Figure 2: Bluetooth vulnerabilities from the year 2002 to 2022 including the release of InternalBlue [3]
Remote Code Execution through Malicious Packets
Aside from traditional cryptographic attacks, wireless security must also defend against attacks on the implementation of a protocol. Typically, the wireless stack is implemented on a separate co-processor running its own code separate from the main application processor. Attackers can target this specific chip and exploit vulnerabilities within its programming.
A possible attack vector is the packet parsing routine used by the co-processor to decode received messages. This kind of attack falls under the category of binary exploitation and in some cases can be used to gain remote code execution on the co-processor [8].
Once the co-processor is exploited, attackers could use it to eavesdrop on phone calls, inject new packets (e.g. keystrokes of a Bluetooth keyboard), or intercept encrypted traffic. Beyond governments using such exploits for surveillance, there is a risk that human rights activists and journalists are specifically targeted. Security research and ethical reporting are therefore important to ensure safe communication for everyone.
Pre-authentication vulnerabilities can be exploited before two devices authenticate to each other. This makes them particularly dangerous because they can be executed without any prior relationship between the devices. Remote exploits are used to send malicious packets over the internet to target devices. This expands the attack surface and allows attacks to be launched from anywhere in the world.
Real-world Example: Shannon Attack
One attack combines security flaws in a popular hardware component used in Google and Samsung phones to connect to cellular networks. It falls into the category of packet parsing attacks. The packets are transmitted over the internet and attackers can remotely gain code execution on the victim’s phone by simply making a Voice over LTE (VoLTE) call.
The affected Shannon baseband chip, which is responsible for parsing certain cellular packets, lacked mitigations available in modern mobile operating systems and, due to programming errors, allowed attackers to compromise it by crafting a malicious VoLTE packet. An important aspect of this exploit was its potential to allow for 0-click attacks. This type of attack does not require the victim to interact with the device to be exploited. Packets sent over a pre-authenticated connection were used to trigger the exploit, making the attack more difficult to detect. Despite its complexity, the development of similar exploits can be quite quick. Recent attacks on the Linux Wi-Fi stack were developed within months using fuzzing techniques [10].
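The packet-parsing bug class described above (a length field taken from the air and trusted when copying into a fixed buffer) is what the checks in the following parser guard against. This is an added example written for this page, not code from the lecture, from the Shannon baseband, or from any Bluetooth firmware; the type-length-value format, the two accepted type codes and the 16-byte destination size are assumptions chosen for illustration, and the same bounding applies to any length-prefixed element format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not code from the lecture or from any baseband or
 * Bluetooth firmware. The message format is an assumption: a sequence of
 * type-length-value elements, [type:1][len:1][value:len], as a co-processor
 * might decode from a received frame. The bug class described in the text is
 * a parser that trusts `len` from the air and copies into a fixed buffer;
 * here every copy is bounded against both the packet and the destination. */

#define ELEM_VALUE_MAX 16           /* fixed destination size (assumption) */

enum parse_result {
    PARSE_OK = 0,
    PARSE_ERR_TRUNCATED,            /* len claims more bytes than the packet holds */
    PARSE_ERR_TOO_LARGE,            /* len exceeds the destination buffer */
    PARSE_ERR_BAD_TYPE              /* element type not in the allow-list */
};

struct element {
    uint8_t type;
    uint8_t len;
    uint8_t value[ELEM_VALUE_MAX];
};

/* Only element types this receiver understands are decoded; anything else is
 * rejected rather than interpreted. The two type codes are assumptions. */
static int type_allowed(uint8_t t) { return t == 0x01 || t == 0x02; }

/* Parse one element at pkt[*off]; on success copy it to *out and advance *off. */
enum parse_result parse_element(const uint8_t *pkt, size_t pkt_len,
                                size_t *off, struct element *out)
{
    if (*off >= pkt_len || pkt_len - *off < 2)   /* need the type and len bytes */
        return PARSE_ERR_TRUNCATED;
    uint8_t type = pkt[*off];
    uint8_t len  = pkt[*off + 1];
    if (!type_allowed(type))
        return PARSE_ERR_BAD_TYPE;
    if (len > ELEM_VALUE_MAX)               /* the check the bug class omits */
        return PARSE_ERR_TOO_LARGE;
    if (pkt_len - *off - 2 < len)           /* over-read guard */
        return PARSE_ERR_TRUNCATED;
    out->type = type;
    out->len  = len;
    memcpy(out->value, pkt + *off + 2, len);
    *off += 2 + (size_t)len;
    return PARSE_OK;
}

/* Walk a whole packet. Returns the number of elements accepted and reports the
 * first error (or PARSE_OK) through *err; parsing stops at the first bad one. */
int parse_packet(const uint8_t *pkt, size_t pkt_len,
                 struct element *elems, size_t max_elems, enum parse_result *err)
{
    size_t off = 0;
    size_t n = 0;
    *err = PARSE_OK;
    while (off < pkt_len && n < max_elems) {
        enum parse_result r = parse_element(pkt, pkt_len, &off, &elems[n]);
        if (r != PARSE_OK) { *err = r; break; }
        n++;
    }
    return (int)n;
}

/* Single-value helpers for the demo and for checking the parser. */
int packet_element_count(const uint8_t *pkt, size_t pkt_len)
{
    struct element e[8]; enum parse_result err;
    return parse_packet(pkt, pkt_len, e, 8, &err);
}
int packet_status(const uint8_t *pkt, size_t pkt_len)
{
    struct element e[8]; enum parse_result err;
    parse_packet(pkt, pkt_len, e, 8, &err);
    return (int)err;
}

/* Constructed sample frames. */
static const uint8_t FRAME_GOOD[]      = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x01, 0x7f };
static const uint8_t FRAME_OVERSIZED[] = { 0x01, 0xff, 'x' };            /* len 255 > 16 */
static const uint8_t FRAME_TRUNCATED[] = { 0x02, 0x04, 0x01, 0x02 };     /* claims 4, has 2 */
static const uint8_t FRAME_BAD_TYPE[]  = { 0x09, 0x01, 0x00 };

int main(void)
{
    printf("good:      %d elements, status %d\n",
           packet_element_count(FRAME_GOOD, sizeof FRAME_GOOD),
           packet_status(FRAME_GOOD, sizeof FRAME_GOOD));
    printf("oversized: status %d\n", packet_status(FRAME_OVERSIZED, sizeof FRAME_OVERSIZED));
    printf("truncated: status %d\n", packet_status(FRAME_TRUNCATED, sizeof FRAME_TRUNCATED));
    printf("bad type:  status %d\n", packet_status(FRAME_BAD_TYPE, sizeof FRAME_BAD_TYPE));
    return 0;
}
```

The two length checks are deliberately separate: one bounds the copy against the destination buffer, the other against the bytes actually received, since a parser can be wrong in either direction (a write past the stack buffer or a read past the end of the frame). The type allow-list matters for the same reason the text gives for pre-authentication bugs: every element type the firmware is willing to decode before any pairing or authentication is reachable by anyone in radio range.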
Attacking Wireless Hardware
Known attacks mostly target one single technology or component in victim devices. When looking at the physical layer of certain wireless protocols, they share similarities that may offer new attack surfaces. One example is the pair of Wi-Fi and Bluetooth, both transmitting data over the 2.4 GHz band. As such, both protocols must work around each other. Bluetooth does this by blacklisting certain frequencies and Wi-Fi by rescheduling packets to avoid traffic. In modern hardware, the components responsible for Wi-Fi and Bluetooth often share a communication link to work together [1]. Implementations range from simply locking out the other chip during transmission to sharing buffers between Wi-Fi and Bluetooth hardware. The latter configuration allows an attack that modifies the Bluetooth chip's firmware to write instructions to shared memory for the Wi-Fi chip to execute code and crash the component. This attack could allow attackers to jump the gap between components in an exploit chain to gain more privileges after compromising the Bluetooth hardware.
Detecting and mitigating this kind of attack requires knowledge of the existing connections between components. Modern devices may contain multiple wireless components that are connected in hardware. Over the lifetime of the product or during development, updates may remove the features making use of these connections, but components could potentially still talk to each other through these channels. Attackers armed with this knowledge could use undocumented or inactive interfaces to move between components thought to be isolated from one another.
Signal-Based Relay and Boosting Attacks
The Bluetooth protocol and NFC are susceptible to signal-based relay attacks where the signal received by the antenna is relayed from another location to the victim device.
Researchers at TU Darmstadt built nfcgate to relay NFC communication over the internet between two Android devices [5]. They demonstrated their system by paying for a meal at their university's dining hall from another city. A possible mitigation for this kind of attack would be a plausibility check on the time between the security challenge and the response. This way, implausible delays caused by the internet would give away the attack and the reader could reject the authentication.
A similar attack is also being used by car thieves to unlock cars using wireless key fobs. The fob must be close to the vehicle to unlock the doors, but by amplifying the signal to reach beyond this range, the car can be unlocked without the key. More recent technologies such as Ultra-Wideband (UWB) support fine and secure ranging and could make this kind of attack harder to execute. Researchers have also identified problems with early versions of UWB which allow for similar range-boosting attacks.
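The plausibility check proposed for the NFC relay above, and the reason key-fob relays succeed when no such check exists, can be shown with a small reader-side simulation. This is an added example written for this page, not code from nfcgate, from the lecture, or from any reader or vehicle vendor; the 5 ms deadline, the mixing function that stands in for the real keyed response, and the clock values are all constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not code from nfcgate or from any reader or vehicle
 * vendor. It models the reader side of a challenge/response round and adds the
 * plausibility check described in the text: the answer is rejected when the
 * time between sending the challenge and receiving the response is longer than
 * a card or fob at the antenna could plausibly need. Timestamps are passed in
 * as microseconds so the logic runs deterministically; a real reader would
 * read a monotonic clock at both points. */

#define RESPONSE_DEADLINE_US 5000u   /* assumption: 5 ms ceiling for a local token */

enum verdict {
    ACCEPT = 0,
    REJECT_TOO_SLOW,        /* correct answer, implausible delay: relay signature */
    REJECT_BAD_RESPONSE,    /* answer does not match the challenge */
    REJECT_NO_SESSION       /* no outstanding challenge (duplicate or replayed answer) */
};

struct reader_session {
    uint32_t challenge;     /* nonce sent to the token */
    uint64_t sent_at_us;    /* when the challenge left the antenna */
    int      open;          /* 1 while exactly one answer is still expected */
};

/* Stand-in for the real keyed response computation (a MAC in practice). It is
 * a mixing function only, so that the example is self-contained; the timing
 * check does not depend on which function is used here. */
static uint32_t expected_response(uint32_t key, uint32_t challenge)
{
    uint32_t x = challenge ^ key;
    x ^= x >> 13;
    x *= 0x9e3779b1u;
    x ^= x >> 16;
    return x;
}

void issue_challenge(struct reader_session *s, uint32_t nonce, uint64_t now_us)
{
    s->challenge  = nonce;
    s->sent_at_us = now_us;
    s->open       = 1;
}

enum verdict verify_response(struct reader_session *s, uint32_t key,
                             uint32_t response, uint64_t now_us)
{
    if (!s->open)
        return REJECT_NO_SESSION;
    s->open = 0;                            /* one challenge, one answer */
    uint64_t elapsed = now_us - s->sent_at_us;
    if (elapsed > RESPONSE_DEADLINE_US)     /* the check that exposes a relay */
        return REJECT_TOO_SLOW;
    if (response != expected_response(key, s->challenge))
        return REJECT_BAD_RESPONSE;
    return ACCEPT;
}

/* Simulate one transaction. The token always answers honestly; `rtt_us` is how
 * long the answer took to arrive (a relay over the internet adds tens of
 * milliseconds), and `tamper` corrupts the answer to show the other reject path. */
enum verdict run_transaction(uint32_t key, uint32_t nonce, uint64_t rtt_us, int tamper)
{
    struct reader_session s;
    const uint64_t t0 = 1000;               /* constructed clock value */
    issue_challenge(&s, nonce, t0);
    uint32_t answer = expected_response(key, nonce);
    if (tamper) answer ^= 1u;
    return verify_response(&s, key, answer, t0 + rtt_us);
}

int main(void)
{
    printf("local token,   0.8 ms: verdict %d\n", run_transaction(0xC0FFEEu, 42, 800, 0));
    printf("relayed token, 120 ms: verdict %d\n", run_transaction(0xC0FFEEu, 42, 120000, 0));
    printf("wrong answer,  0.8 ms: verdict %d\n", run_transaction(0xC0FFEEu, 42, 800, 1));
    return 0;
}
```

The relayed case is the instructive one: the answer is cryptographically correct, because a genuine card computed it, and only the elapsed time reveals that the card was not at the antenna. The deadline has to be set from the token's own processing time plus a small margin; a generous frame-waiting allowance is exactly what makes a relay over the internet fit within it. A check at this granularity can catch internet-scale delays but not a short-range amplifier, which is why the fine-grained time-of-flight ranging of UWB mentioned above is needed for the key-fob case.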
Summary
Wireless security is important because an attacker can overhear, modify, and send anything on a wireless channel. Attacks can target the protocol and cryptography in use or focus on implementations of the protocol. Cryptographic attacks occur mostly due to insecurities in network protocols. To prevent this, devices use a multi-layer encryption approach to protect sensitive data. InternalBlue allows researchers to modify the firmware of Bluetooth chips, leading to an increase in vulnerability discoveries in 2018. Targeting the implementation of a particular protocol, e.g. the packet parsing routine, can allow attackers to compromise a device's co-processor and gain remote code execution. Such attacks have been found in practice. Wireless communication also presents additional security challenges due to its inherent ability to work without physical proximity between participants, and it can be vulnerable to range boosting or relaying.
References
[1] Apple Support. 2024. Systemsicherheit bei watchOS (June 2024). Retrieved June 25, 2024 from support.apple.com/de-de/guide/security/secc7d85209d/web.
[2] Bluetooth® Technology Website. 2024. Reporting Security Vulnerabilities | Bluetooth® Technology Website (June 2024). Retrieved June 18, 2024 from www.bluetooth.com/learn-about%20-bluetooth/key-attributes/bluetooth-security/reporting-security/.
[3] Jiska Classen. 2024. Wireless Security. Lecture Series on HPI Research SoSe 2024.
[4] D. Dolev and A. Yao. 1983. On the security of public key protocols. IEEE Trans. Inform. Theory 29, 2, 198–208. DOI: doi.org/10.1109/TIT.1983.1056650.
[5] GitHub. 2024. nfcgate/nfcgate: An NFC research toolkit application for Android (June 2024). Retrieved June 18, 2024 from github.com/nfcgate/nfcgate.
[6] GitHub. 2024. seemoo-lab/internalblue: Bluetooth experimentation framework for Broadcom and Cypress chips (June 2024). Retrieved June 19, 2024 from github.com/seemoo-lab/internalblue.
[7] Dennis Heinze, Jiska Classen, and Felix Rohrbach. 2020. MagicPairing. In WiSec'20. Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks : July 8-20, 2020, Linz (Virtual Event), Austria. The Association for Computing Machinery, New York, New York, 111–121. DOI: doi.org/10.1145/3395351.3399343.
[8] Jan Ruge, Jiska Classen, Francesco Gringoli, and Matthias Hollick. 2020. Frankenstein: Advanced Wireless Fuzzing to Exploit New Bluetooth Escalation Targets. In 29th USENIX Conference on Security Symposium (SEC'20). August 12 - 14, 2020. USENIX Association, Berkeley, CA, 19–36.
[9] Security Today. 2024. Just Why Are So Many Cyber Breaches Due to Human Error? -- Security Today (June 2024). Retrieved June 18, 2024 from securitytoday.com/articles/2022/07/30/just-why-are-so-many-cyber-breaches-due-to-human-error.aspx.
[10] Sönke Huster, Matthias Hollick, and Jiska Classen. 2023. To Boldly Go Where No Fuzzer Has Gone Before: Finding Bugs in Linux' Wireless Stacks through VirtIO Devices. In 2024 IEEE Symposium on Security and Privacy (SP). DOI: doi.org/10.1109/SP54263.2024.00024.
[11] 2014. websdr.org (October 2014). Retrieved June 18, 2024 from websdr.org/.