Practical coexistence attacks on billions of WiFi chips allow data theft and traffic manipulation

Pierluigi Paganini December 13, 2021

Boffins discovered bugs in WiFi chips that can be exploited to extract passwords and manipulate traffic by targeting a device’s Bluetooth component.

A group of researchers from the University of Darmstadt, University of Brescia, CNIT, and the Secure Mobile Networking Lab, have discovered security vulnerabilities in WiFi chips that can be exploited to extract passwords and manipulate traffic on a WiFi chip by targeting a device’s Bluetooth component.

According to the research paper published by the experts, modern mobile devices use separate wireless chips to manage wireless technologies, such as Bluetooth, Wi-Fi, and LTE. However, these chips share components and resources, such as the same antenna or wireless spectrum, to improve the efficiency of the devices reducing the energy consumption and the latency in communications.

The researchers explained that it is possible to use these shared resources to launch lateral privilege escalation attacks across wireless chip boundaries.

“This paper demonstrates lateral privilege escalations from a Bluetooth chip to code execution on a Wi-Fi chip. The WiFi chip encrypts network traffic and holds the current WiFi credentials, thereby providing the attacker with further information.” reads the research paper published by the experts. “Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network. In the opposite direction, we observe Bluetooth packet types from a Wi-Fi chip. This allows determining keystroke timings on Bluetooth keyboards, which can allow reconstructing texts entered on the keyboard.”

The researchers demonstrated practical coexistence attacks on Broadcom, Cypress, and Silicon Labs chips deployed in
billions of devices.

Practical coexistence attacks demonstrated in the paper allowed the researchers to achieve WiFi code execution, memory readout, and denial of service.

In the attack scenario devised by the researchers, they first perform code execution on either the Bluetooth or WiFi chip, then they perform lateral attacks on other chips on the same device by leveraging shared memory resources.

Threat actors can execute code by exploiting an unpatched or new security issue over-the-air, or abusing the
local OS firmware update mechanism.

The following table reports the attack types associated with the vulnerabilities discovered by the researchers.

WiFi coexistence attacks

Experts pointed out that some of the vulnerabilities they discovered cannot be fixed without changing the design of the hardware.

“Some issues can only be patched by releasing a new hardware revision. For example, a new firmware version will not physically remove shared memory from a chip or adjust for arbitrary jitter in a serial protocol. Moreover, some packet timing and metadata cannot be removed without negatively impacting packet coordination performance” continues the paper.

The researchers shared their findings with the chip vendors, and some of them have already addressed the issues.

According to the researchers, though, fixing the identified issues has been slow and inadequate, and the most dangerous aspect of the attack remains largely unfixed.

“While the code execution vulnerability is rooted in architectural issues of specific chips and uncovering required reverse-engineering efforts, DoS and information disclosure attacks of a more general nature can directly be derived from the openly available coexistence specifications.” concludes the paper. “Wireless coexistence enables new escalation strategies based on hardwired inter-chip components. Since the attack vector lies directly between the chips, it bypasses the main operating system. A full fix will require chip redesigns—current firmware fixes are incomplete”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WiFi coexistence attacks)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment