Vulnerability Strikes Again: Broadcom WiFi chip likely used in your smartphone

This post was authored by guest blogger Tushar Nandwana – OneBeacon Technology Risk Control Specialist.

At the recent Black Hat security conference, a researcher named Nitay Artenstein from Exodus Intelligence disclosed a major security vulnerability called Broadpwn that would have affected 1 billion smartphones, on both the Android and Apple iOS operating systems. This far-reaching risk includes all iPhones since the iPhone 5, Google Nexus (5, 6, 6X and 6P), Samsung Note 3 and Samsung Galaxy (S3 to S8). The bug was disclosed to Apple and Google a few months ago, and patches were implemented in July, just prior to Artenstein’s presentation. The flaw was patched and is now closed.

So why did this bug barely make the news? Perhaps because this was not the usual software attack. Instead, it was found in the hardware, specifically in a third-party WiFi chip produced by Broadcom, within their BCM43xx family of WiFi chips, which enables WiFi communication within the smartphone. This was a drive-by vulnerability, meaning a hacker could get into the smartphone’s WiFi chipset over WiFi without the user’s knowledge and without the user having to visit or click on a compromised site or link. The only requirement was that WiFi had to be active on the user’s phone, which these days is its typical state. Furthermore, the hacker could then turn the smartphone into a rogue access point, which could infect other nearby smartphones through their WiFi. This vulnerability could have allowed unscrupulous hackers to create drive-by worms that infect and replicate exponentially. Artenstein dubbed Broadpwn the first “WiFi worm.”

In simple terms, the vulnerability works through a memory heap overflow. Memory overflows are not a new exploit, and the Android and iOS operating systems are hardened against them through security techniques such as ASLR and DEP. Unfortunately, the WiFi chips had no such protection. Other wireless chips, such as NFC (Near Field Communication) or Bluetooth, may have similar vulnerabilities, but fortunately the range of NFC and Bluetooth is far shorter, which would make them less effective at infecting other smartphones.
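The heap overflow class the post describes, shown as an added illustration that is constructed here and is not Broadcom's firmware, Artenstein's findings or the actual Broadpwn bug: a frame element copied into a fixed heap buffer with its length byte trusted, beside the bounds-checked copy a firmware reviewer would ask for. The frame layout, ELEM_MAX and the neighbouring heap data are all assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed illustration, not Broadcom's firmware: a received frame carries
 * id/length/value elements copied into a fixed ELEM_MAX-byte heap buffer. */
#define ELEM_MAX 32
struct arena {
    uint8_t elem[ELEM_MAX];  /* destination buffer for the element value */
    uint8_t neighbour[8];    /* stands in for whatever follows it on the heap */
};
static bool neighbour_intact(const struct arena *a) {
    for (size_t i = 0; i < sizeof a->neighbour; i++)
        if (a->neighbour[i] != 0xA5) return false;
    return true;
}
/* Unchecked: trusts the length byte received over the air. A length above
 * ELEM_MAX spills into the neighbour, and the chip has no ASLR or DEP to blunt it. */
int copy_elem_unchecked(struct arena *a, const uint8_t *frame, size_t frame_len) {
    if (frame_len < 2 || frame_len - 2 < frame[1]) return -1;  /* reads stay in frame */
    size_t len = frame[1];
    if (len > sizeof *a) return -1;        /* only keeps this demo itself well defined */
    memcpy((uint8_t *)a, frame + 2, len);  /* write is not bounded by ELEM_MAX */
    return 0;
}
/* Hardened: bound the write by the destination's real size before copying. */
int copy_elem_checked(struct arena *a, const uint8_t *frame, size_t frame_len) {
    if (frame_len < 2 || frame_len - 2 < frame[1]) return -1;
    size_t len = frame[1];
    if (len > ELEM_MAX) return -1;         /* reject the oversized element outright */
    memcpy(a->elem, frame + 2, len);
    return 0;
}
/* Feeds a constructed frame (id 0xDD, length byte = len, len bytes of 0x41) to one
 * parser: -1 rejected, 0 accepted with neighbour intact, 1 accepted but overwritten. */
int demo(bool hardened, uint8_t len) {
    uint8_t frame[2 + 255] = { 0xDD }; frame[1] = len;
    memset(frame + 2, 0x41, len);
    struct arena *a = calloc(1, sizeof *a);
    memset(a->neighbour, 0xA5, sizeof a->neighbour);
    int rc = hardened ? copy_elem_checked(a, frame, 2 + (size_t)len)
                      : copy_elem_unchecked(a, frame, 2 + (size_t)len);
    int result = rc < 0 ? -1 : (neighbour_intact(a) ? 0 : 1);
    free(a);
    return result;
}
```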

Whether this vulnerability would allow a hacker to reach the smartphone’s operating system was not investigated, but Artenstein notes that it could have been possible. With a potential attack surface of over 1 billion smartphones, a Broadpwn attack could have been catastrophic.

Artenstein discovered the vulnerability while researching the Broadcom chip’s firmware source code, which a third-party vendor had accidentally leaked to GitHub, a public code-hosting site. Incidentally, Google researchers discovered a vulnerability in the same WiFi chip family earlier in the year, and it, too, was promptly patched before being exploited.

This did not make the major news channels because it was patched before Broadpwn could be exploited, but it could have been far worse. So what are the lessons learned?

  • It is imperative that the smartphone manufacturers review, test and harden other critical third-party hardware and software to ensure a secured and well-protected environment.
  • This also applies to manufacturers of other electronic products: not only should they design security into and harden their own products, they should require the same of their critical suppliers.

For more information:

Author Carmen Duarte
