Smartphones using Broadcom Wi-Fi SOC can be hacked Over-the-Air

Security patch available only for Nexus & iOS
A stack buffer overflow issue that affects all devices using Broadcom’s Wi-Fi stack was discovered by Google’s Project Zero researcher Gal Beniamini.

The flaw affects Apple devices as well as all Android devices using Broadcom's Wi-Fi stack: an attacker within the smartphone's Wi-Fi range could remotely execute malicious code on the Broadcom Wi-Fi SoC.

The vulnerability allows an attacker to send Wi-Fi frames, crafted with abnormal values, to the Wi-Fi controller in order to overflow the firmware's stack.

The researcher combined this overflow with the chipset's frequent timer firings to gradually overwrite specific chunks of the device's memory until his malicious code is executed.

So, to exploit the flaw, an attacker only needs to be within Wi-Fi range of the affected device to silently take it over:

We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations — including stack cookies, safe unlinking and access permission protection (by means of an MPU).
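To make the bug class concrete, here is an added example written for this post; it is not Broadcom's firmware code and not Beniamini's exploit. It uses a hypothetical 802.11-style information element parser ([tag][len][value]) to show the unchecked length copy through which an abnormal value in a received frame can overrun a fixed stack buffer, beside a version that validates the length against both the destination buffer and the bytes the frame actually carries. The frames are constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical element layout, constructed for this example: [tag:1][len:1][value:len].
 * Real 802.11 information elements share this shape; the parsers are not Broadcom's code. */
#define IE_VALUE_MAX 32

/* Unsafe pattern: the len byte comes straight from the received frame and is used as the
 * memcpy size into a fixed stack buffer. Without stack cookies or an MPU, a len larger than
 * IE_VALUE_MAX runs past 'value' into the saved registers and return address. Shown for
 * comparison only; never call it with an untrusted frame. */
int parse_ie_unchecked(const uint8_t *frame, size_t frame_len)
{
    uint8_t value[IE_VALUE_MAX];
    if (frame_len < 2) return -1;
    memcpy(value, frame + 2, frame[1]);   /* no check against sizeof(value) or frame_len */
    return (int)frame[1];
}

/* Hardened: bound the length by the destination buffer and by the bytes actually present
 * before copying. Returns the copied length, or a negative error code. */
int parse_ie_checked(const uint8_t *frame, size_t frame_len)
{
    uint8_t value[IE_VALUE_MAX];
    if (frame_len < 2) return -1;          /* truncated header */
    size_t len = frame[1];
    if (len > sizeof(value)) return -2;    /* abnormal value: would overflow the stack buffer */
    if (len > frame_len - 2) return -3;    /* claims more payload than the frame carries */
    memcpy(value, frame + 2, len);
    return (int)len;
}

/* Constructed sample frames (not captured traffic); byte 0 is the tag, byte 1 the length. */
static const uint8_t frame_ok[]    = {0x01, 0x04, 0xde, 0xad, 0xbe, 0xef};
static const uint8_t frame_huge[]  = {0x01, 0xff, 0x00, 0x00};   /* len byte claims 255 */
static const uint8_t frame_short[] = {0x01, 0x0a, 0x00};         /* claims 10, carries 1 */

int main(void)
{
    printf("ok=%d huge=%d short=%d\n",
           parse_ie_checked(frame_ok, sizeof frame_ok),
           parse_ie_checked(frame_huge, sizeof frame_huge),
           parse_ie_checked(frame_short, sizeof frame_short));
    return 0;
}
```

The two rejected frames are exactly the "abnormal values" the post refers to: a length that exceeds the stack buffer, and a length that exceeds what was actually received.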

Gal Beniamini also published a proof-of-concept RCE exploit that successfully executes remote commands on a fully updated Nexus running Android 7.1.1:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1046#c2

For the full, highly detailed technical analysis, refer to the original Project Zero write-up:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1046#c2

Security Patch?

Apple published an emergency iOS 10.3.1 patch update to address this vulnerability on iPhones, iPads, and iPods.

Google is delivering updates via its Android April 2017 Security Bulletin, but the fix covers only Nexus devices, and the flaw still affects most Samsung flagship devices, such as:

  • Galaxy S7 (G930F, G930V)
  • Galaxy S7 Edge (G935F, G9350)
  • Galaxy S6 Edge (G925V)
  • Galaxy S5 (G900F)
  • Galaxy Note 4 (N910F)

References

https://bugs.chromium.org/p/project-zero/issues/detail?id=1046#c2