Millions Of Smartphones Using Broadcom Wi-Fi Chip Can Be Hacked Over-the-Air

Millions of smartphones and smart gadgets, including Apple iOS devices and many Android handsets from various manufacturers, that are equipped with Broadcom Wi-Fi chips supporting the Cisco Centralized Key Management (CCKM) Fast Secure Roaming feature are vulnerable to over-the-air hijacking without any user interaction.

Just yesterday, Apple rushed out an emergency iOS 10.3.1 patch update to address a serious bug that could allow an attacker within the same Wi-Fi network to remotely execute malicious code on the Broadcom Wi-Fi SoC (System-on-Chip) used in iPhones, iPads, and iPods.

The vulnerability (CVE-2017-6957) was described as a stack buffer overflow issue and was discovered by Google’s Project Zero staffer Gal Beniamini, who today detailed his research in a lengthy blog post, saying the flaw affects not only Apple but all devices using Broadcom’s Wi-Fi stack.

Beniamini says this stack buffer overflow issue in the Broadcom firmware code could lead to remote code execution, allowing an attacker in the smartphone’s Wi-Fi range to send and execute code on the device.

Highly skilled attackers can also deploy malicious code to take full control over the victim’s device and install malicious apps, like banking Trojans, ransomware, and adware, without the victim’s knowledge.

In his next blog post that’s already on its way, Beniamini will explain how attackers can use their assumed control of the Wi-Fi SoC in order to further escalate their privileges into the application processor, taking over the host’s operating system.

Over-the-Air Broadcom Wi-Fi SoC Hack

According to the researcher, the firmware running on the Broadcom Wi-Fi SoC can be tricked into overrunning its stack buffers: he sent carefully crafted Wi-Fi frames, with abnormal values, to the Wi-Fi controller in order to overflow the firmware’s stack.

Beniamini then combined this value with the frequent timer firings of the chipset to gradually overwrite specific chunks of the device’s memory (RAM) until his malicious code was executed.

So, to exploit the flaw, an attacker needs to be within the Wi-Fi range of the affected device to silently take it over.

“While the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security,” Beniamini explains. “Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection.”
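As a defensive illustration of the bug class described above (a frame field with an abnormal length overrunning a fixed-size stack buffer), the following added example shows a bounds-checked parser for length-prefixed frame elements. It is not Broadcom's code or code from the Project Zero post; the element layout (1-byte id, 1-byte length, data), the buffer size, the function names and the sample frames are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELEM_BUF_MAX 8  /* assumed capacity of the fixed-size stack buffer */
enum { IE_NOT_FOUND = -1, IE_TRUNCATED = -2, IE_TOO_LONG = -3 };

/* Walk tagged elements (1-byte id, 1-byte length, data) and copy element
 * want_id into out. Returns the copied length, or a negative IE_* error. */
int copy_element(const uint8_t *body, size_t body_len, uint8_t want_id,
                 uint8_t *out, size_t out_cap)
{
    size_t off = 0;
    while (off < body_len) {
        if (body_len - off < 2) return IE_TRUNCATED; /* header cut short */
        uint8_t id = body[off];
        size_t len = body[off + 1];
        off += 2;
        if (len > body_len - off) return IE_TRUNCATED; /* overruns the frame */
        if (id == want_id) {
            if (len > out_cap) return IE_TOO_LONG; /* would overflow out */
            memcpy(out, body + off, len);
            return (int)len;
        }
        off += len;
    }
    return IE_NOT_FOUND;
}

/* Caller with a fixed stack buffer, the pattern an overflow would target. */
int check_frame(const uint8_t *body, size_t body_len, uint8_t want_id)
{
    uint8_t buf[ELEM_BUF_MAX];
    return copy_element(body, body_len, want_id, buf, sizeof buf);
}

/* Constructed sample frame bodies, not captured traffic. */
const uint8_t sample_ok[]    = { 0x00, 3, 'l', 'a', 'b', 0xDD, 4, 1, 2, 3, 4 };
const uint8_t sample_long[]  = { 0xDD, 12, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
const uint8_t sample_trunc[] = { 0xDD, 200, 1, 2, 3 };

int main(void)
{
    printf("%d %d %d\n", check_frame(sample_ok, sizeof sample_ok, 0xDD),
           check_frame(sample_long, sizeof sample_long, 0xDD),
           check_frame(sample_trunc, sizeof sample_trunc, 0xDD));
    return 0;
}
```

The two length checks are independent: one rejects an element that claims more bytes than the frame holds, the other rejects an element that fits the frame but not the destination buffer.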

The researcher also detailed a proof-of-concept Wi-Fi remote code execution exploit in the blog post and successfully performed it on a then-fully updated (now fixed) Nexus 6P, running Android 7.1.1 version NUF26K – the latest available Nexus device at the time of testing in February.

The flaw is one of the several vulnerabilities discovered by Beniamini in the firmware version 6.37.34.40 of Broadcom Wi-Fi chips.

Security Patch for Nexus & iOS Released; Others Have to Wait!

The Google Project Zero team reported the issue to Broadcom in December. Since the flaw is in Broadcom’s code, smartphone makers had to wait for a patch from the chip vendor before testing the patch and pushing it out to their own user base.

Both Apple and Google addressed the vulnerability with security updates released on Monday, with Google delivering updates via its Android April 2017 Security Bulletin and Apple releasing the iOS 10.3.1 update.

The flaw still affects most Samsung flagship devices, including Galaxy S7 (G930F, G930V), Galaxy S7 Edge (G935F, G9350), Galaxy S6 Edge (G925V), Galaxy S5 (G900F), and Galaxy Note 4 (N910F), the researcher says.

For more technical details, head on to the blog post published by the Google Project Zero team today.

via The Hacker News http://bit.ly/2o9lj64
