Attacks on Wireless Coexistence: Exploiting Cross-Technology Performance Features for Inter-Chip Privilege Escalation

TL;DR

This paper reveals practical security vulnerabilities in wireless coexistence interfaces of mobile device chips, enabling privilege escalation and data extraction across wireless technologies like Bluetooth and Wi-Fi.

Contribution

It demonstrates real-world coexistence attacks on popular chips, exposing security flaws and highlighting the need for hardware redesigns to ensure separation and security.

Findings

Bluetooth can extract network passwords

Wi-Fi traffic can be manipulated

Partial vendor fixes are insufficient

Abstract

Modern mobile devices feature multiple wireless technologies, such as Bluetooth, Wi-Fi, and LTE. Each of them is implemented within a separate wireless chip, sometimes packaged as combo chips. However, these chips share components and resources, such as the same antenna or wireless spectrum. Wireless coexistence interfaces enable them to schedule packets without collisions despite shared resources, essential to maximizing networking performance. Today's hardwired coexistence interfaces hinder clear security boundaries and separation between chips and chip components. This paper shows practical coexistence attacks on Broadcom, Cypress, and Silicon Labs chips deployed in billions of devices. For example, we demonstrate that a Bluetooth chip can directly extract network passwords and manipulate traffic on a Wi-Fi chip. Coexistence attacks enable a novel type of lateral privilege escalation across chip boundaries. We responsibly disclosed the vulnerabilities to the vendors. Yet, only partial fixes were released for existing hardware since wireless chips would need to be redesigned from the ground up to prevent the presented attacks on coexistence.