Attackers can use connections between wireless chips to steal data or credentials, researchers find
Vulnerabilities in wireless chip designs could allow malicious hackers to steal data and passwords from devices, according to security researchers.
According to the group, from the Technical University of Darmstadt’s Secure Mobile Networking Group (Germany) and the University of Brescia’s CNIT (Italy), attackers could exploit "wireless coexistence" or shared component features on millions of mobile devices.
Wireless devices often use radio components with shared resources, combination chips or System on a Chip (SoC) designs. These SoCs are responsible for multiple radio interfaces, including Bluetooth, WiFi, LTE (4G) and 5G.
But, as the researchers note, these interfaces typically share components, such as memory, and resources including antennae and wireless spectrum. Designers utilize wireless coexistence to allow resource sharing and maximize network performance. In doing so, they create security flaws that are hard, or even impossible, to patch.
"While SoCs are constantly optimized towards energy efficiency, high throughput, and low latency communication, their security has not always been prioritized," the researchers warn.
Over-the-air exploit
In tests, researchers built a mobile test rig for under $100, and in an over-the-air exploit made use of a Bluetooth connection to obtain network passwords and manipulate traffic on a WiFi chip. Coexistence attacks enable a novel type of lateral privilege escalation across chip boundaries, they state.
The researchers were able to create a proof-of-concept exploitation of shared resources on technologies from Silicon Labs, Broadcomm, and Cypress. The group found nine CVEs, which they disclosed to the chip companies, as well as the Bluetooth SIG and associated manufacturers that use coexistence interfaces.
Catch up on the latest mobile security news and analysis
Attackers can escalate "privileges laterally from one wireless chip or core into another". And serial coexistence protocols can leak information across wireless chips, giving away packet types and activity. Malicious hackers could obtain keypress timings from a Bluetooth device "for inferring passwords and password lengths", they found.
More details on the research can be found in a paper by the researcher entitled 'Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation' (PDF).
Researchers have devised an attack that targets devices with multiple RF [radio frequency] interfaces
Mitigation impossible?
The potential attacks are both stealthy and hard to patch. An attack that moves laterally between components is likely to be invisible to the operating system, and so bypass its protection measures, the researchers warned.
Hardware manufacturers should be able to reduce the risks by redesigning chip architectures, and by patching firmware. But not all systems can be patched, and older devices might no longer receive updates from their makers.
In the meantime, device users are advised to take steps such as deleting unused Bluetooth pairings and using 4G rather than WiFi in public places.
"This raises an entire new class of attack against devices with multiple RF [radio frequency] interfaces," UK-based security researcher Andrew Tierney told The Daily Swig. "The most interesting aspect is how stealthy they can be, entirely bypassing protections put in place by the operating system."
But he added that as the techniques "are very involved" they are most likely to be used by nation states.
YOU MAY ALSO LIKE Bug bounty platforms handling thousands of Log4j vulnerability reports
