CyberCrimeSecuritySecurity Management

Unpatched Smartphones ‘At Risk’ From Broadpwn Bug

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Android and iOS already issued patches for bug that could result in the spread of unstoppable malware

A bug in an obscure chip found in the world’s most popular smartphones could result in the unstoppable spread of malware from device to device.

This was the warning at this week’s Black Hat Security 2017 conference after Nitay Artenstein a vulnerability researcher at Exodus Intelligence, discovered the flaw.

The good news however that both Apple and Android have already rushed out patches, meaning that only unpatched iPhones and Android devices are vulnerable. The bug also affects the desktop macOS as well.

danger-wi-fiWi-Fi Chips

The bug discovered Artenstein is found in an obscure Wi-Fi chip made by Broadcom. This is a chip found in all iPhones and top Android handsets, including Samsung Galaxy devices as well as the Google Nexus smartphone.

But this flaw is so serious that it could spread like wildfire, and would allow a hacker to gain access to potentially billions of smartphones.

Artenstein is calling the flaw ‘Broadpwn’, and he responsibly reported the Broadpwn vulnerabilities to the impacted vendors, who have already patched the issue. Apple users should ensure their iPhones are updated immediately to iOS 10.3.3 (released 20 July), whereas Android users should apply the July security update for Android.

The flaw in the Broadcom Wi-Fi chip allows the attacker to attacker to write programs directly on to the chip, thereby seizing control of it. Artenstein at Black Hat demonstrated a proof-of-concept for what an attacker could do with the bug, a video of which can be viewed here.

He infected a Samsung Galaxy device with his custom “worm” (i.e self-replicating malware), and then watching as the Galaxy phone proceeded to infect another Samsung phone – with no intervention required.

This is what makes this vulnerability particularly special, interesting and powerful, Artenstein reportedly said. The victim doesn’t have to do anything to be infected, the attacker doesn’t need to know anything about the device they’re targeting, and the system being targeted can be taken over without crashing.

Worm Infection

“When I started working in this field, we had worms,” Atenstein was quoted by the Guardian newspaper as saying: “self-propagating malware which could be run across the network. There were quite a few in the good old days. They died out, together with remote exploits: worms pretty much need them to propagate.

“But Broadpwn is a perfect bug for this kind of thing,” he added. “A pretty good location to make the first wi-fi worm and the first network worm in a few years.”

The danger of this flaw was that it works like a normal everyday virus that infects humans. It simply needed two vulnerable devices to be close to one another for the worm to jump across and infect the second device.

The good news however is that the Broadpwn bug did have limitations, mainly the fact that it couldn’t jump from the Wi-Fi chip’s firmware to the actual device itself.

This is not the first time that a flaw has been found on Broadcom’s Wi-Fi chipset.

In April Google’s Project Zero, warned of a vulnerability with Broadcom’s Wi-Fi chips that allowed attackers to take over the Wi-Fi functions of the affected devices.

Quiz: Do you know all about security in 2017?