A group of German and Italian scientists has developed a new attack that circumvents the separation between Wi-Fi and Bluetooth on the same device (smartphones, laptops and tablets). The attack, dubbed Spectra, targets “combined” chips that handle several types of wireless communication, including Wi-Fi, Bluetooth and LTE.
“Spectra’s new class of vulnerabilities is based on the fact that data is transmitted in one spectrum and wireless chips must allow access to the channel,” the researchers said in a short announcement of their upcoming report at the Black Hat conference.
More specifically, Spectra relies on the coexistence mechanisms that “combined” chips use to switch quickly between wireless technologies. According to the researchers, these mechanisms improve performance, but they also expose the device to side-channel attacks.
The scientists analyzed “combined” Broadcom and Cypress chips used in millions of devices, including the iPhone, MacBook and Samsung Galaxy S series smartphones. They managed to break down the barrier between Wi-Fi and Bluetooth, which are handled by separate ARM cores. They attacked the chip with malicious wireless traffic and then “broke” the boundary between the two wireless technologies.
The results of an attack may vary. In short, Spectra allows a DDoS attack on access to the spectrum. Packet metadata also discloses information: for example, the timing of key presses on a Bluetooth keyboard can be observed in the Wi-Fi D11 core.
The researchers also identified a shared RAM area that allows code execution on the Wi-Fi core via Bluetooth. This makes remote code execution via Bluetooth equivalent to remote code execution via Wi-Fi, which significantly increases the attack surface.
Although the study examined Broadcom and Cypress chips, the scientists say Spectra may affect other devices as well. Details of the attack have not yet been published. The researchers' report will be presented at the Black Hat online conference in August.