Cybersecurity researchers have demonstrated a new attack technique that makes it possible to leverage a device’s Bluetooth component to directly extract network passwords and manipulate traffic on a Wi-Fi chip.
The novel attacks work against the so-called “combo chips,” which are specialized chips that are equipped to handle different types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, and LTE.
“We provide empirical evidence that coexistence, i.e., the coordination of cross-technology wireless transmissions, is an unexplored attack surface,” a group of researchers from the Technical University of Darmstadt’s Secure Mobile Networking Lab and the University of Brescia said in a new paper.
“Instead of escalating directly into the mobile [operating system], wireless chips can escalate their privileges into other wireless chips by exploiting the same mechanisms they use to arbitrate their access to the resources they share, i.e., the transmitting antenna and the wireless medium.”
Coexistence refers to a mechanism wherein Bluetooth, Wi-Fi, and LTE share the same components and resources — e.g., antenna or wireless spectrum — necessitating that these communication standards coordinate the spectrum access to avoid collisions when operating in the same frequency. Chipset vendors use this principle to allow Wi-Fi and Bluetooth to operate virtually concurrently.
While these combo wireless chips are key to high-performance spectrum sharing, coexistence interfaces also pose a side-channel risk as demonstrated by the same set of researchers at the Black Hat security conference last year, effectively permitting a malicious party to glean details from other wireless technologies supported by the combo chip.
Dubbed “Spectra,” the vulnerability class banks on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. This breaks the separation between Wi-Fi and Bluetooth to result in denial-of-service on spectrum access, information disclosure, and even enable lateral privilege escalations from a Bluetooth chip to code execution on a Wi-Fi chip.
“The Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, thereby providing the attacker with further information,” the researchers said. “Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network.”
In addition, the researchers found that it’s possible for an adversary with control over the Wi-Fi core to observe Bluetooth packets, which, in turn, allows determining keystroke timings on Bluetooth keyboards, ultimately granting the attacker the ability to reconstruct text entered using the keyboard.
While some of the attack scenarios were first reported to the vendors as early as August 2019, the coexistence flaws continue to remain unpatched on Broadcom SoCs to date.
“As of November 2021, more than two years after reporting the first coexistence bug, coexistence attacks, including code execution, still work on up-to-date Broadcom chips,” the academics said. “This highlights how hard these issues are to fix in practice.”
To minimize the risk of such wireless attacks, it’s recommended that users remove unnecessary Bluetooth pairings, delete unused Wi-Fi networks, and restrict to using cellular instead of Wi-Fi at public spaces.
“Cellular data plans got more affordable during recent years and cellular network coverage increased,” the researchers concluded. “Disabling Wi-Fi by default and only enabling it when using trusted networks can be considered a good security practice, even if cumbersome.”