• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

'Spectra' Cyber Attack Breaks Coexistence Between Wi-Fi and Bluetooth

Joined
Mar 31, 2020
Messages
1,519 (0.90/day)
Nowadays wireless technologies are increasingly sharing spectrum. This is the case for Wi-Fi and Bluetooth, but also some LTE bands and harmonics. Operating on the same frequency means that these different technologies need to coordinate wireless spectrum access to avoid collisions. Especially for nearby sources, as it is the case for multiple chips within one smartphone, so-called coexistence is the key to high-performance spectrum sharing.

Coexistence between wireless chips can be implemented in various ways. While there are open specifications, most manufacturers opt to develop proprietary coexistence mechanisms to further improve performance. Open interfaces are not needed on combo chips that implement multiple wireless technologies, as the manufacturer has full control.

Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. While coexistence should only increase performance, it also poses a powerful side channel.





We are the first to explore side-channel attacks on wireless coexistence. We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series. Note that other manufacturers also rely on coexistence and similar attacks might apply.

We exploit coexistence in Broadcom and Cypress chips and break the separation between Wi-Fi and Bluetooth, which operate on separate ARM cores. In general, denial-of-service on spectrum access is possible. The associated packet meta information allows information disclosure, such as extracting Bluetooth keyboard press timings within the Wi-Fi D11 core. Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. This makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus, tremendously increasing the attack surface. During code execution within the Wi-Fi firmware, we even experience kernel panics on Android and iOS.

The full technical details along with an academic paper on the attack will be released in August at a virtual session by the Black Hat security conference.

View at TechPowerUp Main Site
 
Joined
Feb 8, 2012
Messages
3,014 (0.65/day)
Location
Zagreb, Croatia
System Name Windows 10 64-bit Core i7 6700
Processor Intel Core i7 6700
Motherboard Asus Z170M-PLUS
Cooling Corsair AIO
Memory 2 x 8 GB Kingston DDR4 2666
Video Card(s) Gigabyte NVIDIA GeForce GTX 1060 6GB
Storage Western Digital Caviar Blue 1 TB, Seagate Baracuda 1 TB
Display(s) Dell P2414H
Case Corsair Carbide Air 540
Audio Device(s) Realtek HD Audio
Power Supply Corsair TX v2 650W
Mouse Steelseries Sensei
Keyboard CM Storm Quickfire Pro, Cherry MX Reds
Software MS Windows 10 Pro 64-bit
We present you Spectra wifi vulnerability, not to be confused with Spectre cpu vulnerability... we shall name the next vulnerabilty we find, Spectro, to make things even more interesting
 
Joined
Oct 22, 2014
Messages
14,084 (3.82/day)
Location
Sunshine Coast
System Name H7 Flow 2024
Processor AMD 5800X3D
Motherboard Asus X570 Tough Gaming
Cooling Custom liquid
Memory 32 GB DDR4
Video Card(s) Intel ARC A750
Storage Crucial P5 Plus 2TB.
Display(s) AOC 24" Freesync 1m.s. 75Hz
Mouse Lenovo
Keyboard Eweadn Mechanical
Software W11 Pro 64 bit
Oh noes, not Kernel Panics.
Wait is he on the same side as Major Disaster?
 
Joined
Apr 16, 2010
Messages
3,600 (0.67/day)
Location
Portugal
System Name LenovoⓇ ThinkPad™ T430
Processor IntelⓇ Core™ i5-3210M processor (2 cores, 2.50GHz, 3MB cache), Intel Turbo Boost™ 2.0 (3.10GHz), HT™
Motherboard Lenovo 2344 (Mobile Intel QM77 Express Chipset)
Cooling Single-pipe heatsink + Delta fan
Memory 2x 8GB KingstonⓇ HyperX™ Impact 2133MHz DDR3L SO-DIMM
Video Card(s) Intel HD Graphics™ 4000 (GPU clk: 1100MHz, vRAM clk: 1066MHz)
Storage SamsungⓇ 860 EVO mSATA (250GB) + 850 EVO (500GB) SATA
Display(s) 14.0" (355mm) HD (1366x768) color, anti-glare, LED backlight, 200 nits, 16:9 aspect ratio, 300:1 co
Case ThinkPad Roll Cage (one-piece magnesium frame)
Audio Device(s) HD Audio, RealtekⓇ ALC3202 codec, DolbyⓇ Advanced Audio™ v2 / stereo speakers, 1W x 2
Power Supply ThinkPad 65W AC Adapter + ThinkPad Battery 70++ (9-cell)
Mouse TrackPointⓇ pointing device + UltraNav™, wide touchpad below keyboard + ThinkLight™
Keyboard 6-row, 84-key, ThinkVantage button, spill-resistant, multimedia Fn keys, LED backlight (PT Layout)
Software MicrosoftⓇ WindowsⓇ 10 x86-64 (22H2)
We present you Spectra wifi vulnerability, not to be confused with Spectre cpu vulnerability... we shall name the next vulnerabilty we find, Spectro, to make things even more interesting
To all of those as a class of vulnerabilities, we call them 'Specteri', though we accept 'Spectruses' too. We will just frown in disappointment if you choose to call it that.
 
Top