Spectra Attack Turns Bluetooth and Wi-Fi Against Each Other

Our smart devices need to communicate wirelessly and seamlessly with many other devices, in order to be useful. All these devices’ radios also need to talk with one another. And that allowed researchers at the Black Hat security conference to show off a new kind of attack they dubbed Spectra.

The research was presented by Jiska Classen from the Technische Universität Darmstadt and Francesco Gringoli of the University of Brescia; the former appeared onscreen with a forehead-mounted rainbow fedora superimposed on the video feed. Such feats were possible because the Black Hat conference was online this year, in response to the ongoing COVID-19 pandemic.

[Screenshot of the Black Hat presentation]

Uneasy Coexistence

Spectra works because both Bluetooth and Wi-Fi radios operate in the 2.4 GHz band, so their transmissions cannot be scheduled too close to one another without interfering. Classen explained that even when they aren’t on the same frequencies, there are still harmonics to worry about. “They somehow need to tell each other, ‘I am now using such and such frequency,’” said Classen.


This is called a coexistence mechanism, and it presents some interesting properties for security researchers. “These chips have hardware connections,” said Classen. “And these connections can be used without passing any checks from an operating system.” In short, there are fewer roadblocks to an attack.

Doing Some Damage

The researchers determined that coexistence relationships could be exploited in a number of ways. The most obvious was a denial-of-service (DoS) attack. Because the chips have to coordinate the operation of their respective radios, one could be used to prevent the other from transmitting. If an attacker is able to control the Wi-Fi, for instance, they can prevent the Bluetooth radio from working.

Digging deeper, the researchers also found that it was possible for one chip to disclose some kind of information about activity on the other chip. Gringoli explained how a Bluetooth keyboard transmitted specific information for specific events, including the exact time an individual key is pressed on a wireless keyboard. When an attacker has access to the Wi-Fi system, they can gather up these keypress events. Add the help of a trained AI, and Gringoli suggested it would be possible to guess what the user is typing. 

[Chip diagram showing the WLAN RAM]

The Scope of the Problem

The researchers focused their work on the Broadcom combo chip that includes controls for Wi-Fi and Bluetooth. Broadcom’s Wi-Fi and Bluetooth operation was purchased by Cypress Semiconductor in 2016. Clearly, these chips are everywhere, but the researchers noted that manufacturers do not always release which chips are used in certain devices. The duo speculated they’re in hundreds of millions of devices.

Throughout the presentation, the team showed lengthy tables indicating which devices they knew were vulnerable and to which attacks. These ranged from older devices, such as the Nexus 5, to high-end ones, including the 2019-2020 MacBook Pro. Raspberry Pis, iPhones, and Samsung Galaxy devices also made appearances. The success of some of the attacks would depend on the OS version, though.

The researchers underwent a responsible disclosure process, but Classen noted that many other manufacturers have proprietary coexistence features similar to Broadcom—meaning the same or similar vulnerabilities might exist there, too. “So we asked Broadcom if we could inform other wireless manufacturers,” said Classen. Broadcom agreed, and the list eventually grew to include Intel, Marvell, MediaTek, NXP, Qualcomm, and Texas Instruments. 

The outcome of that disclosure appears to have been a bit uneven. Classen checked the most recent versions of iOS and macOS Catalina, and the issue was still unpatched. “So I guess it’s still unfixable because it’s very low in the hardware.” 

This surely is not the end of the Spectra story. In fact, Classen said an over-the-air Bluetooth remote-code execution called Frankenstein would be discussed in a future conference. This means that some of the Spectra attacks may be possible without direct access to the target devices, ensuring exciting research is still forthcoming.

August 9, 2020