Google and Apple released security updates on Monday (April 03) which contained fixes for a security flaw in Broadcom WiFi SoC (System on Chip) firmware which otherwise could let attackers who are in WiFi range inject and run code on Android and iOS smartphones. Depending on the attacker's skills, they can deploy code that takes over the user's device and installs applications without the user's knowledge, such as adware, banking trojans, or ransomware. Considering how far WiFi signals travel, it’s possible hackers could target iPhones, iPads, and other mobile devices in your home simply by driving down the street and looking for wireless signals. Coffee shops, stores, and other public places would make good target areas, too.
The flaw was discovered by Google Project Zero security researcher Gal Beniamini, who said that the issue impacted iPhone 5 and newer, along with Google’s Nexus and several Samsung Galaxy models. Since Broadcom’s SoC is used in so many mobile devices and Wi-Fi routers, it’s a safe bet other smartphones and tablets are vulnerable, too.
According to Beniamini, there are two variants of the attack involving stack buffer overflows related to wireless roaming support. Another attack involves Tunneled Direct Link Setup, or TDLS, which allows devices on a network to share data directly with each other instead of first sending it back through the WiFi base station.
In his detailed 8,500-word blog post on the research, Beniamini wrote that he discovered the firmware running on Broadcom's wireless system-on-chip (SoC) can be tricked into overrunning its stack buffers. He was able to send carefully crafted wireless frames, with abnormal values in the metadata, to the Wi-Fi controller to overflow the firmware's stack, and combine this with the chipset's frequent timer firings to gradually overwrite specific chunks of device RAM until arbitrary code is executed. Beniamini described his findings in the context of attacking a fully patched Nexus 6P Android device running Android 7.1.1, build NUF26K, which was the latest available at the time of testing in February.
The security flaw falls squarely in Broadcom’s lap since it designed the WiFi chip and its embedded software. According to Beniamini’s research, Broadcom’s WiFi SoC “lacks basic exploit mitigations, such as stack cookies, safe unlinking,” and also doesn’t use the available memory protection features.
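The bug class described above is a firmware frame parser trusting a length field carried inside the frame. The following is an added example, not code from Beniamini's write-up or from Broadcom's firmware: a parser for the tag/length/value information elements that 802.11 management frames carry, which copies the SSID element into a fixed-size buffer only after checking the declared length against both the bytes actually received and the destination's capacity. The frame bytes are constructed sample input, and the function and constant names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX_LEN 32   /* 802.11 limits an SSID to 32 octets */
#define IE_TAG_SSID  0    /* element ID 0 is the SSID element */

enum ie_status {
    IE_OK        =  0,
    IE_TRUNCATED = -1,   /* declared length runs past the end of the frame body */
    IE_TOO_LONG  = -2,   /* declared length exceeds what the SSID buffer can hold */
    IE_NOT_FOUND = -3
};

/* Walk tag/len/value elements and copy the SSID into `out`.
 * Every copy is preceded by a check that the length byte, which is
 * attacker-controlled metadata, fits both the frame and the buffer.
 * A parser that trusts `len` and copies straight into a fixed stack
 * buffer is the pattern that produces a stack overflow. */
int extract_ssid(const uint8_t *body, size_t body_len,
                 char *out, size_t out_len, size_t *out_ssid_len)
{
    size_t pos = 0;
    while (pos + 2 <= body_len) {
        uint8_t tag = body[pos];
        uint8_t len = body[pos + 1];
        pos += 2;
        if (len > body_len - pos)          /* length claims bytes we never received */
            return IE_TRUNCATED;
        if (tag == IE_TAG_SSID) {
            if (len > SSID_MAX_LEN || len >= out_len)   /* abnormal value: refuse, never copy */
                return IE_TOO_LONG;
            memcpy(out, body + pos, len);
            out[len] = '\0';
            *out_ssid_len = len;
            return IE_OK;
        }
        pos += len;                        /* skip elements we do not parse */
    }
    return IE_NOT_FOUND;
}

/* Constructed frame body: SSID "home" followed by a Supported Rates element. */
static const uint8_t GOOD_FRAME[] = { 0, 4, 'h', 'o', 'm', 'e', 1, 2, 0x82, 0x84 };

/* Constructed frame body: SSID element whose length byte (0xff) exceeds the frame. */
static const uint8_t TRUNCATED_FRAME[] = { 0, 0xff, 'x', 'y', 'z' };

int check_good_frame(void)
{
    char ssid[SSID_MAX_LEN + 1];
    size_t n = 0;
    int rc = extract_ssid(GOOD_FRAME, sizeof GOOD_FRAME, ssid, sizeof ssid, &n);
    if (rc != IE_OK) return rc;
    return (n == 4 && strcmp(ssid, "home") == 0) ? IE_OK : IE_NOT_FOUND;
}

int check_truncated_frame(void)
{
    char ssid[SSID_MAX_LEN + 1];
    size_t n = 0;
    return extract_ssid(TRUNCATED_FRAME, sizeof TRUNCATED_FRAME, ssid, sizeof ssid, &n);
}

/* Constructed frame body: 40 bytes of SSID data, all present, but over the 32-byte limit. */
int check_oversized_frame(void)
{
    uint8_t frame[2 + 40];
    char ssid[SSID_MAX_LEN + 1];
    size_t n = 0;
    frame[0] = IE_TAG_SSID;
    frame[1] = 40;
    memset(frame + 2, 'A', 40);
    return extract_ssid(frame, sizeof frame, ssid, sizeof ssid, &n);
}

int main(void)
{
    printf("good frame:      %d\n", check_good_frame());       /* 0  */
    printf("truncated frame: %d\n", check_truncated_frame());  /* -1 */
    printf("oversized frame: %d\n", check_oversized_frame());  /* -2 */
    return 0;
}
```

The bounds checks are the first line of defence; the mitigations Beniamini found missing (stack cookies, safe unlinking, memory protection) are the second, catching the overflows a parser like this fails to reject. Building firmware with a stack protector such as GCC's `-fstack-protector-strong` would supply the stack cookie, but it does not replace validating the length byte before the copy.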
Both companies addressed the issue with Apple releasing iOS 10.3.1, and Google delivering updates via its Android Security Bulletin for April 2017.
The iOS and Android RCE attacks are two of ten flaws Beniamini discovered in Broadcom's WiFi SoC firmware.
Broadcom says security in new versions of its WiFi SoC is better, and more are being evaluated.