Spectra: Breaking Separation Between Wireless Chips

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 11 a.m. (40 minutes)

<p>Nowadays wireless technologies are increasingly sharing spectrum. This is the case for Wi-Fi and Bluetooth, but also some LTE bands and harmonics. Operating on the same frequency means that these different technologies need to coordinate wireless spectrum access to avoid collisions. Especially for nearby sources, as it is the case for multiple chips within one smartphone, so-called coexistence is the key to high-performance spectrum sharing.</p><p>Coexistence between wireless chips can be implemented in various ways. While there are open specifications, most manufacturers opt to develop proprietary coexistence mechanisms to further improve performance. Open interfaces are not needed on combo chips that implement multiple wireless technologies, as the manufacturer has full control.</p><p>Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. While coexistence should only increase performance, it also poses a powerful side channel.</p><p>We are the first to explore side-channel attacks on wireless coexistence. We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series. Note that other manufacturers also rely on coexistence and similar attacks might apply.</p><p>We exploit coexistence in Broadcom and Cypress chips and break the separation between Wi-Fi and Bluetooth, which operate on separate ARM cores. In general, denial-of-service on spectrum access is possible. The associated packet meta information allows information disclosure, such as extracting Bluetooth keyboard press timings within the Wi-Fi D11 core. Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. This makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus, tremendously increasing the attack surface. During code execution within the Wi-Fi firmware, we even experience kernel panics on Android and iOS.</p>

Presenters:

• Francesco Gringoli - Associate Professor, University of Brescia
  <span>Francesco Gringoli is associate professor at the University of Brescia, Italy. His research interests include security assessment, performance evaluation, and medium access control in wireless LANs. He likes playing with hardware and reverse engineering electronic devices.</span>
• Jiska Classen - Dr.-Ing., Technische Universität Darmstadt, SEEMOO
  Jiska Classen breaks things.

Links:

• https://www.blackhat.com/us-20/briefings/schedule/#spectra-breaking-separation-between-wireless-chips-20005

Similar Presentations:

• Black Hat USA 2017 / Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets
• DEF CON 28 (2020) Virtual / Spectra-New Wireless Escalation Targets
• Black Hat USA 2022 / Ghost in the Wireless, iwlwifi Edition