested by the researchers against CVE-2020-10368 and
   CVE-2020-10367 Devices tested by the researchers against CVE-2020-10368
   and CVE-2020-10367
   Source: Arxiv.org

   As of November 2021, more than two years after reporting the first
   coexistence bug, coexistence attacks, including code execution, still
   work on up-to-date Broadcom chips. Again, this highlights how hard
   these issues are to fix in practice.

   Cypress released some fixes in June 2020 and updated the status in
   October as follows:
     * They claim that the shared RAM feature causing code execution has
       only been "enabled by development tools for testing mobile phone
       platforms." They plan to remove stack support for this in the
       future.
     * The keystroke information leakage is remarked as solved without a
       patch because "keyboard packets can be identified through other
       means."
     * DoS resistance is not yet resolved but is in development. For this,
       "Cypress plans to implement a monitor feature in the WiFi and
       Bluetooth stacks to enable a system response to abnormal traffic
       patterns."

   According to the researchers, though, fixing the identified issues has
   been slow and inadequate, and the most dangerous aspect of the attack
   remains largely unfixed.

     "Over-the-air attacks via the Bluetooth chip, is not mitigated by
     current patches. Only the interface Bluetooth daemon→Bluetooth chip
     is hardened, not the shared RAM interface that enables Bluetooth
     chip→WiFi chip code execution. It is important to note that the
     daemon→chip interface was never designed to be secure against
     attacks." - [16]reads the technical paper.

     "For example, the initial patch could be bypassed with a UART
     interface overflow (CVE-2021-22492) in the chip's firmware until a
     recent patch, which was at least applied by Samsung in January 2021.
     Moreover, while writing to the Bluetooth RAM via this interface has
     been disabled on iOS devices, the iPhone 7 on iOS 14.3 would still
     allow another command to execute arbitrary addresses in RAM."

   Bleeping Computer has reached out to all vendors and asked for a
   comment on the above, and we will update this post as soon as we hear
   back.

   In the meantime, and for as long as these hardware-related issues
   remain unpatched, users are advised to follow these simple protection
   measures:
     * Delete unnecessary Bluetooth device pairings,
     * Remove unused WiFi networks from the settings
     * Use cellular instead of WiFi in public spaces.

   As a final note, we would say that patching responses favor the more
   recent device models, so upgrading to a newer gadget that the vendor
   actively supports is always a good idea from the perspective of
   security.

Related Articles:

   [17]Nine WiFi routers used by millions were vulnerable to 226 flaws

   [18]Hackers start pushing malware in worldwide Log4Shell attacks

   [19]Log4j: List of vulnerable products and vendor advisories

   [20]New ransomware now being deployed in Log4Shell attacks

   [21]Microsoft December 2021 Patch Tuesday fixes 6 zero-days, 67 flaws

     * [22]BLUETOOTH
     *
     * [23]CHIPS
     *
     * [24]SECURITY
     *
     * [25]SMARTPHONE
     *
     * [26]VULNERABILITY
     *
     * [27]WIFI


     *
     *
     *
     *
     *


     *
     *
     *


[28]BILL TOULAS

   Bill Toulas is a technology writer and infosec news reporter with over
   a decade of experience working on various online publications. An open
   source advocate and Linux enthusiast, is currently finding pleasure in
   following hacks, malware campaigns, and data breach incidents, as well
   as by exploring the intricate ways through which tech is swiftly
   transforming our lives.

     * [29] PREVIOUS ARTICLE
     * [30]NEXT ARTICLE

Comments

     * Wallak Photo

[31]Wallak - 2 days ago
          +
          +
          +
       Nah!!! Use ethernet conection (or better, disconnect from the net,
       hahaha) ... forget about firmware updates... and forget about
       security on wireless communications, they will always be a nice lab
       to explore and explode, communication systems have never been
       designed thinking on their security.

Post a Comment[32]Community Rules

You need to login in order to post a comment

   Login

   Not a member yet? [33]Register Now

You may also like:

   [INS: [INS: [INS: :INS] :INS] :INS]

                [34][Bleeping_Computer_CIR_Nov_2021-opt.gif]

   POPULAR STORIES
     * Log4J
       Log4j: List of vulnerable products and vendor advisories
     * Micosoft Exchange
       Hackers steal Microsoft Exchange credentials using IIS module

NEWSLETTER SIGN UP

   To receive periodic updates and news from [35]BleepingComputer, please
   use the form below.
   ____________________
   Submit

NEWSLETTER SIGN UP

   ____________________
   Submit
     * Follow us:
     *
     *
     *
     *
     *
     *
     *
     *

MAIN SECTIONS

     * [36]News
     * [37]Downloads
     * [38]Virus Removal Guides
     * [39]Tutorials
     * [40]Startup Database
     * [41]Uninstall Database
     * [42]File Database
     * [43]Glossary

COMMUNITY

     * [44]Forums
     * [45]Forum Rules
     * [46]Chat

USEFUL RESOURCES

     * [47]Welcome Guide
     * [48]Sitemap

COMPANY

     * [49]About BleepingComputer
     * [50]Contact Us
     * [51]Send us a Tip!
     * [52]Advertising
     * [53]Write for BleepingComputer
     * [54]Social & Feeds
     * [55]Changelog

