
Billions of Wi-Fi chips exposed to data leakage and traffic manipulation through coexistence attacks

Introduction

Recently, a team of researchers from the Technical University of Darmstadt, the University of Brescia, CNIT and the Secure Mobile Networking Lab (SEEMOO) disclosed security vulnerabilities in Wi-Fi chips that can be exploited from the same device's Bluetooth component to extract Wi-Fi passwords and manipulate traffic on the Wi-Fi chip.

Details

According to the research paper published by the team, modern mobile devices use separate wireless chips to handle technologies such as Bluetooth, Wi-Fi and LTE. To make the device more efficient, these chips share components and resources, for example the same antenna or the same part of the radio spectrum, which reduces energy consumption and communication latency. The researchers show that the very mechanisms used to coordinate these shared resources across chip boundaries can be abused for lateral privilege escalation from one wireless chip to another.

The paper demonstrates lateral privilege escalation from a Bluetooth chip to code execution on the Wi-Fi chip. Because the Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, this gives an attacker access to further sensitive information. Moreover, an attacker can execute code on the Wi-Fi chip even when it is not connected to any wireless network. In the opposite direction, the researchers were able to observe Bluetooth packet types from the Wi-Fi chip. This reveals the timing of keystrokes on a Bluetooth keyboard, from which the text typed on the keyboard can be reconstructed. The researchers demonstrated practical coexistence attacks on Broadcom, Cypress and Silicon Labs chips deployed in billions of devices.
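To make the keyboard side channel concrete, here is an added example of the second stage of such an attack: turning observed Bluetooth packet timings into a ranked guess of the typed word. This is illustrative code written for this article, not code from the paper or its authors. Everything in it is constructed: the event list standing in for what the Wi-Fi side observes, the `hid`/`poll` packet-type labels, the per-digraph Gaussian timing model and the small candidate dictionary are hypothetical values chosen so the example runs offline. A real attacker would have to train the timing model on the target keyboard type and would face far noisier observations.

```python
"""Keystroke-timing inference from Bluetooth packet timings observed on a
co-located Wi-Fi chip.  Added illustration; all data below is constructed."""
import math
from statistics import NormalDist

# Constructed observations: (timestamp in ms, packet-type hint).  The model
# is that the Wi-Fi chip sees when the Bluetooth chip claims the shared
# medium and learns a coarse packet type from the coexistence metadata.
# Entries tagged "poll" simulate unrelated link traffic, not keystrokes.
OBSERVED_EVENTS = [
    (0.0, "hid"),
    (25.0, "poll"),
    (180.0, "hid"),
    (205.0, "poll"),
    (330.0, "hid"),
    (355.0, "poll"),
    (480.0, "hid"),
]

# Constructed per-digraph model of inter-keystroke latency: (mean ms, stddev ms).
# Hypothetical numbers; a real model would be trained on the same keyboard type.
DIGRAPH_MODEL = {
    ("p", "a"): (180.0, 20.0),
    ("a", "s"): (150.0, 20.0),
    ("s", "s"): (150.0, 20.0),
    ("p", "o"): (240.0, 20.0),
    ("o", "s"): (170.0, 20.0),
    ("s", "t"): (120.0, 20.0),
    ("a", "t"): (190.0, 20.0),
    ("t", "s"): (130.0, 20.0),
}
DEFAULT_MODEL = (200.0, 60.0)  # fallback for digraphs missing from the model

# Constructed candidate dictionary of the right length.
CANDIDATES = ["pass", "post", "past", "pats"]


def keystroke_times(events):
    """Keep only events whose coexistence metadata marks HID-sized packets."""
    return [t for t, kind in events if kind == "hid"]


def keystroke_gaps(events):
    """Inter-keystroke intervals in ms, the raw side-channel signal."""
    times = keystroke_times(events)
    return [b - a for a, b in zip(times, times[1:])]


def log_likelihood(word, gaps):
    """Log-likelihood of `word` having produced `gaps` under the timing model."""
    if len(word) != len(gaps) + 1:
        return -math.inf  # wrong length: cannot explain this many keystrokes
    total = 0.0
    for (a, b), gap in zip(zip(word, word[1:]), gaps):
        mu, sigma = DIGRAPH_MODEL.get((a, b), DEFAULT_MODEL)
        total += math.log(NormalDist(mu, sigma).pdf(gap))
    return total


def rank_candidates(events, candidates=CANDIDATES):
    """Return candidate words, most likely first, given the observed events."""
    gaps = keystroke_gaps(events)
    scored = sorted(((log_likelihood(w, gaps), w) for w in candidates), reverse=True)
    return [w for _, w in scored]


if __name__ == "__main__":
    print("keystroke gaps (ms):", keystroke_gaps(OBSERVED_EVENTS))
    print("ranked guesses:", rank_candidates(OBSERVED_EVENTS))
```

The interesting part for defenders is that the attacker never sees key codes: the inference runs purely on when HID-sized Bluetooth packets were transmitted, which is exactly the kind of timing and packet-type metadata the researchers say cannot be hidden from the neighbouring chip without hurting coexistence performance.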

With these practical coexistence attacks, the researchers achieved code execution on the Wi-Fi chip, memory readout and denial of service. In their attack scenarios, they first obtain code execution on either the Bluetooth or the Wi-Fi chip, and then use the shared memory and other shared resources to move laterally to the other chip on the same device.

An attacker can obtain that initial code execution by exploiting unpatched or new security issues over the air, or by abusing the local operating system's firmware update mechanism. The researchers' paper includes a table listing the attack types associated with each of the vulnerabilities they found.

The researchers point out that some of the vulnerabilities they found cannot be fixed without changing the hardware design.

"Some issues can only be patched by releasing a new hardware version. For example, a new firmware version does not physically remove shared memory from the chip, nor does it adjust for arbitrary jitter in the serial protocol. In addition, some packet timing and metadata cannot be dropped without affecting packet coordination performance."

The researchers shared their findings with chip vendors, some of which have already addressed these issues. Still, the researchers say the pace of fixing identified problems has been slow and inadequate, and the most dangerous aspects of the attack remain largely uncorrected.

While the code execution vulnerabilities are rooted in the architecture of particular chips and required substantial reverse-engineering effort to find, the more widely applicable denial-of-service (DoS) and information disclosure attacks can be derived directly from the publicly available coexistence specifications. Wireless coexistence therefore enables a new escalation strategy that travels over hardwired inter-chip interfaces. Because the attack vector sits directly between the chips, it bypasses the main operating system entirely. A complete fix would require a redesign of the chips, and the firmware fixes released so far are incomplete.

Note: This article is reported by E Security Compilation.
