Researchers at the University of California San Diego have discovered how Bluetooth can be used to directly steal network passwords and manipulate traffic on a Wi-Fi chip, putting billions of electronic devices at risk of stealthy attacks.
The attack targets the so-called “combo chips,” specialized chips designed to handle several kinds of radio-based wireless communication, such as Wi-Fi, Bluetooth, and LTE, on one piece of silicon.
Coexistence, i.e., the coordination of cross-technology wireless transmissions, is an unexplored attack surface, according to a paper published by researchers from the Secure Mobile Networking Lab at the Technical University of Darmstadt and the University of Brescia.
According to the study, instead of directly escalating privileges into the mobile [operating system], wireless chips can exploit the means they employ to arbitrate their access to the resources they share, namely the transmitting antenna and the wireless medium. Bluetooth, Wi-Fi, and LTE coexist because they share the same components and resources, such as antennas and wireless spectrum, so these communication standards must coordinate spectrum access to avoid collisions. Chipset vendors use this principle to allow Wi-Fi and Bluetooth to operate virtually concurrently. Despite the importance of these combo wireless chips for high-performance spectrum sharing, the researchers demonstrated last year at the Black Hat security conference that coexistence interfaces also carry a side-channel risk, allowing a malicious party to access information about the other wireless technologies supported by the combo chip. The researchers noted that the Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, giving an attacker further information. Furthermore, an attacker can run code on a Wi-Fi chip without being connected to a wireless network.
Additionally, the researchers found that an adversary with control over the Wi-Fi core can observe Bluetooth packets. This, in turn, allows the adversary to determine keystroke timings on Bluetooth keyboards, ultimately allowing the attacker to reassemble text entered with the keyboard. In November 2021, more than two years after the first coexistence bug was reported, the researchers said that coexistence attacks, including code execution, still work on Broadcom chips. They said that the problems are difficult to solve in practice. The best way to minimize the risk of such wireless attacks is for users to remove unnecessary Bluetooth pairings, delete unused Wi-Fi networks, and use cellular instead of Wi-Fi when in public places.
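The hygiene advice above (delete unused Wi-Fi networks) is easy to state but tedious to apply by hand on a laptop that has accumulated years of saved profiles. The POSIX shell script below is an added example, not code from the article or from the researchers, that reads the terse output of NetworkManager's `nmcli -t -f NAME,TYPE,TIMESTAMP connection show` and lists the saved Wi-Fi profiles that have not been used within a given number of days, then prints the matching `nmcli connection delete` commands for an operator to review. The field names and the `802-11-wireless` type string are real nmcli output; the sample profile names and timestamps are constructed, and the age threshold is an assumed policy, not one the article specifies.

```shell
#!/bin/sh
# Added example (not from the article): find stale saved Wi-Fi profiles from
# NetworkManager and emit dry-run delete commands. Assumes the terse output of
#   nmcli -t -f NAME,TYPE,TIMESTAMP connection show
# where TIMESTAMP is seconds since the epoch of the last successful connection
# and 0 means the profile has never connected. Note that terse mode escapes a
# literal ':' in a profile name as '\:'; such names are rare and not handled here.

# Constructed sample output, standing in for the real nmcli command.
SAMPLE_NMCLI_OUTPUT='HomeNet:802-11-wireless:1704067200
CoffeeShop-Free:802-11-wireless:1609459200
Office-LAN:802-3-ethernet:1704067200
AirportWiFi:802-11-wireless:0'

# stale_wifi_profiles NOW_EPOCH MAX_AGE_DAYS  (reads nmcli terse lines on stdin)
# Prints one profile name per line for every Wi-Fi profile that either has
# never connected or was last used more than MAX_AGE_DAYS ago.
stale_wifi_profiles() {
    now="$1"
    max_age_seconds=$(( $2 * 86400 ))
    while IFS=: read -r name type ts; do
        # Only Wi-Fi profiles matter for this mitigation; skip ethernet, VPN, etc.
        [ "$type" = "802-11-wireless" ] || continue
        if [ "$ts" -eq 0 ] || [ $(( now - ts )) -gt "$max_age_seconds" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# print_delete_commands  (reads profile names on stdin)
# Emits the nmcli commands as text so a human can review them before running;
# pipe the output into sh only after checking the list.
print_delete_commands() {
    while read -r name; do
        printf 'nmcli connection delete id "%s"\n' "$name"
    done
}

# Stand-alone usage: profiles unused for more than 90 days, relative to the
# constructed "now" of 2024-01-01 (1704067200). Replace the sample with
#   nmcli -t -f NAME,TYPE,TIMESTAMP connection show | stale_wifi_profiles "$(date +%s)" 90
# on a real system.
printf '%s\n' "$SAMPLE_NMCLI_OUTPUT" | stale_wifi_profiles 1704067200 90 | print_delete_commands
```

The script deliberately never deletes anything itself: the coexistence problem the researchers describe is exploited from a chip the user cannot patch, so the defender's lever is the set of networks and pairings the device will silently join, and that list deserves a human look before it is pruned. The same pattern applies to Bluetooth pairings via `bluetoothctl paired-devices` and `bluetoothctl remove`, which is left out here to keep the example to one tool.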