Wireless coexistence – New attack technique exploits Bluetooth, WiFi performance features for ‘inter-chip privilege escalation’

Stephen Pritchard

23 December 2021 at 15:28 UTC

Updated: 23 December 2021 at 15:43 UTC

Attackers can use connections between wireless chips to steal data or credentials, researchers find

Security shortcomings in the shared on-chip resources used by different wireless technologies create a means to steal data and passwords, security researchers warn

Vulnerabilities in wireless chip designs could allow malicious hackers to steal data and passwords from devices, according to security researchers.

The group, from the Technical University of Darmstadt’s Secure Mobile Networking Group (Germany) and the University of Brescia’s CNIT (Italy), says attackers could exploit “wireless coexistence”, the shared-component features found on millions of mobile devices.

Wireless devices often use radio components with shared resources, combination chips or System on a Chip (SoC) designs. These SoCs are responsible for multiple radio interfaces, including Bluetooth, WiFi, LTE (4G) and 5G.

But, as the researchers note, these interfaces typically share components, such as memory, and resources such as antennas and wireless spectrum. Designers rely on wireless coexistence to arbitrate this resource sharing and maximize network performance. In doing so, they create security flaws that are hard, or even impossible, to patch.

“While SoCs are constantly optimized towards energy efficiency, high throughput, and low latency communication, their security has not always been prioritized,” the researchers warn.

Over-the-air exploit

In tests, researchers built a mobile test rig for under $100, and in an over-the-air exploit made use of a Bluetooth connection to obtain network passwords and manipulate traffic on a WiFi chip. Coexistence attacks enable a novel type of lateral privilege escalation across chip boundaries, they state.

The researchers created proof-of-concept exploits of shared resources on chips from Silicon Labs, Broadcom, and Cypress. The group found nine CVEs, which they disclosed to the chip companies, as well as to the Bluetooth SIG and the manufacturers that use coexistence interfaces.

Attackers can escalate “privileges laterally from one wireless chip or core into another”. And serial…