A mobile vulnerability impacting devices using Broadcom chipsets connected to Wi-Fi networks was discovered by the Google Project Zero security team in February 2016. While this was over a year ago, the threat it poses is still relevant and has generated a large amount of subsequent buzz over the past couple weeks, so it’s worth examining further details.
Many vulnerabilities in mobile devices originate in apps or operating systems, but this one is hardware-related (or at least the firmware which controls the hardware). This flaw can permit an attacker on the same Wi-Fi network to take over a device using a technique known as remote code execution via a buffer overflow. Complicating things further, setting the appropriate Wi-Fi security on your home or office networks may not necessarily prevent this exploit from being leveraged as an attacker might trick users into connecting to a malicious open access point then targeting their devices.
Devices that haven’t been patched, are not be set up to receive patches, or on which updates are intentionally blocked (such as by irritated users) may be at risk. While this flaw has the potential to impact devices from various manufacturers, Apple has only recently released an emergency patch (iOS 1.3.1) to address the problem for the iPhone 5 and up, the iPad 4th generation and up and the iPod touch 6th generation and up.
Craig Young, computer security researcher for cyber security firm Tripwire and member of their VERT (Vulnerability and Exposures Research Team), provided the following comment:
“This is a prime example of a supply chain security problem. This system-on-chip (SoC) package providing Wi-Fi for all modern iPhones and several Samsung and Google/Nexus phones from recent years was never properly vetted for security issues before being integrated with any of these handsets. In general, packaged technology like this often evades security review, due to the difficulties associated with analyzing such low-level systems. Although it is unfortunate that neither Apple, Samsung, or Google (among others) didn’t recognize the vulnerability or require basic exploit mitigation features before putting the chipset into hundreds of millions of phones, owners of these phones should be grateful for Google’s Project Zero team for shedding light on this dark corner of mobile security.
Affected users with supported devices should be sure to apply updates as they become available since this could be an incredibly devastating attack due to the possibility of wireless exploitation without user interaction. If you do have a device with an affected Broadcom chip (i.e. iPhone 5, iPad, iPod, Nexus 5/6/6P, Samsung Galaxy, etc.), it is advisable to disable Wi-Fi when in public spaces until a fix is applied.”
In a blog post, Gal Beniamini of the Project Zero team at Google stated that the Broadcom chipset firmware had sub-par security settings and “lacks all basic exploit mitigations.” He also stated the vulnerability leverages Broadcom’s version of what is known as tunneled direct link setup (TDLS) which permits devices to exchange data as peers [without requiring user control] and pass data through a mutually-connected access point.”
Broadcom said its latest firmware uses certain memory protection components which can stave off such exploits; these components were present but not activated on the prior versions. Therefore, memory contents were subject to read, write and executable commands. Broadcom also stated that it is considering implementing other exploit mitigations in future firmware versions.
I had some follow-up questions for Young:
TechRepublic: Is this a common vulnerability?
Craig Young: “This vulnerability is common in that the affected platform component has been used in a large number of handsets. Whether the underlying mistake itself may be prevalent on similar components is unclear at this time. It is worth noting, however, that Google’s Project Zero research uncovered numerous memory corruption flaws on this specific Broadcom system-on-chip (SoC).”
TR: Can you provide some more specifics on how it exploits a device?
CY: “The vulnerability can be used to exploit the device by broadcasting crafted 802.11 Tunneled Direct Link Setup (TDLS) frames designed to overflow data structures in the chip’s heap memory until the desired shellcode has been written into an executable memory space and then overwriting a function pointer with the address of the shellcode. The end result of this process is that an attacker can send a series of specially crafted wireless messages to load arbitrary code onto the phone. In the example exploit provided on the Project Zero blog, the exploit does nothing more than writing a particular value at a particular address in the firmware’s RAM to demonstrate code execution. If this were a real attack, the hacker could compromise the confidentiality of all data sent over Wi-Fi and would also likely be able to take control of the phone’s main operating system. The fix for this set of issues was to improve memory handling in the firmware so as to prevent memory corruption through the various vulnerabilities discovered by Google.
TR: Are other vendors besides Apple producing or have produced a patch?
CY: “Google released fixes for Nexus 6, Nexus 6P, Nexus 9, Pixel C, Nexus Player in the April security update and Apple released a fix for supported iOS devices in version 10.3.1. I am not certain if Samsung and other affected vendors have released a fix already.”
Whether you’re an individual user or a system administrator, it’s highly recommended that you ensure your devices receive any available updates. Either conduct these steps below (where applicable), use your mobile device management solution (if applicable) to push out updates, or communicate these steps to your users:
For iOS devices, tap Settings, General and choose Software Update.
For Samsung Galaxy, Settings System Updates and tap Download updates manually.
For Nexus devices, go to Settings, scroll to the bottom and tap About phone or About tablet then select System updates.