Broadpwn flaw allows for remote takeover of smartphones

By on
Broadpwn flaw allows for remote takeover of smartphones

Makes self-propagating malware possible.

A vulnerability in Broadcomm's wi-fi chips can be exploited to infect mobile devices with self-propagating malware, paving the way for mass attacks that don't require any user intervention.

Exodus Intelligence researcher Nitay Artenstein found the flaw, dubbed "Broadpwn", in the Broadcomm BCM43xx wi-fi chipsets.

They are the dominant choice for high-end smartphones, used in the likes of Samsung's Galaxy S8, the Nexus 5 and 6 models made for Google, and all Apple iPhones after the iPhone 5, Artenstein noted.

He discovered that the firmware for the Broadcomm chip is not encrypted, nor are there any integrity checks, making it relatively easy for attackers to reverse engineer the code and patch it.

By exploiting 802.11 wi-fi protocol association process probe requests and a bug in Broadcomm's implementation of the wireless multimedia (WMM) quality of service extension, Artenstein was able to write a proof of concept that can silently implant attacker code on vulnerable devices without any user interaction.

The remote attack against the Broadcomm BCM43xx chipsets bypasses mitigations such as address space layout randomisation and code execution prevention, meaning it could be used to code self-propagating malware.

These mitigations largely killed off the worms that were common throughout the early 2000s. The most recent self-propagating malware of this type was the Conficker worm of 2009.

Artenstein decided to create such a network worm through Broadpwn, and testing in public showed plenty of vulnerable smartphones.

"Running an Alfa wireless adapter on monitor mode for about an hour in a crowded urban area, we’ve sniffed hundreds of SSID names in probe request packets," Artenstein wrote.

"Of these, approximately 70 percent were using a Broadcom wi-fi chip. Even assuming moderate infection rates, the impact of a Broadpwn worm running for several days is potentially huge."

He warned that hacks through new attack surfaces like the Broadcomm chipset could resurrect network worms while also providing a backdoor into otherwise secure mobile operating systems.

Both Apple and Google issued patches for the Broadpwn vulnerability this month.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
android apple broadcomm broadpwn google ios iphone nitay artenstein security
In Partnership With

Most Read Articles

Musk's leaked email shows Tesla to make record deliveries

Musk's leaked email shows Tesla to make record deliveries
NAB switches on Apple Pay

NAB switches on Apple Pay
Game and shame: Internet providers called out again on NBN speed claims

Game and shame: Internet providers called out again on NBN speed claims
The techies who ran for office in the 2019 federal election

The techies who ran for office in the 2019 federal election
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

How to drive revenue and increase loyalty through customer experience in retail
How to drive revenue and increase loyalty through customer experience in retail
Stop Parasites on your Network with Sophos
Stop Parasites on your Network with Sophos
Stop your Oracle database slowing down your business
Stop your Oracle database slowing down your business
How Macquarie University has prepared for fire and flood
How Macquarie University has prepared for fire and flood
Guide to Fully-Composable Software-Defined Private Cloud
Guide to Fully-Composable Software-Defined Private Cloud

Events

Log In

Username / Email:
Password:
  |  Forgot your password?