Broadcom chip bug opened 1 billion phones to a Wi-Fi-hopping worm attack

Broadcom chip bug opened 1 billion phones to a Wi-Fi-hopping worm attackIt's not often that a security researcher devises an attack that can unleash a self-replicating attack which, with no user interaction, threatens 1 billion smartphones. But that's just what Nitay Artenstein of Exodus Intelligence did in a feat that affected both iOS and Android devices.

At the Black Hat security conference, Artenstein demonstrated proof-of-concept attack code that exploited a vulnerability in Wi-Fi chips manufactured by Broadcom. It fills the airwaves with probes that request connections to nearby computing devices. When the specially devised requests reach a device using the BCM43xx family of Wi-Fi chipsets, the attack rewrites the firmware that controls the chip. The compromised chip then sends the same malicious packets to other vulnerable devices, setting off a potential chain reaction. Until early July and last week—when Google and Apple issued patches respectively—an estimated 1 billion devices were vulnerable to the attack. Artenstein has dubbed the worm "Broadpwn."

Although the flaw is now closed, the hack has important lessons as engineers continue their quest to secure mobile phones and other computing devices. Security protections such as address space layout randomization and data execution prevention have now become standard parts of the operating systems and apps. As a result, attackers have to work hard to exploit buffer overflows and other types of software vulnerabilities. That extra work largely makes self-replicating worms impossible. Artenstein's exploit, however, suggests that such worms are by no means impossible.

"This research is an attempt to demonstrate what such an attack, and such a bug, will look like," the researcher wrote in a detailed blog post. "Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of Wi-Fi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."

In sharp contrast to the kernels in iOS and Android, the Broadcom chips Artenstein targeted aren't protected by ASLR or DEP. That meant he could reliably know where his malicious code would be loaded in chip memory so he could ensure it got executed. Additionally, he found a flaw across various chipset firmware versions that allowed his code to work universally rather than having to be customized for each firmware build. Making the attack even more potent, targets didn't have to connect to the attacker's Wi-Fi network. Simply having Wi-Fi turned on was sufficient to being hacked.

Artenstein said his attack worked on a wide range of phones, including all iPhones since the iPhone 5, Google's Nexus 5, 6, 6X and 6P models, Samsung Notes 3 devices, and Samsung Galaxy devices from S3 to S8. After he privately reported the flaw, Google and Apple released patches that closed the underlying vulnerability that made the attack possible. Because Wi-Fi chipsets in laptop and desktop computers have more limited access to the computer's networking functions, the researcher doesn't believe they are vulnerable to the same attack. While Artenstein's proof of concept didn't spread from the Wi-Fi chip to infect the phone's kernel, he said that additional step is well within the means of determined hackers.

The remote code-execution vulnerability is the second one to be fixed by Broadcom this year. In April, both Apple and Google patched a separate critical flaw in the manufacturer's Wi-Fi chipsets. Gal Beniamini, the Google Project Zero researcher who discovered the vulnerability, said the absence of security mitigations made his proof-of-concept exploit relatively easy to develop. Together, the flaws suggest a potentially more promising avenue for attackers targeting smart phones.

"Old school hackers often miss the 'good old days' of the early 2000s, when remotely exploitable bugs were abundant, no mitigations were in place to stop them, and worms and malware ran rampant," Artenstein wrote. "But with new research opening previously unknown attack surface such as the BCM Wi-Fi chip, those times may just be making a comeback."

Source: Ars Technica

Tags: security, smartphones

Comments
Add comment

Your name:
Sign in with:
or
Your comment:


Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party


Last news

 
Galaxy Note10 really is built around a 6.7-inch display
 
You may still be able to download your content
 
Facebook, Messenger and Instagram are all going away
 
Minimize apps to a floating, always-on-top bubble
 
Japan Display has been providing LCDs for the iPhone XR, the only LCD model in Apple’s 2018 line-up
 
The 2001 operating system has reached its lowest share level
 
The entire TSMC 5nm design infrastructure is available now from TSMC
 
The smartphone uses a Snapdragon 660 processor running Android 9 Pie
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 / 2
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
 
 

News Archive

 
 
SuMoTuWeThFrSa
1234567
891011121314
15161718192021
22232425262728
293031    




Poll

Do you use microSD card with your phone?
or leave your own version in comments (15)