Researchers from Exodus Intel recently published details on a flaw that exists on several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 Billion devices, from Android to iPhone. Just to name a few in the top list:
- Samsung Galaxy from S3 through S8, inclusive
- All Samsung Notes3. Nexus 5, 6, 6X and 6P
- All iPhones after iPhone 5
So how did this happen? And how does a bug affect so many different devices?
A smart phone nowadays is a very complicated mesh of interconnected chips. Besides the main processor, there are several other secondary processors handling specialized tasks which would otherwise clog up the main CPU. One of those is the WiFi chipset, which is responsible for WiFi radio communications — handling the PHY, MAC and MLME layers. When all the processing is complete, the radio chipset hands data packets over the kernel driver, which runs on the main CPU. This means that the radio chipset itself has to have some considerable data processing power to handle all this work. Alas, with great power comes great responsibility.
Broadpwn is a 0-day, fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets. The attack allows for code execution on the WiFi chipset itself (and also on the main application processor) on both Android and iOS. This chipset family is based on an ARM Cortex-R4 processor. Since this flaw directly exploits the WiFi chipset, it is independent of the underlying operating system in the main CPU. A similar bug, CVE-2017-0561, requires the attacker and the victim to be on the same WPA2 network. Broadpwn does not. It can be used to silently exploit any device in range of the attacker. This is possible because the bug exists in the way the WiFi chipset firmware handles an Association Response frame, prior to any actual authentication.
The researchers took things even further by effectively implementing what is most likely the first WiFi worm. A compromised device can be turned into a mobile infection station. In a nutshell, the attacker listens for a Probe Request. When a client issues it, the attacker impersonates the access point and triggers the vulnerability. The malicious code running on the victim can then replay this behaviour, propagating like a typical worm.
As security updates rolled out some time ago, the impact of this flaw to the average user is yet to be seen. Fortunately so far no known malware exploits it.