Broadpwn flaw allows for remote takeover of smartphones

By on
Broadpwn flaw allows for remote takeover of smartphones

Makes self-propagating malware possible.

A vulnerability in Broadcomm's wi-fi chips can be exploited to infect mobile devices with self-propagating malware, paving the way for mass attacks that don't require any user intervention.

Exodus Intelligence researcher Nitay Artenstein found the flaw, dubbed "Broadpwn", in the Broadcomm BCM43xx wi-fi chipsets.

They are the dominant choice for high-end smartphones, used in the likes of Samsung's Galaxy S8, the Nexus 5 and 6 models made for Google, and all Apple iPhones after the iPhone 5, Artenstein noted.

He discovered that the firmware for the Broadcomm chip is not encrypted, nor are there any integrity checks, making it relatively easy for attackers to reverse engineer the code and patch it.

By exploiting 802.11 wi-fi protocol association process probe requests and a bug in Broadcomm's implementation of the wireless multimedia (WMM) quality of service extension, Artenstein was able to write a proof of concept that can silently implant attacker code on vulnerable devices without any user interaction.

The remote attack against the Broadcomm BCM43xx chipsets bypasses mitigations such as address space layout randomisation and code execution prevention, meaning it could be used to code self-propagating malware.

These mitigations largely killed off the worms that were common throughout the early 2000s. The most recent self-propagating malware of this type was the Conficker worm of 2009.

Artenstein decided to create such a network worm through Broadpwn, and testing in public showed plenty of vulnerable smartphones.

"Running an Alfa wireless adapter on monitor mode for about an hour in a crowded urban area, we’ve sniffed hundreds of SSID names in probe request packets," Artenstein wrote.

"Of these, approximately 70 percent were using a Broadcom wi-fi chip. Even assuming moderate infection rates, the impact of a Broadpwn worm running for several days is potentially huge."

He warned that hacks through new attack surfaces like the Broadcomm chipset could resurrect network worms while also providing a backdoor into otherwise secure mobile operating systems.

Both Apple and Google issued patches for the Broadpwn vulnerability this month.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
android apple broadcomm broadpwn google ios iphone nitay artenstein security
In Partnership With

Most Read Articles

Microsoft admits it couldn't afford its own cloud

Microsoft admits it couldn't afford its own cloud
CBA discloses app's open source components

CBA discloses app's open source components
NSW using AWS to predict public transport delays

NSW using AWS to predict public transport delays
Yes, it's real: "The first Australian Public Service F@#kup Night!"

Yes, it's real: "The first Australian Public Service F@#kup Night!"
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?
Follow these steps to prevent targeted attacks
Follow these steps to prevent targeted attacks
Your mobile devices may not be secure – learn how to fix that
Your mobile devices may not be secure – learn how to fix that
Don’t risk your business – learn how to protect your cloud assets
Don’t risk your business – learn how to protect your cloud assets

Events

Log In

Username / Email:
Password:
  |  Forgot your password?