Wireless InterChip Privilege Escalation Attack
Vulnerabilities in wireless chip designs could allow malicious hackers to steal data and passwords from devices, according to security researchers.
Wireless devices often use radio components with shared resources: combination chips or System on a Chip (SoC) designs in which a single chip handles multiple radio interfaces, including Bluetooth, WiFi, LTE (4G) and 5G.
These interfaces typically share components, such as memory, and resources such as antennas and wireless spectrum. Designers use wireless coexistence mechanisms to arbitrate this sharing and maximize network performance. In doing so, they create security flaws that are hard, or even impossible, to patch.
The researchers built a mobile test rig for under $100 and, in an over-the-air exploit, used a Bluetooth connection to obtain network passwords and manipulate traffic on a WiFi chip. Coexistence attacks enable a novel type of lateral privilege escalation across chip boundaries, they state.
The researchers created proof-of-concept (PoC) exploits of shared resources on chips from Silicon Labs, Broadcom, and Cypress. The group found nine CVEs, which they disclosed to the chip companies, as well as to the Bluetooth SIG and associated manufacturers that use coexistence interfaces.
Attackers can escalate “privileges laterally from one wireless chip or core into another”, and serial coexistence protocols can leak information across wireless chips, giving away packet types and activity. Malicious hackers could obtain keypress timings from a Bluetooth device “for inferring passwords and password lengths”, they found.
The potential attacks are both stealthy and hard to patch. An attack that moves laterally between components is likely to be invisible to the operating system, and so bypass its protection measures, the researchers warned.
Hardware manufacturers should be able to reduce the risks by redesigning chip architectures and by patching firmware. But not all systems can be patched, and older devices might no longer receive updates from their makers.
Device users are advised to take steps such as deleting unused Bluetooth pairings and using 4G rather than WiFi in public places.