Bugs in billions of WiFi, Bluetooth chips allow password, data theft
Security News, December 2021
Researchers at the University of Darmstadt, the University of Brescia, CNIT, and the Secure Mobile Networking Lab have published a paper showing that it is possible to extract passwords and manipulate traffic on a WiFi chip by targeting the same device's Bluetooth component.
To exploit these vulnerabilities, the researchers first needed to achieve code execution on either the Bluetooth or the WiFi chip.
Once they had code execution on one chip, they could move laterally to the device's other wireless chip through the memory resources the two chips share for coexistence.
The researchers examined chips made by Broadcom, Silicon Labs, and Cypress, which are found in billions of electronic devices.
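The shared-memory trust boundary described above, modeled as an added example that is not code from the paper or from any vendor's firmware. One flat array stands in for RAM shared between the two cores followed by memory private to the WiFi core; the descriptor layout, region sizes and function names are assumptions. The vulnerable consumer copies whatever length the (already compromised) Bluetooth side claims, spilling past its inbox into WiFi-private state, while the hardened consumer treats the shared region as untrusted input and bounds-checks the descriptor before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a coexistence interface between two cores that share
 * a RAM region (hypothetical layout, not Broadcom/Cypress firmware). */
#define SHARED_SIZE  64                        /* bytes visible to both cores */
#define DESC_SIZE    4                         /* descriptor: u16 offset, u16 len */
#define INBOX_OFF    SHARED_SIZE               /* WiFi-private copy of the payload */
#define INBOX_SIZE   16
#define HANDLER_OFF  (INBOX_OFF + INBOX_SIZE)  /* WiFi-private state right after inbox */
#define RAM_SIZE     (HANDLER_OFF + 16)        /* padding keeps the demo's overflow in-array */
#define HANDLER_OK   0x01                      /* benign value of that state byte */

/* Reset the model: zero everything, set the WiFi-private state byte. */
static void ram_reset(uint8_t *ram) {
    memset(ram, 0, RAM_SIZE);
    ram[HANDLER_OFF] = HANDLER_OK;
}

/* Bluetooth side (assumed compromised, as in the paper's attack chain) writes a
 * descriptor and payload into shared RAM. It only touches the shared region;
 * the damage comes from how the WiFi side consumes it. */
static int bt_write_msg(uint8_t *ram, uint16_t offset, uint16_t len, uint8_t fill) {
    if ((uint32_t)DESC_SIZE + offset + len > SHARED_SIZE) return -1;
    ram[0] = (uint8_t)(offset & 0xff); ram[1] = (uint8_t)(offset >> 8);
    ram[2] = (uint8_t)(len & 0xff);    ram[3] = (uint8_t)(len >> 8);
    memset(ram + DESC_SIZE + offset, fill, len);
    return 0;
}

static void read_desc(const uint8_t *ram, uint16_t *offset, uint16_t *len) {
    *offset = (uint16_t)(ram[0] | (ram[1] << 8));
    *len    = (uint16_t)(ram[2] | (ram[3] << 8));
}

/* Vulnerable consumer: trusts the length the other core wrote. A len larger
 * than INBOX_SIZE spills past the inbox into WiFi-private memory. */
static int wifi_consume_vulnerable(uint8_t *ram) {
    uint16_t offset, len;
    read_desc(ram, &offset, &len);
    memcpy(ram + INBOX_OFF, ram + DESC_SIZE + offset, len);
    return len;
}

/* Hardened consumer: shared RAM is untrusted input, so both the source range
 * and the destination size are validated before any copy happens. */
static int wifi_consume_hardened(uint8_t *ram) {
    uint16_t offset, len;
    read_desc(ram, &offset, &len);
    if (len > INBOX_SIZE) return -1;
    if ((uint32_t)DESC_SIZE + offset + len > SHARED_SIZE) return -1;
    memcpy(ram + INBOX_OFF, ram + DESC_SIZE + offset, len);
    return len;
}

/* One attack run: Bluetooth claims a 20-byte payload (inbox holds 16), WiFi
 * consumes it. Returns the consumer's verdict and the private state byte. */
static int attack(int hardened, uint8_t *state_out) {
    uint8_t ram[RAM_SIZE];
    int rc;
    ram_reset(ram);
    bt_write_msg(ram, 0, INBOX_SIZE + 4, 0xAA);
    rc = hardened ? wifi_consume_hardened(ram) : wifi_consume_vulnerable(ram);
    *state_out = ram[HANDLER_OFF];
    return rc;
}

/* WiFi-private state byte after the attack: 0xAA if it was overwritten. */
uint8_t state_after_attack(int hardened) {
    uint8_t s;
    attack(hardened, &s);
    return s;
}

/* Consumer's return code for the attack: bytes copied, or -1 if rejected. */
int verdict_after_attack(int hardened) {
    uint8_t s;
    return attack(hardened, &s);
}

int main(void) {
    printf("vulnerable: rc=%d state=0x%02x\n", verdict_after_attack(0), state_after_attack(0));
    printf("hardened:   rc=%d state=0x%02x\n", verdict_after_attack(1), state_after_attack(1));
    return 0;
}
```

The check that matters is on the consuming side: hardening the host daemon's path to the chip (the interface the quoted paper says was patched) does nothing for this channel, because the writer here is the other chip, not the host.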
"Over-the-air attacks via the Bluetooth chip are not mitigated by current patches. Only the interface Bluetooth daemon→Bluetooth chip is hardened, not the shared RAM interface that enables Bluetooth chip→WiFi chip code execution. It is important to note that the daemon→chip interface was never designed to be secure against attacks." - reads the technical paper.
"The initial patch could be bypassed with a UART interface overflow in the chip's firmware until a recent patch, which was at least applied by Samsung in January 2021. Moreover, while writing to the Bluetooth RAM via this interface has been disabled on iOS devices, the iPhone 7 on iOS 14.3 would still allow another command to execute arbitrary addresses in RAM."