Broadpwn flaw allows for remote takeover of smartphones

By on
Broadpwn flaw allows for remote takeover of smartphones

Makes self-propagating malware possible.

A vulnerability in Broadcomm's wi-fi chips can be exploited to infect mobile devices with self-propagating malware, paving the way for mass attacks that don't require any user intervention.

Exodus Intelligence researcher Nitay Artenstein found the flaw, dubbed "Broadpwn", in the Broadcomm BCM43xx wi-fi chipsets.

They are the dominant choice for high-end smartphones, used in the likes of Samsung's Galaxy S8, the Nexus 5 and 6 models made for Google, and all Apple iPhones after the iPhone 5, Artenstein noted.

He discovered that the firmware for the Broadcomm chip is not encrypted, nor are there any integrity checks, making it relatively easy for attackers to reverse engineer the code and patch it.

By exploiting 802.11 wi-fi protocol association process probe requests and a bug in Broadcomm's implementation of the wireless multimedia (WMM) quality of service extension, Artenstein was able to write a proof of concept that can silently implant attacker code on vulnerable devices without any user interaction.

The remote attack against the Broadcomm BCM43xx chipsets bypasses mitigations such as address space layout randomisation and code execution prevention, meaning it could be used to code self-propagating malware.

These mitigations largely killed off the worms that were common throughout the early 2000s. The most recent self-propagating malware of this type was the Conficker worm of 2009.

Artenstein decided to create such a network worm through Broadpwn, and testing in public showed plenty of vulnerable smartphones.

"Running an Alfa wireless adapter on monitor mode for about an hour in a crowded urban area, we’ve sniffed hundreds of SSID names in probe request packets," Artenstein wrote.

"Of these, approximately 70 percent were using a Broadcom wi-fi chip. Even assuming moderate infection rates, the impact of a Broadpwn worm running for several days is potentially huge."

He warned that hacks through new attack surfaces like the Broadcomm chipset could resurrect network worms while also providing a backdoor into otherwise secure mobile operating systems.

Both Apple and Google issued patches for the Broadpwn vulnerability this month.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
android apple broadcomm broadpwn google ios iphone nitay artenstein security
In Partnership With

Most Read Articles

CBA slammed by RBA for stalling New Payments Platform

CBA slammed by RBA for stalling New Payments Platform
TPG 'contemplates' future of sub-$60 NBN plans

TPG 'contemplates' future of sub-$60 NBN plans
Inside Infosys' complex Centrelink payments calculator overhaul

Inside Infosys' complex Centrelink payments calculator overhaul
NBN Co challenges Australia's $60 broadband 'sweet spot'

NBN Co challenges Australia's $60 broadband 'sweet spot'
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?
Your Microsoft Security journey starts here
Your Microsoft Security journey starts here
Is your AWS framework well-architected?
Is your AWS framework well-architected?
Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?

Events

Log In

Username / Email:
Password:
  |  Forgot your password?