Cybersecurity experts have discovered new Coexistence attacks on WiFi and Bluetooth chips. According to the researchers, the bad actors can launch an attack using this technique via a device’s Bluetooth component to directly extract network passwords and manipulate traffic on a Wi-Fi chip, putting billions of electronic devices at risk.
The Coexistence attacks work against the so-called “combo chips”, these are specialized chips equipped to handle various types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, and LTE.
A group of researchers from the Technical University of Darmstadt’s Secure Mobile Networking Lab and the University of Brescia in a new paper said, “We provide empirical evidence that coexistence, i.e., the coordination of cross-technology wireless transmissions, is an unexplored attack surface. ”
They further mentioned, “Instead of escalating directly into the mobile [operating system], wireless chips can escalate their privileges into other wireless chips by exploiting the same mechanisms they use to arbitrate their access to the resources they share, i.e., the transmitting antenna and the wireless medium.”principles are commonly used by Chipset vendors to allow WiFi and Bluetooth to operate virtually concurrently. It is a mechanism that allows Bluetooth, Wi-Fi, and LTE to share the same components and resources, such as an antenna or wireless spectrum. As a result of this these communication standards coordinate the spectrum access to avoid collisions when operating in the same frequency.
These Coexistence wireless chips play a key role in high-performance spectrum sharing, they also pose a side-channel risk as demonstrated by the same set of researchers at the Black Hat security conference earlier last year. This enables a malicious party to glean details from other wireless technologies supported by the combo chip.
The vulnerability dubbed as “Spectra” banks on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. Since it breaks the separation between Wi-Fi and Bluetooth, results in denial-of-service on spectrum access and information disclosure. Additionally, it also enables lateral privilege escalations from a Bluetooth chip to code execution on a Wi-Fi chip.
The researchers further explained, “The Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, thereby providing the attacker with further information. Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network.”
The researchers further explained, “The Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, thereby providing the attacker with further information. Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network.”The researchers also discovered bad actors can also observe Bluetooth packets when in control of the WiFi core. This further enables them to determine keystroke timings on Bluetooth keyboards, resulting in them getting access to reconstruct text entered using the keyboard.
Similar attacks have been reported earlier in August 2019, though the coexistence flaws continue to remain unpatched on Broadcom SoCs to date.
According to the academics, “As of November 2021, more than two years after reporting the first coexistence bug, coexistence attacks, including code execution, still work on up-to-date Broadcom chips. This highlights how hard these issues are to fix in practice.”
To minimize the risk of such attacks users need to remove unwanted Bluetooth pairing, Delete unused Wi-Fi networks, and restrict to using cellular instead of Wi-Fi in public spaces.
The researchers concluded, “Cellular data plans got more affordable during recent years and cellular network coverage increased. Disabling Wi-Fi by default and only enabling it when using trusted networks can be considered a good security practice, even if cumbersome.”