LAS VEGAS–The vulnerability in Broadcom WiFi chips running in many iPhones and Android devices that both Apple and Google patched recently could be triggered with a simple probe request from a mobile access point, giving the attacker full control of the victim’s device.
The bug, known as Broadpwn, is about as powerful as they come for mobile devices. The researcher who discovered the flaw, Nitay Artenstein, said it took him many weeks of work and reverse engineering and digging into the Broadcom firmware in order to find the weakness. During a talk at the Black Hat conference here Thursday, Artenstein detailed the vulnerability and showed a demonstration video of an exploit against it. In the video, a WiFi access point that Artenstein controls sent a single probe request to an Android phone, triggering the bug and giving him control of the device. The only visible indication of the exploit was that the phone’s WiFi functionality restarted.
“I can send one probe request and trigger the bug. It’s enough just for your phone to be in your pocket and it will work,” he said.
The vulnerability itself lies in the Broadcom BCM43xx chipset family, which is in all of the iPhones since the iPhone 5, many HTC, LG, and Nexus Android devices, and almost all Samsung Android phones. Google patched the Broadpwn bug in Android in early July and Apple followed suit a couple weeks later with the release of iOS 10.3.3.
Artenstein said that even after he discovered the vulnerability, exploiting it was a challenge. He wanted an exploit that wouldn’t alert the user to the attack and wouldn’t crash the device, something that can be quite difficult with remote bugs.
“You can’t make any mistakes with remote targets. You can’t make any assumptions about the system and yet you can’t crash the system either,” he said.
“Many remote bugs have died an untimely death because they require you to make assumptions about the system. We just want the bug to sit down and behave nicely.”