Millions of smartphones around the world could have been affected by a Wi-Fi security flaw, security researchers have claimed.
Broadcom's mobile Wi-Fi chips contained a vulnerability that could have allowed malicious actors to attack as many as a billion Android and iOS devices.
Fortunately, the vulnerability, which was demonstrated at the recently held Black Hat conference by security researcher Nitay Artenstein, has now been patched.
Artenstein developed malicious code that could be transmitted over the air to probe nearby devices. Once a device with a BCM43xx-family Wi-Fi chipset was found, the code could rewrite the firmware that controls the chip, giving the attacker a foothold from which a potential chain reaction could be kicked off.
"This research is an attempt to demonstrate what such an attack, and such a bug, will look like," the researcher wrote in a blog post. "Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of Wi-Fi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."
The vulnerability revolved around the fact that the firmware running on Broadcom's chips, unlike the iOS and Android kernels, is protected by neither ASLR nor DEP. What made things even easier for Artenstein was that he didn't have to customise the code for each firmware build: it worked on all of them.
"Old school hackers often miss the 'good old days' of the early 2000s, when remotely exploitable bugs were abundant, no mitigations were in place to stop them, and worms and malware ran rampant," Artenstein wrote. "But with new research opening previously unknown attack surface such as the BCM Wi-Fi chip, those times may just be making a comeback."