fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Bugs in Billions of WiFi, Bluetooth Chips Allow Password, Data Theft

Bugs in Billions of WiFi, Bluetooth Chips Allow Password, Data Theft

Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves it’s possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device’s Bluetooth component.

Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation.

However, these components often share the same resources, such as the antenna or wireless spectrum.

This resource sharing aims to make the SoCs more energy-efficient and give them higher throughput and low latency in communications.

As the researchers detail in the recently published paper, it is possible to use these shared resources as bridges for launching lateral privilege escalation attacks across wireless chip boundaries.

The implications of these attacks include code execution, memory readout, and denial of service.

Also Read: Do Not Call Registry Penalty: Important Tips To Consider

Resource sharing diagram of Google Nexus 5
Resource sharing diagram of Google Nexus 5
Source: Arxiv.org

Multiple flaws in architecture and protocol

To exploit these vulnerabilities, the researchers first needed to perform code execution on either the Bluetooth or WiFi chip. While this is not very common, remote code execution vulnerabilities affecting Bluetooth and WiFi have been discovered in the past.

Once the researchers achieved code execution on one chip, they could perform lateral attacks on the device’s other chips using shared memory resources.

In their paper, the researchers explain how they could perform OTA (Over-the-Air) denial of service, code execution, extract network passwords, and read sensitive data on chipsets from Broadcom, Cypress, and Silicon Labs.

CVEs reserved for the particular threat model.
CVEs reserved for the particular threat model.
Source: Arxiv.org

These vulnerabilities were assigned the following CVEs:

  • CVE-2020-10368: WiFi unencrypted data leak (architectural)
  • CVE-2020-10367: Wi-Fi code execution (architectural)
  • CVE- 2019-15063: Wi-Fi denial of service (protocol)
  • CVE-2020-10370: Bluetooth denial of service (protocol)
  • CVE-2020-10369: Bluetooth data leak (protocol)
  • CVE-2020-29531: WiFi denial of service (protocol)
  • CVE-2020-29533: WiFi data leak (protocol)
  • CVE-2020-29532: Bluetooth denial of service (protocol)
  • CVE-2020-29530: Bluetooth data leak (protocol)

Some of the above flaws can only be fixed by a new hardware revision, so firmware updates cannot patch all the identified security problems.

Also Read: Facts About Accountability PDF That You Need to Know About

For example, flaws that rely on physical memory sharing cannot be addressed by security updates of any kind.

In other cases, mitigating security issues such as packet timing and metadata flaws would result in severe packet coordination performance drops.

Impact and remediation

The researchers looked into chips made by Broadcom, Silicon Labs, and Cypress, which are found inside billions of electronic devices.

All flaws have been responsibly reported to the chip vendors, and some have released security updates where possible. 

Many though haven’t addressed the security problems, either due to no longer supporting the affected products or because a firmware patch is practically infeasible.

Devices tested by the researchers against CVE-2020-10368 and CVE-2020-10367
Devices tested by the researchers against CVE-2020-10368 and CVE-2020-10367
Source: Arxiv.org

As of November 2021, more than two years after reporting the first coexistence bug, coexistence attacks, including code execution, still work on up-to-date Broadcom chips. Again, this highlights how hard these issues are to fix in practice.

Cypress released some fixes in June 2020 and updated the status in October as follows:

  • They claim that the shared RAM feature causing code execution has only been “enabled by development tools for testing mobile phone platforms.” They plan to remove stack support for this in the future.
  • The keystroke information leakage is remarked as solved without a patch because “keyboard packets can be identified through other means.”
  • DoS resistance is not yet resolved but is in development. For this, “Cypress plans to implement a monitor feature in the WiFi and Bluetooth stacks to enable a system response to abnormal traffic patterns.”

According to the researchers, though, fixing the identified issues has been slow and inadequate, and the most dangerous aspect of the attack remains largely unfixed.

“Over-the-air attacks via the Bluetooth chip, is not mitigated by current patches. Only the interface Bluetooth daemon→Bluetooth chip is hardened, not the shared RAM interface that enables Bluetooth chip→WiFi chip code execution. It is important to note that the daemon→chip interface was never designed to be secure against attacks.” – reads the technical paper.

“For example, the initial patch could be bypassed with a UART interface overflow (CVE-2021-22492) in the chip’s firmware until a recent patch, which was at least applied by Samsung in January 2021. Moreover, while writing to the Bluetooth RAM via this interface has been disabled on iOS devices, the iPhone 7 on iOS 14.3 would still allow another command to execute arbitrary addresses in RAM.”

Bleeping Computer has reached out to all vendors and asked for a comment on the above, and we will update this post as soon as we hear back.

In the meantime, and for as long as these hardware-related issues remain unpatched, users are advised to follow these simple protection measures: 

  • Delete unnecessary Bluetooth device pairings,
  • Remove unused WiFi networks from the settings
  • Use cellular instead of WiFi in public spaces.

As a final note, we would say that patching responses favor the more recent device models, so upgrading to a newer gadget that the vendor actively supports is always a good idea from the perspective of security.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us