Security researchers hailing from Google’s Project Zero have discovered a new sophisticated and troublesome bug which is affecting Wi-Fi chips from Broadcom, a gear supplier for iPhones, Nexuses, and Samsung devices.
According to Gal Beniamini, a Project Zero researcher who wrote a detailed blog post on the exploit, by chaining together a series of exploits an attacker could perform a full device takeover via Wi-Fi proximity alone, requiring no user interaction. In layman's terms, if you are using the same Wi-Fi network as the attacker, such as a public hotspot, the attacker could compromise your device without you even knowing.
The demonstration was done on a Nexus 6P, but the problem affects all devices running on Broadcom WiFi SoCs. This includes the Nexus 5 and 6, Samsung’s flagship devices and all iPhones after iPhone 4. Broadcom has already been notified and collaborated with Google on fixing the problem, while also making fixes available to affected vendors.
Apple has already issued a patch fixing the problem in its most recent update (iOS 10.3.1, which you should install as soon as possible). “An attacker within the stipulated range may be able to execute arbitrary code on the Wi-Fi chip,” Apple stated in its security release notes. The problem is so dire that Apple pushed the new update just one week after the previous one.
Beniamini has stated, “We’ve seen that while the firmware implementation on the WiFi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations — including stack cookies, safe unlinking and access permission protection (by means of an MPU).” He added, “Broadcom has informed me that newer versions of the SoC utilize the MPU, along with several additional hardware security mechanisms. This is an interesting development and a step in the right direction. They are also considering implementing exploit mitigations in future firmware versions.”