Google And Apple Patch Serious Android And iOS Broadcom Wi-Fi Bug That Allowed Remote Execution Hack

Google Nexus 6P

Practically everyone who owns a smartphone should be on the lookout for a patch. Both Google and Apple this week released software updates for Android and iOS, respectively, to address a vulnerability discovered in Wi-Fi chipsets developed by Broadcom. If left unpatched, an attacker within range of the same Wi-Fi network could execute malicious code on a person's mobile device.

A researcher on Google's Project Zero team discovered the vulnerability and wrote about it in great detail (hit the source link for deep dive into the technical underpinnings of this exploit). Prior to Google releasing a patch for Android, the researcher demonstrated the hack on a fully patched Nexus 6P running Android 7.1.1 version NUF26K. Through the exploit, he was able to show a "full device takeover by Wi-Fi proximity along, requiring no user interaction."

"Two of the vulnerabilities can be triggered when connecting to networks supporting wireless roaming features; 802.11r Fast BSS Transition (FT), or Cisco’s CCKM roaming. On the one side, these vulnerabilities should be relatively straightforward to exploit - they are simple stack overflows. Moreover, the operating system running on the firmware (HNDRTE) does not use stack cookies, so there’s no additional information leak or bypass required," said Project Zero researcher Gal Beniamini.

Put another way, Beniamini reverse engineered Broadcom's firmware and found it was not as secure as it should be. More specifically, he said it lacks basic exploit mitigations, including stack cookies, safe unlinking, and access permission protection.

Broadcom's Wi-Fi chipsets are in wide use today. Android devices that uses the company's chips include the Nexus 5, 6, and 6P, and many of Samsung's flagship phones. And on iOS, all iPhones since the iPhone 4 and up are affected. Same goes for newer generation iPod touch and iPad devices.

In total Beniamini found 10 flaws in Broadcom's Wi-Fi chips. The good news here is that Broadcom has been high receptive to Beniamini's research and has taken steps to make newer versions of this chips more secure.