Spectra Security Exploit Unleashes Side-Channel Attack On Combo Wi-Fi And Bluetooth Chips

A team of researchers warns that combo chips that implement multiple wireless technologies in PCs and mobile devices are susceptible to a side-channel exploit called Spectra. Not to be confused with Spectre (or Meltdown), this side-channel vulnerability affects chips that combine Wi-Fi and Bluetooth connectivity, and sometimes cellular bands as well.

"We are the first to explore side-channel attacks on wireless coexistence. We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series. Note that other manufacturers also rely on coexistence and similar attacks might apply," the researchers say.

The issue relates to how wireless technologies share spectrum. Wi-Fi and Bluetooth can operate in the same frequency, so the two must coordinate their use of the wireless spectrum to avoid collisions. To deal with this, the researchers say, many chip makers develop proprietary coexistence mechanisms, as they offer better performance than existing open coexistence specifications.

"Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. While coexistence should only increase performance, it also poses a powerful side channel," the researchers say.

The researchers have not yet provided in-depth details on the vulnerability, but did say that in general, denial of service (DoS) attacks are possible. They also warn that it is possible to extract data from packet meta information and to "experience kernel panics on Android and iOS" devices.

"Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. This makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus, tremendously increasing the attack surface," the researchers added.

The research team says it will offer up more details at the Black Hat USA 2020 conference.
