Researchers from Darmstadt University of Technology, together with colleagues from the Secure Mobile Networking Lab and several other European organizations, have published a paper demonstrating that passwords can be extracted and traffic manipulated by exploiting vulnerabilities in Wi-Fi and Bluetooth chips.
Modern consumer devices such as smartphones and tablets are built around systems-on-chip (SoCs) with separate Bluetooth, Wi-Fi and LTE modules, each with its own security implementation. These components usually share resources such as the antenna or the frequency spectrum. This sharing lets designers make the SoC more energy efficient, increase throughput and reduce transmission latency.
The researchers state that these shared resources can be used by attackers as bridges for privilege escalation between the wireless modules. After such an attack, an attacker can remotely execute code on the target device, read data from its memory and degrade its performance.
Vulnerabilities in billions of Wi-Fi and Bluetooth units can lead to password and data theft
Such an attack first requires remote code execution on a Bluetooth or Wi-Fi module; vulnerabilities that allow this have been discovered by researchers in the past. Once code execution is achieved on one module, the shared resources of the device open the way to attacking the other components. In the course of this work, the researchers were able to cause denial of service, achieve remote code execution, and extract network passwords and transmitted data.
The vulnerabilities include CVE-2020-10368 (data leakage over Wi-Fi), CVE-2020-10367 (remote code execution via the Wi-Fi module), CVE-2019-15063 (denial of service via the Wi-Fi module), CVE-2020-10370 (denial of service via the Bluetooth module) and CVE-2020-10369 (data leakage via Bluetooth), among others. Note that some of the vulnerabilities cannot be fixed by releasing software patches: those rooted in physically shared memory cannot be closed by any security update, and in other cases a software fix would degrade performance.
The researchers worked with a range of wireless chips from Broadcom, Cypress and Silicon Labs that are used in billions of devices around the world. All vulnerabilities found were reported to the vendors, and some of them have released security fixes where possible. Not all have done so, however: in some cases the support period for the affected devices has already ended, and in others the problem simply cannot be fixed with a software patch.