Broadcom Broadpwn

Security researchers recently found a bug in Broadcom wireless chips used in various phones including iPhones and Android devices that allows a hacker to gain remote execution access on smartphones. Fortunately, both Google and Apple have fixed the bug and are rolling out the fixes.

The flaw was found and demoed by Nitay Artenstein, a researcher at Exodus Intelligence, at the Black Hat security conference in Las Vegas recently. He exposed the vulnerability of Wi-Fi chips that was a critical threat to about 1 billion Android and iOS smartphones.

Wi-Fi

As per the reports, this vulnerability was found in the BCM43xx family of Wi-Fi chips manufactured by Broadcom. Artenstein demonstrated the bug with a proof-of-concept attack code that took advantage of the vulnerability of chips. Artenstein has dubbed the bug as ‘Broadpwn’.

The attack code fills airwaves with connection requests to nearby devices. When the request reaches the specified devices, particularly those with Wi-Fi chipsets, it rewrites the firmware controlling the chip. Then, the compromised chip sends malicious packets to other exploitable devices, thus creating a domino effect.

Artenstein further explains in his report that in order for the attack to begin, targeted devices don’t even need to connect to the malicious network. Simply having Wi-Fi turned on was enough to get affected.

The attack worked on a number of smartphones, including iPhone 5, Google’s Nexus 5, Nexus 6, Nexus 5X, Nexus 6P, Samsung Galaxy Notes 3, and Samsung Galaxy flagship devices like Galaxy S8 as well.

The report further states that Artenstein contacted Google and Apple to make them aware of the bug. Google released a security patch early in July to prevent any such ripple effect to start. Apple also has released a fix last week as well, preventing this self-replicating attack to spread on a larger number of devices.

Artenstein wrote in a blog post,

“This research is an attempt to demonstrate what such an attack, and such a bug, will look like. Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of Wi-Fi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit.”