The Exodus Intelligence researcher Nitay Artenstein recently discovered a vulnerability in Broadcomm’s Wi-Fi chipsets which makes infecting mobile devices with self-propagating malware possible. Dubbed Broadpwn, the flaw can be exploited for mass attacks that don’t require any user cooperation.
Artenstein found the bug in the Broadcomm BCM43xx Wi-Fi chips.
“They are the dominant choice for high-end smartphones, used in the likes of Samsung’s Galaxy S8, the Nexus 5 and 6 models made for Google, and all Apple iPhones after the iPhone 5.” – he explains.
The researcher also noted that the firmware for the Broadcomm chip is not encrypted and it is lacking integrity checks which makes reverse engineering and patching the code a much easier task.
Artenstein was also able to write a proof of concept by exploiting a bug in Broadcomm’s implementation of the wireless multimedia (WMM) quality of service extension and 802.11 Wi-Fi protocol association process probe requests, proving that silently implanting attacker code on vulnerable devices is possible without any user intervention.
The attack against the Broadcomm BCM43xx chipsets sidesteps mitigations like code execution prevention and address space layout randomization which means that it can be used to code self-propagating malware. Due to such mitigations, the worms that were massively spread in the early 2000s sunk and the most recent self-propagating malware was the Conficker work back in 2009.
Artenstein created a network worm through Broadpwn, tested it in public and proved that there are many vulnerable mobile devices.
“Running an Alfa wireless adapter on monitor mode for about an hour in a crowded urban area, we’ve sniffed hundreds of SSID names in probe request packets.” – Artenstein wrote – “Of these, approximately 70 percent were using a Broadcom Wi-Fi chip. Even assuming moderate infection rates, the impact of a Broadpwn worm running for several days is potentially huge.”
After hearing about this, both Google and Apple issued patches for the Broadpwn vulnerability this month.