This week, widespread reports have been published by many media outlets confirming what has long been suspected: most smartphones (Android and iPhones) are vulnerable to being hacked when they are connected to WiFi networks that have rogue devices infected with malware designed to exploit the Broadcom SoC chipset. The malware, known as BroadPwn, can spread automatically over WiFi with no need for user authentication. Simply being connected to a WiFi network that has an infected phone on the same network can allow for automatic infection. This is bad news for operators of unsecured WiFi hotspots, since they may be considered liable for causing smartphones to become infected.
US-CERT issued an advisory, CVE-2017-0561, detailing that this is a critical issue impacting Android phones, but it has also been reported that iPhones from version 5 onward may be using the same vulnerable Broadcom chip. Once exploited, the device is compromised at the kernel level, which can allow for interception of any displayed communications as well as remote control. The compromise involves directing the user to a non-HTTPS web page that contains the payload that causes a memory buffer overflow, thereby allowing the firmware onboard the smartphone's chip to be compromised.
This type of malware, which self-propagates without any need for user authentication, is known as a worm. US-CERT rates this as a Critical vulnerability.
The number of phones that are allegedly open to this WiFi-hopping worm attack is in excess of 1 billion, according to a recent article posted by Ars Technica.
At last week's Black Hat security conference, security researcher Nitay Artenstein of Exodus Intelligence demonstrated the ability to exploit unpatched iPhones and Android phones. When Artenstein's exploit reached a device using the BCM43xx family of WiFi chipsets, it was able to rewrite the firmware on the smartphone that controls the Broadcom chip, thereby taking over the smartphone.
Broadcom's vulnerable chips are those not protected by Address Space Layout Randomization (ASLR) or Data Execution Protection (DEP) memory protections. This lack of protection can allow a remote attacker to compromise the DNS matching of websites a user is trying to connect to by injecting a payload graphic file that causes a buffer overflow.
Time will tell how many devices have been compromised. This type of attack is bound to create problems for companies that allow employees to bring their personal devices to work and connect them to work WiFi networks.
Google and Apple have released patches that will protect unaffected smartphones from infection, but it isn't clear that phones already infected can be fixed simply by downloading the patch updates.
More technical details are available at https://blog.exodusintel.com/2017/07/26/broadpwn/