“Wireless communication is completely broken,” is how Jiska Classen from the Secure Mobile Networking Lab at TU Darmstadt (SEEMOO) sums up the situation. For example, a smartphone’s Wi-Fi can be switched off and blocked via Bluetooth. To do so, the researcher chains two vulnerabilities in the firmware of a Broadcom Bluetooth chip. The flaws have since been fixed, but far from all affected devices have received an update. With a new analysis tool, even more vulnerabilities could be found.
At the 36C3 hacking congress, Classen explained that Wi-Fi and Bluetooth have more in common than one might think. Both transmit in the 2.4 GHz band and often share a single antenna, which they use in turn. The Bluetooth and Wi-Fi chip components therefore have to coordinate, since they cannot transmit at the same time. Chip manufacturer Broadcom connects the two components through a serial coexistence interface, and the protocols running on the separate cores hand the antenna back and forth over it. If, for example, a video is streamed over Wi-Fi while the sound is played on a Bluetooth headset, this only works without interference if Bluetooth and Wi-Fi transmit alternately in a coordinated way. “It’s super fun, as long as the chips can trust each other to release the resources again,” Classen told Golem.de.
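The trust assumption in that last sentence is the whole problem: a coexistence scheme works only as long as each core gives the antenna back. The following is an added, constructed model, not Broadcom's coexistence protocol and not code from the researchers. It simulates a shared-antenna arbiter between a `bt` core and a `wifi` core, shows how a core that never releases starves the other (the denial-of-service the article describes), and shows how a lease with a maximum hold time lets the arbiter reclaim the antenna and log the event. The core names, slot timing and `max_hold` parameter are assumptions made for the illustration.

```python
"""Toy model of a shared-antenna arbiter between a Bluetooth core and a
Wi-Fi core. Constructed for illustration only; it is not Broadcom's
coexistence interface and makes no claim about how the real one works."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AntennaArbiter:
    """Grants the single antenna to one core per time slot.

    max_hold: maximum consecutive slots a core may keep the antenna before
    the arbiter forcibly reclaims it. None means the arbiter fully trusts
    the cores to release it themselves (no mitigation).
    """
    max_hold: Optional[int] = None
    owner: Optional[str] = None
    held_for: int = 0
    last_owner: Optional[str] = None
    now: int = 0
    reclaims: list = field(default_factory=list)  # audit trail: (slot, core)

    def release(self, core: str) -> None:
        """A cooperative core hands the antenna back at the end of a slot."""
        if self.owner == core:
            self.last_owner = core
            self.owner = None

    def arbitrate(self, wants: dict) -> Optional[str]:
        """Run one time slot and return the core holding the antenna."""
        self.now += 1
        if self.owner is not None:
            self.held_for += 1
            if self.max_hold is not None and self.held_for > self.max_hold:
                # Lease expired: reclaim and record it for later inspection.
                self.reclaims.append((self.now, self.owner))
                self.last_owner = self.owner
                self.owner = None
            else:
                return self.owner
        candidates = [core for core, wanted in wants.items() if wanted]
        if not candidates:
            return None
        # Fairness rule: prefer whichever core did not hold the antenna last.
        candidates.sort(key=lambda core: core == self.last_owner)
        self.owner = candidates[0]
        self.held_for = 1
        return self.owner


def simulate(bt_releases: bool, max_hold: Optional[int], slots: int = 20) -> dict:
    """Both cores want the antenna in every slot. Wi-Fi always releases it at
    the end of a slot; Bluetooth releases only when bt_releases is True."""
    arb = AntennaArbiter(max_hold=max_hold)
    grants = {"bt": 0, "wifi": 0}
    for _ in range(slots):
        holder = arb.arbitrate({"bt": True, "wifi": True})
        if holder is not None:
            grants[holder] += 1
        if bt_releases:
            arb.release("bt")
        arb.release("wifi")
    return {"grants": grants, "reclaims": len(arb.reclaims)}


if __name__ == "__main__":
    print("cooperative, no lease:  ", simulate(True, None))
    print("bt never releases, no lease:", simulate(False, None))   # wifi starves
    print("bt never releases, lease=2: ", simulate(False, 2))      # wifi gets slots back
```

With no lease a misbehaving Bluetooth core holds the antenna for all 20 slots and Wi-Fi never transmits; with `max_hold=2` the arbiter reclaims the antenna every third slot and the `reclaims` list gives a defender something to alert on, while a cooperative core is never affected by the lease.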
When Bluetooth steals the antenna from Wi-Fi
Together with Francesco Gringoli, Classen examined several Broadcom chips found in many iPhones and Android smartphones. The two succeeded in executing code on the chips and in controlling one chip component from the other: Classen could seize the antenna via Bluetooth and switch off the Wi-Fi, and conversely Gringoli could block the antenna via Wi-Fi.
The two security researchers reported the vulnerability to the companies concerned, including Broadcom and Apple. “The vulnerability should have been fixed since iOS 13; we also show up in the credits, but we can still take advantage of the coexistence gap,” Classen explained. The iPhone SE, 7, 8, X and XR are affected; more recent models still need to be tested. Another bug in the iPhones meant that not only the chip but the entire operating system could be crashed via coexistence. A year ago, Classen had already shown a DoS attack on Broadcom Bluetooth chips.
Code execution remotely or via Checkm8
Via Checkm8, the unpatchable iPhone jailbreak released in September, code can also be executed on the Broadcom chip without a remote code execution (RCE) vulnerability, and the Wi-Fi or Bluetooth switched off, but only with physical access to the device.
Through another vulnerability (CVE-2019-11516), the security researchers were able to execute code on the Broadcom chip remotely. The research group also discovered this RCE flaw in the Broadcom firmware and reported it to the manufacturers. The vulnerability was fixed with the Android patch level of August 5, but the corresponding updates have to be distributed by the device manufacturers, which often does not happen.
“If you can run code on a chip, you can also crash it or read the pairing keys,” Classen explained. “If users use the Smart Lock function, with which Android smartphones are automatically unlocked as soon as a certain device connected via Bluetooth is within range, we can unlock the smartphone via Bluetooth – we can read out the pairing key.”