Researchers from the Technical University of Darmstadt’s Secure Mobile Networking Lab and the University of Brescia have published a new paper warning about a coexistence flaw, Spectra, that affects WiFi/Bluetooth combo chips. The vulnerability can let attackers execute code on the WiFi chip.
WiFi and Bluetooth share the same components
The details were shared with vendors two years ago, but the flaw remains
In modern devices such as mobile phones, the wireless connectivity components are shared, even though Bluetooth and WiFi may be separate blocks on the SoC. Bluetooth and WiFi use the same radio spectrum and shared antennas, so the two have to communicate with each other to do their jobs seamlessly. That’s why they are hardwired to each other for constant communication.
The vulnerability is found in systems that use such wireless coexistence mechanisms, which are widely deployed. The researchers say that an attacker who controls one wireless chip can escalate their privileges into the other wireless chip via the hardwired interface mentioned above. The Spectra vulnerability relies on the fact that transmissions happen in the same spectrum and the wireless chips need to arbitrate channel access.
Denial of service and code execution
Attackers using this flaw can make both WiFi and Bluetooth use the same spectrum to break the separation between them. As a result, there is a denial of service on spectrum access. In addition, by using the Bluetooth chip, attackers can perform lateral privilege escalation to execute code on the WiFi chip. The WiFi chip also holds the current WiFi connection credentials, which can be accessed with the flaw.
It is also possible to take control of the WiFi chip to observe Bluetooth packets. In that case, attackers can see the keys pressed on Bluetooth-connected keyboards.
The researchers stated that the first attack scenarios were reported to the vendors in August 2019, but the flaw remains unpatched. It appears on Broadcom and Cypress wireless combo chips, which are found in hundreds of millions of devices, including iPhones, MacBooks, and Samsung Galaxy S series phones.