Cybersecurity researchers from Darmstadt University of Technology, together with colleagues from the Secure Mobile Networking Lab, University of Brescia and CNIT, have uncovered multiple security flaws in WiFi chips that can be abused to extract passwords and manipulate traffic on a WiFi chip via the device's Bluetooth component.
According to the research paper published by the experts, modern mobile devices have a chip with separate components for Bluetooth, Wi-Fi, and LTE, each with its own dedicated security implementation. However, these components usually share resources such as the antenna or the wireless spectrum to improve efficiency, minimizing energy consumption and communication latency.
The shared resources of wireless modules can be used by attackers as bridges to perform privilege escalation attacks across wireless chip boundaries, the researchers explained.
“This paper demonstrates lateral privilege escalations from a Bluetooth chip to code execution on a Wi-Fi chip. The WiFi chip encrypts network traffic and holds the current WiFi credentials, thereby providing the attacker with further information,” reads the article released by cybersecurity experts.
“Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network. In the opposite direction, we observe Bluetooth packet types from a Wi-Fi chip. This allows determining keystroke timings on Bluetooth keyboards, which can allow reconstructing texts entered on the keyboard.”
To test the vulnerabilities, the researchers performed practical coexistence attacks on Broadcom, Cypress, and Silicon Labs chips deployed in billions of devices. The demonstration allowed the researchers to achieve WiFi code execution, memory readout, and denial of service.
In total, the researchers identified nine different flaws. Some can be patched with firmware updates, while others can only be fixed with new hardware revisions, which leaves billions of existing devices at risk of potential attacks. Attackers can execute code by exploiting an unpatched or new security issue over the air or by abusing the local OS firmware update mechanism.
“Some issues can only be patched by releasing a new hardware revision. For example, a new firmware version will not physically remove shared memory from a chip or adjust for arbitrary jitter in a serial protocol. Moreover, some packet timing and metadata cannot be removed without negatively impacting packet coordination performance,” the researchers added.
All nine flaws are tracked under the following identifiers:
CVE-2020-10368: WiFi unencrypted data leak (architecture)
CVE-2020-10367: Wi-Fi code execution (architecture)
CVE-2019-15063: Wi-Fi denial of service (protocol)
CVE-2020-10370: Bluetooth denial of service (protocol)
CVE-2020-10369: Bluetooth data leak (protocol)
CVE-2020-29531: WiFi denial of service (protocol)
CVE-2020-29533: WiFi data leak (protocol)
CVE-2020-29532: Bluetooth denial of service (protocol)
CVE-2020-29530: Bluetooth data leak (protocol)
The researchers have reported their findings to the chip vendors, and some of them have already patched the security loopholes. However, many have not fixed these security bugs, either because the affected products are no longer supported or because the issue cannot be fixed in firmware.