Billions of WiFi chips vulnerable to code execution via Bluetooth component

Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab have published a paper showing that it is possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device's Bluetooth component.

Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation.

However, these components often share the same resources, such as the antenna or wireless spectrum.

This resource sharing aims to make the SoCs more energy-efficient and give them higher throughput and lower latency in communications.

As the researchers detail in the recently published paper, it is possible to use these shared resources as bridges for launching lateral privilege escalation attacks across wireless chip boundaries.

The implications of these attacks include code execution, memory readout, and denial of service.

Resource sharing diagram of Google Nexus 5 (Source: Arxiv.org)

Multiple flaws in architecture and protocol

To exploit these vulnerabilities, the researchers first needed to perform code execution on either the Bluetooth or WiFi chip. While this is not very common, remote code execution vulnerabilities affecting Bluetooth and WiFi have been discovered in the past.

Once the researchers achieved code execution on one chip, they could perform lateral attacks on the device's other chips using shared memory resources.

In their paper, the researchers explain how they could perform OTA (Over-the-Air) denial of service and code execution, extract network passwords, and read sensitive data on chipsets from Broadcom, Cypress, and Silicon Labs.

CVEs reserved for the particular threat model (Source: Arxiv.org)

These vulnerabilities were assigned the following CVEs:

  • CVE-2020-10368: WiFi unencrypted data leak (architectural)
  • CVE-2020-10367: Wi-Fi code execution (architectural)
  • CVE-2019-15063: Wi-Fi denial of service (protocol)
  • CVE-2020-10370: Bluetooth denial of service (protocol)
  • CVE-2020-10369: Bluetooth data leak (protocol)
  • CVE-2020-29531: WiFi denial of service (protocol)
  • CVE-2020-29533: WiFi data leak (protocol)
  • CVE-2020-29532: Bluetooth denial of service (protocol)
  • CVE-2020-29530: Bluetooth data leak (protocol)

Some of the above flaws can only be fixed by a new hardware revision, so firmware updates cannot patch all the identified security problems.

Read more: https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/