   [56]Terms of Use - [57]Privacy Policy - [58]Ethics Statement

   Copyright @ 2003 - 2021 [59]Bleeping Computer® LLC - All Rights
   Reserved

     [INS: [INS: [INS: :INS] :INS] [INS: :INS] :INS]

References

   Visible links
   1. https://www.bleepingcomputer.com/
   2. https://www.bleepingcomputer.com/
   3. https://www.bleepingcomputer.com/download/
   4. https://www.bleepingcomputer.com/virus-removal/
   5. https://www.bleepingcomputer.com/tutorials/
   6. https://deals.bleepingcomputer.com/
   7. https://www.bleepingcomputer.com/forums/
   8. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
   9. https://www.bleepingcomputer.com/
  10. https://www.bleepingcomputer.com/news/
  11. https://www.bleepingcomputer.com/news/security/
  12. https://www.bleepingcomputer.com/author/bill-toulas/
  13. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/#comments
  14. https://www.bleepingcomputer.com/news/technology/aws-down-again-outage-impacts-twitch-zoom-psn-hulu-others/?traffic_source=Connatix
  15. https://www.bleepingcomputer.com/news/security/zephyr-rtos-fixes-bluetooth-bugs-that-may-lead-to-code-execution/
  16. https://arxiv.org/pdf/2112.05719.pdf
  17. https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-millions-were-vulnerable-to-226-flaws/
  18. https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/
  19. https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
  20. https://www.bleepingcomputer.com/news/security/new-ransomware-now-being-deployed-in-log4shell-attacks/
  21. https://www.bleepingcomputer.com/news/microsoft/microsoft-december-2021-patch-tuesday-fixes-6-zero-days-67-flaws/
  22. https://www.bleepingcomputer.com/tag/bluetooth/
  23. https://www.bleepingcomputer.com/tag/chips/
  24. https://www.bleepingcomputer.com/tag/security/
  25. https://www.bleepingcomputer.com/tag/smartphone/
  26. https://www.bleepingcomputer.com/tag/vulnerability/
  27. https://www.bleepingcomputer.com/tag/wifi/
  28. https://www.bleepingcomputer.com/author/bill-toulas/
  29. https://www.bleepingcomputer.com/news/security/ukraine-arrests-51-for-selling-data-of-300-million-people-in-us-eu/
  30. https://www.bleepingcomputer.com/news/security/attackers-can-get-root-by-crashing-ubuntu-s-accountsservice/
  31. https://www.bleepingcomputer.com/forums/u/951092/wallak/
  32. https://www.bleepingcomputer.com/posting-guidelines/
  33. https://www.bleepingcomputer.com/forums/index.php?app=core&module=global&section=register
  34. https://www.bleepingcomputer.com/go/18/
  35. https://www.bleepingcomputer.com/
  36. https://www.bleepingcomputer.com/
  37. https://www.bleepingcomputer.com/download/
  38. https://www.bleepingcomputer.com/virus-removal/
  39. https://www.bleepingcomputer.com/tutorials/
  40. https://www.bleepingcomputer.com/startups/
  41. https://www.bleepingcomputer.com/uninstall/
  42. https://www.bleepingcomputer.com/filedb/
  43. https://www.bleepingcomputer.com/glossary/
  44. https://www.bleepingcomputer.com/forums/
  45. https://www.bleepingcomputer.com/forum-rules/
  46. https://www.bleepingcomputer.com/forums/t/730914/the-bleepingcomputer-official-discord-chat-server-come-join-the-fun/
  47. https://www.bleepingcomputer.com/welcome-guide/
  48. https://www.bleepingcomputer.com/sitemap/
  49. https://www.bleepingcomputer.com/about/
  50. https://www.bleepingcomputer.com/contact/
  51. https://www.bleepingcomputer.com/news-tip/
  52. https://www.bleepingcomputer.com/advertise/
  53. https://www.bleepingcomputer.com/write-for-bleepingcomputer/
  54. https://www.bleepingcomputer.com/rss-feeds/
  55. https://www.bleepingcomputer.com/changelog/
  56. https://www.bleepingcomputer.com/terms-of-use/
  57. https://www.bleepingcomputer.com/privacy/
  58. https://www.bleepingcomputer.com/ethics-statement/
  59. https://www.bleepingcomputer.com/

   Hidden links:
  61. https://www.facebook.com/BleepingComputer
  62. https://twitter.com/BleepinComputer
  63. https://www.youtube.com/user/BleepingComputer
  64. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
  65. https://www.bleepingcomputer.com/news/technology/aws-down-again-outage-impacts-twitch-zoom-psn-hulu-others/?traffic_source=Connatix
  66. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
  67. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
  68. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
  69. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
  70. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
  71. https://www.bleepingcomputer.com/author/bill-toulas/
  72. mailto:bill.toulas@bleepingcomputer.com
  73. https://twitter.com/billtoulas
  74. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
  75. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/#cid21935
  76. https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/
  77. https://www.bleepingcomputer.com/news/security/hackers-steal-microsoft-exchange-credentials-using-iis-module/
  78. https://www.facebook.com/BleepingComputer
  79. https://twitter.com/BleepinComputer
  80. https://www.youtube.com/user/BleepingComputer
  81. https://www.bleepingcomputer.com/feed/
  82. https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/