New ‘Spectra’ attack breaks the separation between Wi-Fi and Bluetooth
Academics from Germany and Italy say they developed a new practical attack that breaks the separation between Wi-Fi and Bluetooth technologies running on the same device, such as laptops, smartphones, and tablets.
Called Spectra, this attack works against “combo chips,” specialized chips that handle multiple types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, LTE, and others.
“Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum, and wireless chips need to arbitrate the channel access,” the research team said today in a short abstract detailing an upcoming Black Hat talk.
More specifically, the Spectra attack takes advantage of the coexistence mechanisms that chipset vendors build into their combo chips. These mechanisms let the chip switch between wireless technologies at a rapid pace so that they can share the same spectrum.
Researchers say that while these coexistence mechanisms improve performance, they also open the door to side-channel attacks, allowing an attacker who controls one wireless technology to infer details about the other wireless technologies the combo chip supports.
Jiska Classen, from the Darmstadt Technical University, and Francesco Gringoli, from the University of Brescia, say they are the first research team to explore the possibility of breaking this coexistence barrier on combo chips.
“We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series,” the two said.
“We exploit coexistence in Broadcom and Cypress chips and break the separation between Wi-Fi and Bluetooth, which operate on separate ARM cores.”
Exploiting Spectra requires attacking a combo chip with malformed wireless traffic, and then attacking the chip interface between the two technologies.
The outcome depends on the chip and the scenario, but the research team says several distinct results are possible following a Spectra attack.
“In general, denial-of-service on spectrum access is possible. The associated packet meta information allows information disclosure, such as extracting Bluetooth keyboard press timings within the Wi-Fi D11 core,” Classen and Gringoli say.
“Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. This makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus, tremendously increasing the attack surface.”
Furthermore, even though the researchers analyzed only Broadcom and Cypress chips for their work, Classen and Gringoli say that combo chips from other manufacturers are most likely vulnerable to Spectra attacks as well.
Additional technical details about the attack have not yet been made public. The research team plans to provide a technical rundown during a virtual session at the Black Hat security conference in August.
An academic paper detailing the Spectra attack in greater depth will be released at the same time.