New Spectra attack breaks the separation between Wi-Fi and Bluetooth in iPhones, MacBooks, and Samsung Galaxy S series using Broadcom and Cypress chips
Most iPhones, MacBooks, and Samsung Galaxy S series smartphones use Wi-Fi and Bluetooth combo chips from Broadcom and Cypress. These combo chips use a procedure called a coexistence mechanism to switch between Wi-Fi and Bluetooth at a rapid pace while you are using the iPhone or another gadget. Any break in this switching can lead to a denial of service on your iPhone, MacBook, or Samsung Galaxy S series smartphone.
Jiska Classen, from the Darmstadt Technical University, and Francesco Gringoli, from the University of Brescia, have done precisely that. They have developed a new practical attack method that breaks the separation between Wi-Fi and Bluetooth technologies running on the same device, such as laptops, smartphones, and tablets. The researchers have named their attack method Spectra.
The Spectra attack works on any combo chip that combines Wi-Fi and Bluetooth, but the researchers were able to successfully launch a denial-of-service attack on chips from Broadcom and Cypress. As said above, this attack works against "combo chips" that provide connectivity on devices using Wi-Fi, Bluetooth, and LTE. These specialized chips are able to handle multiple types of radio-based wireless communication requests from users at the same time.
Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum, and wireless chips need to arbitrate the channel access
The researchers say that the Spectra attack can breach the coexistence mechanisms on the chips without much effort. The coexistence mechanisms are designed to improve the connectivity performance of the chips, but the researchers say they also provide the opportunity to carry out side-channel attacks and allow an attacker to glean information from the other wireless technologies the combo chip supports.
The researchers stated that the Spectra attack could work on any combo chips but they conducted research on specific chips from Broadcom and Cypress.
We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series. We exploit coexistence in Broadcom and Cypress chips and break the separation between Wi-Fi and Bluetooth, which operate on separate ARM cores.
The researchers said that to exploit the Spectra vulnerability, an attacker would need to target a combo chip with malformed wireless traffic.
In general, denial-of-service on spectrum access is possible. The associated packet meta-information allows information disclosure, such as extracting Bluetooth keyboard press timings within the Wi-Fi D11 core. Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. This makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus, tremendously increasing the attack surface.
While the Spectra attack may not sound like a big vulnerability, it could be used by hackers and cybercriminals to access your Wi-Fi passwords and Bluetooth information. It could also be used to launch a denial-of-service (DoS) attack against your Wi-Fi and Bluetooth, rendering them useless.
Classen and Gringoli say they plan to demonstrate the Spectra attack during a virtual session at the Black Hat security conference to be held in August. They will also release technical details of the Spectra attack at the conference.