Our smart devices need to communicate wirelessly and seamlessly with many other devices, in order to be useful.
All these devices' radios also need to talk with one another.
And that allowed researchers at the Black Hat security conference to show off a new kind of attack they dubbed Spectra.
The research was presented by Jiska Classen from the Technische Universität Darmstadt and Francesco Gringoli of the University of Brescia; the former appeared onscreen with a forehead-mounted rainbow fedora superimposed on the video feed.
Such feats were possible because the Black Hat conference was online this year, in response to the ongoing COVID-19 pandemic.
Uneasy Coexistence
Spectra works because both Bluetooth and Wi-Fi radios broadcast in the 2.4 GHz spectrum range, so they cannot transmit too close to one another in frequency or time without interfering.
Classen explained that even when they aren't in the same spectrum, there are still harmonics to worry about.
"They somehow need to tell each other, 'I am now using such and such frequency,'" said Classen.
This is called a coexistence mechanism, and it presents some interesting properties for security researchers.
"These chips have hardware connections," said Classen.
"And these connections can be used without passing any checks from an operating system." In short, there are fewer roadblocks to an attack.
Doing Some Damage
The researchers determined that coexistence relationships could be exploited in a number of ways.
The most obvious was a denial-of-service (DoS) attack.
Because the chips have to coordinate the operation of their respective radios, one could be used to prevent the other from transmitting.
If an attacker is able to control the Wi-Fi, for instance, they can prevent the Bluetooth radio from working.
Digging deeper, the researchers also found that it was possible for one chip to disclose some kind of information about activity on the other chip.
Gringoli explained how a Bluetooth keyboard transmitted specific information for specific events, including the exact time an individual key is pressed on a wireless keyboard.
When an attacker has access to the Wi-Fi system, they can gather up these keypress events.
With the help of a trained AI, Gringoli suggested, it would be possible to guess what the user is typing.
The team had one final discovery.
In one diagram, Classen noticed something called WLAN RAM Sharing, which appeared to be memory that both the Wi-Fi and Bluetooth systems could access.
Classen described this portion of the research like this: "when you spend too much looking for side channels, but then you miss the one big thing."
The team determined that an attacker with access to the Bluetooth side of the house could read information from the Wi-Fi RAM.
They also discovered that Bluetooth could write to this memory as well, and that the Wi-Fi side would execute that code—always a great find for security researchers.
Classen said that exploiting this discovery for mischief wasn't especially difficult: Just "randomly writing stuff to the shared memory region" could cause crashes and kernel panics.
Classen summed up the findings with a simple chart.
Bluetooth remote-code execution allows for driver kernel panics, information disclosure, and code execution on the Wi-Fi system.
Having remote-code execution on the Wi-Fi system allows for denial of service and information disclosure from the Bluetooth side.
Truly, a house divided cannot stand.
The Scope of the Problem
The researchers focused their work on the Broadcom combo chip that includes both Wi-Fi and Bluetooth controllers.
Broadcom's Wi-Fi and Bluetooth operation was purchased by Cypress Semiconductor in 2016.
Clearly, these chips are everywhere, but the researchers noted that manufacturers do not always disclose which chips are used in certain devices.
The duo speculated they're in hundreds of millions of devices.
Throughout the presentation, the team showed lengthy tables indicating which devices they knew were vulnerable and to which attacks.
These ranged from older devices, such as the Nexus 5, to high-end ones, including the 2019-2020 MacBook Pro.
Raspberry Pis, iPhones, and Samsung Galaxy devices also made appearances.
The success of some of the attacks would depend on the OS version, though.
The researchers went through a responsible disclosure process, but Classen noted that many other manufacturers have proprietary coexistence features similar to Broadcom's—meaning the same or similar vulnerabilities might exist there, too.
"So we asked Broadcom if we could inform other wireless manufacturers," said Classen.
Broadcom agreed, and the list eventually grew to include Intel, Marvell, MediaTek, NXP, Qualcomm, and Texas Instruments.
The outcome of that disclosure appears to have been a bit uneven.
Classen checked the most recent versions of iOS and macOS Catalina, and the issue was still unpatched.
"So I guess it's still unfixable because it's very low in the hardware."
This surely is not the end of the Spectra story.
In fact, Classen said an over-the-air Bluetooth remote-code execution called Frankenstein would be discussed in a future conference.
This means that some of the Spectra attacks may be possible without direct access to the target devices, ensuring exciting research is still forthcoming.