A vulnerability in Broadcom's wi-fi chips can be exploited to infect mobile devices with self-propagating malware, paving the way for mass attacks that require no user interaction.
Exodus Intelligence researcher Nitay Artenstein found the flaw, dubbed "Broadpwn", in the Broadcom BCM43xx family of wi-fi chipsets.
They are the dominant choice for high-end smartphones, used in the likes of Samsung's Galaxy S8, the Nexus 5 and 6 models made for Google, and all Apple iPhones after the iPhone 5, Artenstein noted.
He found that the firmware running on the Broadcom chip is neither encrypted nor integrity-checked, so an attacker can reverse engineer the code and patch it in place without the chip noticing.
Using a bug in Broadcom's implementation of the wireless multimedia (WMM) quality-of-service extension, triggered during the 802.11 association process, Artenstein wrote a proof of concept that silently implants attacker code on a vulnerable device's wi-fi chip without any user interaction; probe requests, which phones broadcast while looking for known networks, were used to identify likely targets.
The attack works over the air and, because the BCM43xx firmware runs without mitigations such as address space layout randomisation or code execution prevention, there is nothing for the exploit to bypass, which is what makes it a viable base for self-propagating malware.
On desktop operating systems those mitigations largely killed off the network worms that were common throughout the early 2000s; the last widespread self-propagating malware of that kind cited by Artenstein is the Conficker worm, first seen in late 2008.
Artenstein decided to build such a network worm on top of Broadpwn, and a survey in a public space showed no shortage of candidate smartphones.
"Running an Alfa wireless adapter on monitor mode for about an hour in a crowded urban area, we’ve sniffed hundreds of SSID names in probe request packets," Artenstein wrote.
"Of these, approximately 70 percent were using a Broadcom wi-fi chip. Even assuming moderate infection rates, the impact of a Broadpwn worm running for several days is potentially huge."
He warned that new attack surfaces like the Broadcom chipset could resurrect network worms, while also providing a foothold beneath otherwise well-hardened mobile operating systems, since the wi-fi chip sits outside the protections the OS applies to its own code.