Researchers Share New Attacks on Wi-Fi and Bluetooth Chips

Researchers have revealed new attacks that can exploit shared resources between Wi-Fi and Bluetooth components on a variety of system-on-chip (SoC) designs from Broadcom, Cypress, and Silicon Labs.

BleepingComputer first spotted the paper describing the findings, which is titled “Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation” and was published by researchers from the Secure Networking Lab at the University of Darmstadt and CNIT at the University of Brescia.

The researchers say they “demonstrate that a Bluetooth chip can directly extract network passwords and manipulate traffic on a Wi-Fi chip” because “these chips share components and resources, such as the same antenna or wireless spectrum,” even though they're all technically considered separate chips.

So far, nine Common Vulnerabilities and Exposures (CVE) identifiers have been assigned to these vulnerabilities. The researchers say they have informed the Bluetooth Special Interest Group as well as Intel, MediaTek, Marvell, NXP, Qualcomm, Texas Instruments, and the manufacturers whose devices they successfully exploited.

Hackers would have to successfully compromise one of the wireless chips to exploit these flaws against the other chip. This could allow the attackers to steal Wi-Fi passwords after compromising the Bluetooth chip, the researchers say, or to exploit a different vulnerability in one of the chips to gain access to other parts of a targeted device.

“Since wireless chips communicate directly through hard-wired coexistence interfaces,” the researchers say, “the OS drivers cannot filter any events to prevent this novel attack. Despite reporting the first security issues on these interfaces more than two years ago, the inter-chip interfaces remain vulnerable to most of our attacks.”

The researchers say their attacks were still viable against iOS 14.7 and Android 11 devices. (Both have since been superseded by iOS 15 and Android 12, respectively, but this report has been two years in the making.) They also demonstrated their attacks on a variety of other devices, which are shown in the table below.

A table showing the results of these attacks on various products

But the lack of mitigation doesn't seem to have come as a surprise. “We responsibly disclosed the vulnerabilities to the vendor,” the researchers say. “Yet, only partial fixes were released for existing hardware since wireless chips would need to be redesigned from the ground up to prevent the presented attacks on coexistence.”

Broadcom, Cypress, and Silicon Labs didn't immediately respond to requests for comment.
