A Broadcom chip flaw found and demoed by Exodus Intelligence's Nitay Artenstein exposed a potential critical threat to 1 billion Android and iOS smartphones. This exploit was possible due to a specific Broadcom Wi-Fi chip bug that let the hacker gain remote execution access on smartphones. Fortunately, before this could happen, Google and Apple both have fixed the bug. The Wi-Fi chip is vulnerable to a self-replicating attack, which could spread infect and spread without any user interaction.
Ars Technica reports that this vulnerability was found in the BCM43xx family of Wi-Fi chips manufactured by Broadcom. Artenstein demoed a proof-of-concept attack code that took advantage of the vulnerability at the Black Hat security conference in Las Vegas recently. This code reportedly fills airwaves with connection requests to nearby devices, and when the request reaches the specified Wi-Fi chipsets' devices particularly; it rewrites the firmware controlling the chip. Then, the compromised chip sends malicious packets to other exploitable devices, creating a domino effect of sorts. Artenstein has dubbed this bug as 'Broadpwn', and this vulnerable chip resides in almost 1 billion smartphones in the market, as mentioned before.
The report states that Artenstein got in touch with Google and Apple both to make them aware about this bug, and Google released a patch early in July to prevent any sort of ripple effect to start. Apple also released a fix two weeks ago as well, preventing a potential self-replicating attack to spread to a large number of devices.
"This research is an attempt to demonstrate what such an attack, and such a bug, will look like. Broadpwn is a fully remote attack against Broadcom's BCM43xx family of Wi-Fi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit," Artenstein wrote in a blog post.
In his post, Anrtenstein explains that in order for the attack to begin, targets don't even have to connect to the malicious network, and simply having Wi-Fi turned on was enough. His attack worked on a number of smartphones, including all iPhone models since the iPhone 5, Google's Nexus 5, Nexus 6, Nexus 5X, Nexus 6P, Samsung Galaxy Notes 3, and Samsung Galaxy flagship devices from Galaxy S3 to the Galaxy S8 launched this year. The researcher also said that this attack was more vulnerable on smartphones than laptops and computers as they provide limited access to Wi-Fi chipsets, not enabling remote execution at least.