Researchers from Exodus Intelligence discovered a zero-day attack that threatens most of the popular smartphones on the market today. The hack is called Broadpwn and it affects devices running iOS and Android. Specifically all Samsung Galaxy S3 through Galaxy S8 devices are susceptible as are the Note 3, 6, 6X, and 6P, and the Apple iPhone 5 and up.
The vector for the attack is the Broadcom BCM43xx family of Wi-Fi chips used in all of those smartphones. Exodus writes in its research, "Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."
Broadpwn allows an attacker to execute code on the Wi-Fi chipset and on the main application processor on Android and iOS devices. The vulnerable Broadcom chips are the most common used on popular smartphones, including Nexus devices. Talking about why the Broadcom hardware was chosen, Exodus writes, "Another detail sealed our choice. Running some tests on Broadcom’s chips, we realised with joy that there was no ASLR and that the whole of RAM has RWX permissions – meaning that we can read, write and run code anywhere in memory."
The researchers say that with ASLR enabled gleaning the insight needed to have full execution ability for code, you sometimes need a separate infoleak to get that needed insight. To gain the information that the researchers needed to create Broadpwn, it chose to use an old router called the VMG-1312 that uses a Broadcom chipset. The needed information came in the brcmsmac driver code apparently accidentally open sourced by Broadcom. Exodus says that the proprietary Broadcom code ware a disclaimer stating, "This is UNPUBLISHED PROPRIETARY SOURCE CODE of Broadcom Corporation." The code is thought to have been published by mistake along with the other VGM-1312 resources.
Exodus states, "The leaked code contains most of the key functions we find in the firmware blob, but it appears to be dated, and does not contain much of the processing code for the newer 802.11 protocols. Yet it was extremely useful during the course of this research, since the main packet handling functions have not changed much. By comparing the source code with the firmware, we were able to get a quick high-level view of the packet processing code section, which enabled us to hone in on interesting code areas and focus on the next stage: finding a suitable bug."
Exodus eventually began searching for bugs in functions that parse association packets, and they found one eventually after some complex research and lots of hard work. The discovery of the bug was the easy part according to the researchers, they then had to write the remote exploit.
The researchers wrote, "In Broadpwn, both of these difficulties are mitigated by two main lucky facts: First, the addresses of all the relevant structures and data that we will use during the exploit are consistent for a given firmware build, meaning that we do not need any knowledge of dynamic addresses – after testing the exploit once on a given firmware build, it will be consistently reproducible. Second, crashing the chip is not particularly noisy. The main indication in the user interface is the disappearance of the WiFi icon, and a temporary disruption of connectivity as the chip resets."
The hard work the team at Exodus Intel put in has resulted in what they claim is the first Wi-Fi worm. The Broadpwn attack requires no authentication and doesn't need an infoleak from the device being targeted. The attack also has no need for complicated logic to carry out and once the attack is executed, the compromised device then becomes a mobile infection station. There is no word from Broadcom on a potential patch for this attack at this time.