Millions of smartphones, including Apple iOS and Android phones, are vulnerable to Broadcom Wifi SoC(System-on-chip) chips over-the-air hijacking. Any devices equipped with Broadcom Wifi chips are vulnerable to over-the-air hijacking.
The vulnerability was discovered by Google’s Project Zero researcher Gal Beniamini, who today published his research in a blog post and the vulnerability known to be a stack buffer overflow issue.
The researcher said that Broadcom firmware code stack buffer overflow issue could let to remote code execution vulnerability, allowing an attacker to send and execute code on others smartphone’s WiFi range.
An attacker can install malicious apps, Trojans, ransomware and can take full control over the device without the user knowledge.
In the first blog post, Beniamini explored the attack on Wi-Fi SoC by discovering and exploiting the vulnerability, which allows remote code execution on the chip. In the second blog post, Beniamini will explain how attackers can take over the host operating system in order to escalate our privileging into the application process by controlling Wi-Fi SoC.
Broadcom Wi-Fi SoC Hack Over-the-Air:
Beniamini focused on Broadcom’s WiFi SoCs since the most common WiFi chipset used on smartphones. The researchers have tested the vulnerability on the Nexus 5, 6 and 6P, most Samsung flagship devices, and all iPhones since the iPhone 4.
The researcher demonstrated a WiFi remote code execution on an updated Nexus 6P(Now Fixed), running Android 7.1.1 version NUF26K with also detailed proof-of-concept.
To exploit, the flaw attacker needs to be within a WiFi range of the compromised device to take over it without the victim knowledge. Beniamini discovered the flaw in the firmware version 184.108.40.206 of Broadcom Wi-Fi chips.
Beniamini tricked Broadcom WiFi SoC into over running its stack buffer, which allowed him to send maliciously crafted Wi-Fi frames, to the WiFi in order to overflow the firmware’s stack. After overflowing the firmware’s stack the researcher combined this value with the frequent timer to overwrite the specific chunk’s of device memory (RAM) gradually until his malicious code is executed.
According to Beniamini,” the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection (by means of an MPU)”.
Security Patch For Nexus And iOS Released:
Google Project Zero team has reported the bug to Broadcom in December. Since the Broadcom is testing the patch before pushing out to the smartphone vendors.
Googe addressed the vulnerability and released the security patch update on Monday, delivering updates via its Android April 2017 Security Bulletin.
Apple released the iOS 10.3.1 emergency update yesterday, due to serious bug resides on Broadcom WiFi SoC used in iPhones, iPads, and iPods.
Other devices have to wait for the patch, the researcher also said most Samsung flagship devices, including Galaxy S7 (G930F, G930V), Galaxy S7 Edge (G935F, G9350), Galaxy S6 Edge (G925V), Galaxy S5 (G900F), and Galaxy Note 4 (N910F) are still affected by the vulnerability.
To read the technical details of the vulnerability go on to the blog post published by Google Project Zero team.