
'Spectra' Cyber Attack Breaks Coexistence Between Wi-Fi and Bluetooth

Uskompuf

Staff member
Nowadays wireless technologies increasingly share spectrum. This is the case for Wi-Fi and Bluetooth, but also for some LTE bands and their harmonics. Operating on the same frequency means that these different technologies need to coordinate wireless spectrum access to avoid collisions. Especially for nearby sources, as is the case for multiple chips within one smartphone, so-called coexistence is the key to high-performance spectrum sharing.

Coexistence between wireless chips can be implemented in various ways. While there are open specifications, most manufacturers opt to develop proprietary coexistence mechanisms to further improve performance. Open interfaces are not needed on combo chips that implement multiple wireless technologies, as the manufacturer has full control.

Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. While coexistence should only increase performance, it also poses a powerful side channel.

We are the first to explore side-channel attacks on wireless coexistence. We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series. Note that other manufacturers also rely on coexistence and similar attacks might apply.

We exploit coexistence in Broadcom and Cypress chips and break the separation between Wi-Fi and Bluetooth, which operate on separate ARM cores. In general, denial-of-service on spectrum access is possible. The associated packet meta information allows information disclosure, such as extracting Bluetooth keyboard press timings within the Wi-Fi D11 core. Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. This makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus, tremendously increasing the attack surface. During code execution within the Wi-Fi firmware, we even experience kernel panics on Android and iOS.

The full technical details along with an academic paper on the attack will be released in August at a virtual session by the Black Hat security conference.

We present you Spectra wifi vulnerability, not to be confused with Spectre cpu vulnerability... we shall name the next vulnerability we find, Spectro, to make things even more interesting
Oh noes, not Kernel Panics.
Wait, is he on the same side as Major Disaster?
We present you Spectra wifi vulnerability, not to be confused with Spectre cpu vulnerability... we shall name the next vulnerability we find, Spectro, to make things even more interesting
To all of those as a class of vulnerabilities, we call them 'Specteri', though we accept 'Spectruses' too. We will just frown in disappointment if you choose to call it that.