Called Spectra, this attack works against “combo chips,” specialized chips that handle multiple types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, LTE, and others.
“Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum, and wireless chips need to arbitrate the channel access,” the research team said today in a short abstract detailing an upcoming Black Hat talk.
More specifically, the Spectra attack abuses the coexistence mechanisms that chipset vendors build into their devices. Combo chips use these mechanisms to switch between wireless technologies at a rapid pace, since all of them share the same antenna and spectrum.
The researchers say that while these coexistence mechanisms improve performance, they also open the door to side-channel attacks, allowing an attacker who controls one wireless technology to infer details about the others the combo chip supports.
“We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series,” the two researchers said.
“In general, denial-of-service on spectrum access is possible. The associated packet meta information allows information disclosure, such as extracting Bluetooth keyboard press timings within the Wi-Fi D11 core,” Classen and Gringoli say.
“Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. This makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus, tremendously increasing the attack surface.