Gal Beniamini of Google Project Zero recently published a proof-of-concept for a remote code execution (RCE) vulnerability present in the Broadcom 802.11k Wi-Fi hardware, running firmware version BCM4355C0.
The flaw affects a number of smartphones, including the iPhone 7 and some Android devices, as well as smart TVs running tvOS.
This vulnerability (CVE-2017-11120) doesn’t need the victim to take any action aside from connecting to a rogue Wi-Fi network owned by the attacker—there’s no app that needs to be installed or phishy link that needs clicking. Once the victim connects their devices to the rogue network, the attacker can install a backdoor onto the victim’s device that gives them full read and write access to its firmware.
Not a big surprise then that Google Android gave this vulnerability the highest rating, Critical, in its September 5 security bulletin.
Researchers working on this vulnerability were able to confirm that it exists on the iPhone 7 and Galaxy S7 Edge firmware. It’s believed that it’s also present in all versions of iOS up to 10.3.3. Details weren’t published until 25 September 2017, by which date fixes for iOS, tvOS and Android had been made available.
This vulnerability has a number of similarities to another Broadcom flaw discovered earlier this year by Beniamini – colloquially called BroadPwn. NakedSecurity’s own Paul Ducklin did a remarkable job with a deep dive into BroadPwn and how it worked, so why not pour yourself a coffee and give that a read too.
Thankfully the fix for this serious problem is pretty simple for most users: update now.
Both BroadPwn and this yet-to-be-named vulnerability (The Return of BroadPwn?) serve as a reminder that keeping your mobile devices up-to-date is your first line of defense against potentially devastating RCEs. And in the case of this bug in particular, it’s also a warning about the dangers of connecting your devices to just any old public Wi-Fi.
Not sure if your device is affected? Some of the devices that should patch right away are below.
Update the following Apple products to the latest release (25 September release as of this writing)
- iPhone 5s or later
- iPad Air or later
- iPod Touch 6th generation or later
- Apple TV 4th generation
This vulnerability is addressed in the 2017-09-05 security patch for Android.
3 comments on “Chips in iPhone 7s, Androids, smart TVs vulnerable to rogue Wi-Fi”
“Thankfully the fix for this serious problem is pretty simple for most users: update now.”
I wish. Maybe when Android fixes its update mechanics in the future, but as an owner of an S7 Edge, I will probably have to wait a few more months before I finally get an update.
BroadPwn Part Deux
As Lily said, those using devices from manufacturers that do not really care about updates will have to wait for, or even forget about getting any updates at all.
For most mobile devices, internal hardware firmwares are rarely/never updated; only the operating system on top (and then maybe only once or twice over the device lifespan).
Even if you have a Google Nexus/Pixel you’re still potentially left hanging when it comes to the firmware blobs hidden inside the radio devices of a phone or tablet, because their content is proprietary and deliberately kept in secrecy; if the manufacturer of the proprietary firmware says no, Google can only try to work around it. And when it can’t, that’s the end of it.
No amount of tinkering or updating by end users will fix that insecure by design situation.