
Wi-Fi Bug Leaves Android & iPhone Seriously Vulnerable To Hackers

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.


Apple and Google handsets have been patched, but other Android devices may still be vulnerable to the Broadcom Wi-Fi chipset attack

Computer security experts are warning users of Apple and Android mobile devices to apply patches to fix vulnerabilities affecting widely used Wi-Fi hardware.

The bugs, reported by Google’s Project Zero, affect Wi-Fi chips made by Broadcom, the most common Wi-Fi chipsets on mobile devices.


iPhone, Android affected

The affected chipsets are used by all iPhones since the iPhone 4, most Samsung flagship Android devices and Google’s Nexus 5, 6 and 6P, amongst other handsets, Google said.

Google has released a proof-of-concept exploit demonstrating that the bugs could be used to take over the Wi-Fi functions of the affected devices, and said it plans to demonstrate how that attack can then be used to take complete control of affected devices in a further advisory.

The attacks can be launched by anyone using the same Wi-Fi network as a vulnerable device, according to Google.

Apple said it fixed the issues in its iOS 10.3.1 update, released only days after the major iOS 10.3 release.

The company acknowledged the flaws could allow an attacker within range to “execute arbitrary code on the Wi-Fi chip”.

Google has also released patches for Android addressing the issues, but availability for specific devices varies by manufacturer or wireless carrier.


Security ‘lag’

That means Apple’s iPhones and Google’s Nexus and Pixel devices running up-to-date software are protected from the flaws, but other devices may still be vulnerable.

Google security researcher Gal Beniamini said the flaws result from the fact that Broadcom’s chips neglect to use modern security techniques such as code heap cookies, data execution prevention (DEP) and address space layout randomisation (ASLR). As a result, exploits including stack buffer overflows and heap overflows are made possible.

“While the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security,” he wrote.

He published exploit code demonstrating how an attacker could take over a Broadcom Wi-Fi chip.

The exploit could allow an attacker to steal information passing over the Wi-Fi connection, but could also be used to launch an attack on the main device, Beniamini said, promising to outline such an attack in a further blog post.

“We’ll see how we can use our assumed control of the Wi-Fi SoC in order to further escalate our privileges into the application processor, taking over the host’s operating system,” he wrote.

Security firm Sophos said the issues could easily extend to other Broadcom chipsets, making the scale of the security weaknesses involved difficult to estimate.

“The problem is that this particular bug and the current patches for it are more of an example and a symptom than a general fix,” wrote Sophos researcher Paul Ducklin in an advisory.

He said users should check with their smartphone wireless carrier or manufacturer for updates, and avoid using Wi-Fi in public places.
