Spectra: Breaking Separation Between Wireless Chips

Conference:  BlackHat USA 2020



The presentation discusses vulnerabilities in Bluetooth and Wi-Fi chips and the difficulty in fixing them due to hardware design. Collaboration with hardware vendors is necessary to address the issue.
  • Bluetooth and Wi-Fi chips have vulnerabilities that can be exploited through code execution and side channel measurement
  • Fixing the issue is difficult because the flaw sits at a low level of the hardware design
  • Collaboration with hardware vendors is necessary to address the issue
  • Qualcomm is not vulnerable due to a combined core for Wi-Fi and Bluetooth
  • Documentation and building proof of concept is necessary to identify vulnerable chips
The presenter mentioned that some vendors claimed they were not vulnerable because they already had a shared core for Wi-Fi and Bluetooth, while others admitted vulnerability to denial of service but not to code execution. It is important to read documentation and build proof of concept to identify vulnerable chips.


Nowadays wireless technologies are increasingly sharing spectrum. This is the case for Wi-Fi and Bluetooth, but also for some LTE bands and harmonics. Operating on the same frequency means that these different technologies need to coordinate wireless spectrum access to avoid collisions. Especially for nearby sources, as is the case for multiple chips within one smartphone, so-called coexistence is the key to high-performance spectrum sharing.

Coexistence between wireless chips can be implemented in various ways. While there are open specifications, most manufacturers opt to develop proprietary coexistence mechanisms to further improve performance. Open interfaces are not needed on combo chips that implement multiple wireless technologies, as the manufacturer has full control.

Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. While coexistence should only increase performance, it also poses a powerful side channel.

We are the first to explore side-channel attacks on wireless coexistence. We specifically analyze Broadcom and Cypress combo chips, which are in hundreds of millions of devices, such as all iPhones, MacBooks, and the Samsung Galaxy S series. Note that other manufacturers also rely on coexistence and similar attacks might apply.

We exploit coexistence in Broadcom and Cypress chips and break the separation between Wi-Fi and Bluetooth, which operate on separate ARM cores. In general, denial-of-service on spectrum access is possible. The associated packet meta information allows information disclosure, such as extracting Bluetooth keyboard press timings within the Wi-Fi D11 core. Moreover, we identify a shared RAM region, which allows code execution via Bluetooth in Wi-Fi. This makes Bluetooth remote code execution attacks equivalent to Wi-Fi remote code execution, thus tremendously increasing the attack surface. During code execution within the Wi-Fi firmware, we even experience kernel panics on Android and iOS.
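The abstract's central point is that channel arbitration itself is an observable: the Wi-Fi side never decodes a Bluetooth frame, yet the times at which its own transmit requests are denied reproduce the Bluetooth activity schedule, and a keyboard's activity schedule is its keystroke timing. The toy model below makes that concrete. It is an added illustration written for this page, not code from the talk or from Broadcom or Cypress firmware; the `Arbiter` class, the "Bluetooth always wins" policy, the polling Wi-Fi requester and the keystroke timestamps are all constructed assumptions, and only the 625 µs Bluetooth slot length is a real constant.

```python
"""Toy model of a wireless-coexistence timing side channel (constructed example).

Two radios share one spectrum through a minimal arbiter: while Bluetooth is on
air, every Wi-Fi transmit request is denied. The Wi-Fi side sees no Bluetooth
payload, only its own denial timestamps, and from those it can rebuild the
inter-keystroke intervals of a Bluetooth keyboard. This is a model of the
principle, not of any vendor's real coexistence interface.
"""
from dataclasses import dataclass, field
from typing import List

BT_SLOT_US = 625  # length of one Bluetooth time slot, in microseconds


@dataclass
class Arbiter:
    """Assumed arbitration policy: Bluetooth has priority, Wi-Fi waits."""
    busy_until_us: int = -1
    # Timestamps of denied Wi-Fi requests: the only signal the Wi-Fi side gets.
    wifi_denials_us: List[int] = field(default_factory=list)

    def bt_transmit(self, now_us: int, slots: int = 1) -> None:
        """Bluetooth claims the channel for `slots` slots starting now."""
        self.busy_until_us = max(self.busy_until_us, now_us + slots * BT_SLOT_US)

    def wifi_request(self, now_us: int) -> bool:
        """Wi-Fi asks for the channel; denied while Bluetooth holds it."""
        granted = now_us >= self.busy_until_us
        if not granted:
            self.wifi_denials_us.append(now_us)
        return granted


def run(keystroke_times_us: List[int], poll_us: int = 100) -> List[int]:
    """Replay keystroke-triggered Bluetooth transmissions and periodic Wi-Fi
    requests through the arbiter in time order; return the denial log."""
    arb = Arbiter()
    horizon = max(keystroke_times_us) + 2 * BT_SLOT_US
    events = [(t, 0, "bt") for t in keystroke_times_us]
    events += [(t, 1, "wifi") for t in range(0, horizon, poll_us)]
    for t, _, kind in sorted(events):  # a BT event at time t precedes a Wi-Fi poll at t
        if kind == "bt":
            arb.bt_transmit(t)
        else:
            arb.wifi_request(t)
    return arb.wifi_denials_us


def bursts(denials_us: List[int], poll_us: int) -> List[int]:
    """Cluster consecutive denials into bursts; each burst's first timestamp
    marks one Bluetooth transmission as seen from the Wi-Fi side."""
    starts: List[int] = []
    prev = None
    for t in denials_us:
        if prev is None or t - prev > poll_us:
            starts.append(t)
        prev = t
    return starts


def recovered_intervals(keystroke_times_us: List[int], poll_us: int = 100) -> List[int]:
    """Inter-keystroke intervals as reconstructed purely from Wi-Fi denials."""
    starts = bursts(run(keystroke_times_us, poll_us), poll_us)
    return [b - a for a, b in zip(starts, starts[1:])]


if __name__ == "__main__":
    # Constructed keystroke times (microseconds); true intervals 2400, 900, 5650.
    keystrokes = [1000, 3400, 4300, 9950]
    print("true     :", [b - a for a, b in zip(keystrokes, keystrokes[1:])])
    print("recovered:", recovered_intervals(keystrokes))
```

Run it and the recovered intervals match the true ones to within one polling period; the Wi-Fi side learns typing rhythm without ever touching Bluetooth data. Lowering the observer's resolution (try `poll_us=1000`) blurs and even drops short transmissions, which is why the talk's point that a real fix has to come from the hardware arbitration design, not from firmware alone, matters: the leak exists as long as one core can time the other's channel grants.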