Reports last week of security flaws in the wireless chips used in a wide range of Apple and Android mobile devices came hard on the heels of news that network-enabled toys are being used by hackers to access personal data.
Google Project Zero security researcher Gal Beniamini, who discovered the flaw, said that it affected the iPhone 5 and newer, along with Google’s Nexus and several Samsung Galaxy models. Since Broadcom’s SoC is used in so many mobile devices and Wi-Fi routers, it’s a safe bet other smartphones and tablets are vulnerable, too.
According to Beniamini, there are two variants of the attack involving stack buffer overflows related to wireless roaming support. Another attack involves Tunneled Direct Link Setup, or TDLS, which allows devices on a network to share data directly with each other instead of first sending it back through the WiFi base station.
In his detailed 8,500-word blog post on the research, Beniamini wrote that he discovered the firmware running on Broadcom’s wireless system-on-chip (SoC) can be tricked into overrunning its stack buffers. He was able to send carefully crafted wireless frames, with abnormal values in the metadata, to the Wi-Fi controller to overflow the firmware’s stack, and combine this with the chipset’s frequent timer firings to gradually overwrite specific chunks of device RAM until arbitrary code is executed. Beniamini described his findings in the context of attacking a fully patched Nexus 6P Android device running Android 7.1.1, build NUF26K, which was the latest available at the time of testing in February.
The security flaw falls squarely in Broadcom’s lap since it designed the WiFi chip and its embedded software. According to Beniamini’s research, Broadcom’s WiFi SoC “lacks basic exploit mitigations, such as stack cookies, safe unlinking,” and also doesn’t use the available memory protection features.
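As an added illustration of the defect class described above (constructed for this page; not Broadcom’s firmware or Beniamini’s code), a frame parser in which an attacker-controlled length byte drives a copy into a fixed-size stack buffer, beside the bounds-checked form that rejects both oversized and truncated elements. The element layout, names and sample bytes are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed information-element layout, loosely modelled on 802.11 frames:
 * 1-byte id, 1-byte length, then `length` payload bytes. Hypothetical; not
 * Broadcom's firmware or frame format. */
#define IE_MAX_PAYLOAD 32

struct ie_copy { uint8_t id, len; uint8_t payload[IE_MAX_PAYLOAD]; };

/* Vulnerable pattern: the frame's own length byte drives a memcpy into a
 * fixed-size buffer, so an element declaring more than IE_MAX_PAYLOAD bytes
 * writes past `payload` (and over the caller's stack frame when `out` is a
 * local). Shown for contrast only; never fed an oversized element here. */
int parse_ie_unchecked(const uint8_t *frame, size_t frame_len, struct ie_copy *out)
{
    if (frame_len < 2) return -1;
    out->id = frame[0];
    out->len = frame[1];
    memcpy(out->payload, frame + 2, out->len);   /* no bound on len */
    return 0;
}

/* Hardened: check the declared length against the receiving buffer and
 * against the bytes actually present before touching memory. */
int parse_ie_checked(const uint8_t *frame, size_t frame_len, struct ie_copy *out)
{
    if (frame_len < 2) return -1;
    uint8_t len = frame[1];
    if (len > IE_MAX_PAYLOAD) return -1;          /* would overflow payload */
    if ((size_t)len > frame_len - 2) return -1;   /* truncated: would over-read */
    out->id = frame[0];
    out->len = len;
    memcpy(out->payload, frame + 2, len);
    return 0;
}

/* Constructed sample elements, not captured traffic. */
static const uint8_t good_ie[]      = { 0x00, 0x04, 'w', 'l', 'a', 'n' };
static const uint8_t oversized_ie[] = { 0x00, 0xC8, 0x41, 0x41, 0x41, 0x41 }; /* claims 200 */
static const uint8_t truncated_ie[] = { 0x00, 0x10, 0x41, 0x41 };             /* claims 16, has 2 */

/* Parses with the hardened routine; returns the copied length or -1. */
int demo_parse(const uint8_t *frame, size_t frame_len)
{
    struct ie_copy c = { 0 };
    if (parse_ie_checked(frame, frame_len, &c) != 0) return -1;
    return c.len;
}
```

Stack cookies would only detect the overwrite after the fact; the length check is what prevents it, which is why the missing mitigations compound rather than cause the underlying bug.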
Google and Apple released security updates on Monday (April 03) which contained fixes for a security flaw in the Broadcom WiFi SoC (system-on-chip) which otherwise could let attackers who are in WiFi range inject and run code on Android and iOS smartphones.