Broad Pwnage – WiFi everywhere is vulnerable to Association Attacks
Last month, Google and Apple released security patches to protect against the WiFi hopping “BroadPwn” vulnerability inherent in more than a billion devices.
After spending time analyzing the “Broadpwn” vulnerability and reviewing other researchers’ papers, including the analysis posted on the Exodus website, the problem appears to have more to do with the way WiFi devices talk to each other, and doesn’t appear to be specific to any single platform. I believe other WiFi chips, not yet disclosed as vulnerable, may be exploitable beyond those we presently know of.
The “BroadPwn” vulnerability arises when WiFi access points and clients talk to each other before any encryption or authentication functions are active, as dictated by today’s WiFi protocol specification. By design of the WiFi standards, devices can communicate early on without encryption or authentication, which introduces a new exploit vector.
Essentially, an attacker can craft and forge the Information Elements (IEs) carried in WiFi association frames and emit a specific value that triggers a memory buffer overflow on unpatched vulnerable WiFi chips within range of the attacker. This can lead to privilege escalation on the processor, root code execution and takeover of the device. Once a targeted device has been compromised, hardware storage chips onboard the device, or connected to it, can be injected with rootkits that give the malware persistence. Such persistence is next to impossible to remediate for most of today’s IT service professionals, who largely lack experience with flashing onboard peripheral and hardware chips.
Page 7 of the US Cert October 2016 advisory states the following.
What is most concerning about the “BroadPwn” WiFi vulnerability is the ease with which it can allow malware to propagate without the victim’s vulnerable computing device doing anything other than having WiFi turned on and being within WiFi range of the attacker.
The attack surface is large: computing devices that use WiFi, combined with the large number of IoT WiFi-enabled devices such as traffic lights, pacemakers, dishwashers, thermostats, security cameras, smartphones, tornado sirens, industrial measurement and control systems, public transit, cars (and so on), are all exposed to this WiFi attack vector. That makes the larger WiFi association process a real concern across all WiFi-enabled computing devices that operate on the 802.11 protocol. This is a pretty nasty situation given the 1 billion plus reportedly vulnerable devices!
Just last week, Raspberry Pi Engineer, PhilE, confirmed that the Raspberry Pi Platform is vulnerable due to a vulnerability in the Broadcom Chip known as “BroadPwn”. https://www.raspberrypi.org/forums/viewtopic.php?t=190202
The Raspberry Pi download page has yet to release (as of this post) the August 2017 software security update that is expected to include a patch protecting Raspberry Pis from the “BroadPwn” attack vector; however, they do have a method for patching the vulnerability for the security geeks at heart. As a side note, I like the Raspberry Pi and have many. I am pleased to see they almost have a production release fix, but remain concerned given the widespread usage of these devices to run our country’s infrastructure.
The “BroadPwn” vulnerability essentially allows a device with a vulnerable chip to attack another device due to the ad-hoc peer-to-peer WiFi communications built into the 802.11 WiFi association process. The Raspberry Pi platforms are used extensively in large part because of their low cost of around $35 each.
I suspect most major metropolitan areas have widespread malware outbreaks as a result of this WiFi vulnerability attack vector. Consider turning WiFi off and using ethernet cabling if you are concerned!
Researchers wrote malware as a proof of concept of the ability of “BroadPwn”-enabled worms to quickly propagate and take over their targets, as demonstrated at last month’s Black Hat hacker conference in Las Vegas. They showed that malware can spread to all vulnerable devices with WiFi on and within WiFi range, quickly and automatically. Think of this as what the measles was to humans before vaccinations, when 90% of household members fell ill if someone in the family had the measles.
“Broadpwn” isn’t a virus per se, but a method of exploiting communications vulnerabilities between computing devices using unpatched vulnerable Broadcom WiFi chips, such that a poisonous payload gets spread to devices nearby within WiFi range. Devices compromised via the “BroadPwn” WiFi vulnerability could have any number of variant malware payloads written to them, such that the “BroadPwn” compromise is used as a long-range, 1000-foot needle to deliver the measles virus to the unsuspecting, unvaccinated victim. The “BroadPwn” vulnerability is nothing other than a vehicle for delivering a payload that gets injected into the target. It could technically be used to fix vulnerable computers; however, the bad guys are probably more focused on making money off their victims than on actually helping those targeted. “BroadPwn” should be renamed “AssociationWifiAttackPwn” [a little too long though], since it may be unfairly singling out one chipmaker or device maker when the protocol standard has exploitable flaws that are likely somehow exploitable across all WiFi chips.
I wrote a post a few days ago about how I believe this WiFi vulnerability could explain why the UK’s NHS hospitals were hit so hard by the “WannaCry” malware, which can spread behind corporate firewalls via port 445. First a device such as a Raspberry Pi with a Broadcom chip gets compromised, then it launches secondary attacks using the DoublePulsar port 445 vulnerability vector to infect all hosts behind the corporate firewall that aren’t secured against SMB v1 exploits.
Hypothetical operation of how malware could spread and persist on a target
- A vulnerable WiFi chip (Broadcom, or others with exploits not yet patched) is compromised via the “BroadPwn” WiFi vulnerability and used to send a spoofed WiFi packet carrying forged IEs with an exploit payload to a WiFi client or access point.
- The exploit payload loads into the device’s RAM via a buffer overflow and then runs code as root on the processor.
- The processor code seeks out external sources to load more lengthy exploit code and to take over the computer entirely. These sources may exist behind the corporate firewall, or out on the Internet.
- The computing device’s peripheral firmware chips (many different suppliers!) and BIOS get tricked into updating a malicious firmware binary. This is all due to weak or nonexistent cryptographic verification functions on hardware chips and motherboards.
- The device is rendered permanently compromised such that completely replacing the media will not remove the infection. (See US Cert advisory referenced previously)
- Efforts to patch a compromised device can be blocked by altering the device’s firmware so that authentically signed software security updates and firmware updates issued by the original software and hardware makers are refused.
- The unpatched state of the device can be masked by showing the victim a false notice that they are running the latest firmware version. Vault 7 leaked documents I reviewed detailed this functionality in some of the leaked user manuals.
- Detection of compromised computing devices often requires the ability to read firmware stored on SPI chips, NVRAM, BIOS and other flash storage, which presently is beyond the skills of most IT Security staff.
- Remediation of compromised devices is highly difficult and beyond the scope of most network security and IT specialists in my opinion.
- Once infected, multiple methods can exist for maintaining a persistent compromise, including storage on hardware chips, network devices, peripherals, network routers, and shared USB devices, all of which can attack a recently remediated device to regain persistence and compromise.
The WiFi authentication process that introduces the vulnerability and allows an attacker to compromise a peer via WiFi is as follows:
The WiFi 802.11 Vulnerable Association Process Described
A basic WiFi 802.11 header is emitted from the WiFi chip on a client smartphone or computing device, followed by the Information Elements (IEs) defined by the 802.11 protocol. These IEs use Type-Length-Value (TLV) encoding: the first byte of each IE describes the type of information, the second byte denotes the length, and the following bytes (as many as the length states) contain the actual data. Nearby WiFi devices analyzing this over-the-air data learn the requirements and capabilities of other devices in the association sequence, which is a preamble to WiFi authentication between most WiFi devices. None of this data is encrypted, nor is it necessary to authenticate with the device in order to view or transmit spoofed IEs.
Router access points that provide WiFi connectivity using common WiFi encryption protocols such as WPA2 only implement encryption after the association sequence has taken place. Because WiFi packets can be easily forged and sent unencrypted to nearby devices, forged packets impersonating your WiFi router can trick your device into parsing IEs that contain a payload capable of triggering a memory buffer overflow on vulnerable computers using unpatched WiFi chips. Once data proven to trigger a memory buffer overflow has been identified for a specific WiFi chip, such as the Broadcom 4xxx(x) series of chips, that exploit code can be used repeatedly with different buffer overflow payloads in order to run customized malware code with full privileges on the computing device’s processor. You are probably safer with a Broadcom chip now, if patched and never compromised, than with a different chip whose WiFi vulnerability may not yet have been disclosed.
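The TLV walk described above, as an added example that is not part of the original post or of any vendor’s firmware: a defensive IE parser in C that rejects any element whose declared length runs past the end of the frame or past the fixed-size buffer it is copied into. The unchecked version of this loop, which trusts the attacker-supplied length byte and copies that many bytes into a fixed buffer, is the shape of the overflow described above. The buffer size `IE_BODY_MAX` and the sample IE lists are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Assumed fixed-size buffer for one IE value (constructed; 32 is also the SSID maximum). */
#define IE_BODY_MAX 32

/* Walk an 802.11 IE list, each element laid out as [id][len][len bytes of value].
 * Copies each value into body and returns the element count, or -1 as soon as a
 * declared length runs past the frame end or past IE_BODY_MAX. Without the two
 * length checks an attacker-chosen len drives memcpy past the end of body. */
int parse_ies_safe(const uint8_t *ies, size_t ies_len, uint8_t *body, size_t *body_len)
{
    size_t off = 0;
    int count = 0;
    while (off < ies_len) {
        if (ies_len - off < 2)            /* truncated header: no room for id + len */
            return -1;
        uint8_t len = ies[off + 1];
        if (len > ies_len - off - 2)      /* value would run past the frame end */
            return -1;
        if (len > IE_BODY_MAX)            /* value would run past our buffer */
            return -1;
        memcpy(body, ies + off + 2, len); /* len is now bounded by both checks */
        *body_len = len;
        off += 2 + len;
        count++;
    }
    return count;
}
/* Constructed sample IE lists, not captured traffic. */
static const uint8_t GOOD_IES[] = { 0x00, 0x03, 'l', 'a', 'b',   /* SSID "lab"        */
                                    0x01, 0x02, 0x82, 0x84 };    /* Supported Rates   */
static const uint8_t BAD_IES[]  = { 0x00, 0xFF, 'l', 'a', 'b' }; /* claims 255, has 3 */

int count_ies(const uint8_t *ies, size_t ies_len)
{
    uint8_t body[IE_BODY_MAX];
    size_t body_len = 0;
    return parse_ies_safe(ies, ies_len, body, &body_len);
}
int good_sample_count(void) { return count_ies(GOOD_IES, sizeof GOOD_IES); }
int bad_sample_count(void)  { return count_ies(BAD_IES, sizeof BAD_IES); }

/* Length consistent with the frame but one byte larger than body: still rejected. */
int oversize_sample_count(void)
{
    uint8_t frame[2 + IE_BODY_MAX + 1] = { 0x00, IE_BODY_MAX + 1 }; /* rest zero-filled */
    memset(frame + 2, 'A', IE_BODY_MAX + 1);
    return count_ies(frame, sizeof frame);
}
```

The third case matters most: the length is consistent with the frame, so a parser that only checks against the frame end would still copy 33 bytes into a 32-byte buffer.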
A connecting computing device that comes within WiFi range of a vulnerable target has no way of knowing that a rogue access point is fake until after the authentication process takes place. The attacker simply identifies the code to insert into the IE value field that triggers a memory buffer overflow on the targeted WiFi chip, thereby injecting code into memory that runs with full root privileges on the processor.
This vulnerability is less specific to any computing platform and more due to problems with the 802.11 association protocol and the inherent potential for an attacker to inject the right set of values into the IEs, resulting in a buffer overflow that leads to root control of the targeted device if vulnerable. Atmel, a competitor to Broadcom (now owned by Cypress), had recent disclosures as well in its ZLL Touchlink protocol that can compromise Philips smart bulbs, among other devices that incorporate the vulnerable chip and protocol. Other protocols beyond 802.11 have issues related to the beaconing and association process that takes place between WiFi devices before authentication and encryption take effect. Even the 802.15.4 protocol used by newer Atmel chips on the Silver Spring Networks meter readers has vulnerabilities that have been identified by NSF-funded researchers. http://cap.ece.gatech.edu/papers/securecomm10.pdf
News reports indicate that North Korean actors, “Hidden Cobra”, were likely behind the attack on the NHS. Similar attacks using the broadly available “Broadpwn” vulnerable devices are much more likely to happen sooner rather than later, before patches get applied to lock down these devices. News reports indicate that the US Government has concerns that a major cyber attack could be imminent. I tend to agree and remain concerned.
Ask yourself, can I run without WiFi? You may want to consider operating a little differently until this gets patched!