15-12-2021 | By Robin Mitchell
Recently, researchers have discovered a flaw that could see billions of devices worldwide vulnerable to attack. What vulnerability exists, is there a fix, and why are hardware bugs hard to defend against?
Researchers discover vulnerabilities in billions of wireless SoCs
Recently, researchers from the University of Darmstadt have published a paper on a number of security vulnerabilities that could affect billions of devices worldwide. The new list of vulnerabilities affects wireless SoCs that combines a Wi-Fi and Bluetooth module into a single package and take advantage of shared resources between the two processors.
Devices that use Bluetooth and Wi-Fi generally incorporate a variety of security measures to ensure that they are protected from remote attacks, including encryption, random number generation, and real-time process monitoring. However, the new attacks outlined by the researchers take advantage of the lack of hardware security found on many popular SoCs and can be used to obtain private data, including Wi-Fi keys, and allow for remote code execution.
Simply put, many SoCs that combine Wi-Fi and Bluetooth will utilise shared resources between the two modules for the sake of cost and hardware simplicity. Furthermore, shared resources can allow for a single external processor to access both resources without switching between hardware.
Taking advantage of shared resources between the two units, the researchers were able to gain access to one of the units (generally the Bluetooth module) and then have it store arbitrary code in RAM. As this RAM is shared with the Wi-Fi module, the researchers were able to execute this code in the Wi-Fi module, essentially bypassing all security measures that prevent remote code execution. The researchers also used the same technique to execute a denial-of-service attack and extract information from the Wi-Fi module (and vice versa).
The complete named list for the vulnerabilities are as such
- CVE-2020-10368: WiFi unencrypted data leak (architectural)
- CVE-2020-10367: Wi-Fi code execution (architectural)
- CVE- 2019-15063: Wi-Fi denial of service (protocol)
- CVE-2020-10370: Bluetooth denial of service (protocol)
- CVE-2020-10369: Bluetooth data leak (protocol)
- CVE-2020-29531: Wi-Fi denial of service (protocol)
- CVE-2020-29533: Wi-Fi data leak (protocol)
- CVE-2020-29532: Bluetooth denial of service (protocol)
- CVE-2020-29530: Bluetooth data leak (protocol)
Is there a fix for such attacks?
Devices affected by this vulnerability include those produced by Broadcom, Cypress, and Silicon Labs. The researchers need to remotely execute code on one of the two modules for the attack to be successful. The researchers demonstrated that many modules currently on the market are still vulnerable to remote code execution attacks.
This security announcement is different because the researchers were able to arbitrarily execute code on a separate module that wasn't the target of the initial attack and take advantage of resource sharing. This can make it very difficult for hardware security systems to detect as code is injected into memory from an authorised controller.
As vulnerabilities that relate to hardware bugs such as resource sharing are unlikely to be fixable with any kind of update, it is essential that devices use the latest firmware with the hope that software security systems can detect arbitrary code. In this case, it appears that the two architectural bugs discovered are unfixable, but the protocol related bugs may be fixable via protocol changes.
Why are hardware bugs difficult to defend against?
Hardware bugs are difficult to fix fundamentally because they are existing hardware. While software systems can be updated and rewritten, trying to update hardware is next to impossible.
Another factor that makes hardware bugs particularly problematic is that because the hardware itself exists in the physical realm, once a billion devices have been sold on the market, it is very difficult to try and recall these devices. Some devices may be owned by individuals who do not perform security audits (such as most homeowners), while others may be in critical infrastructure that cannot be easily removed and replaced.
This inability to update hardware presents a strong argument for future devices based on programmable hardware such as FPGAs and CPLDs. Such hardware can be reprogrammed and altered to allow changes in the fundamental architecture of a design should a bug be discovered.