Broadpwn
Remote exploits that compromise Android and iOS devices without user interaction have become an endangered species in recent years. Such exploits present a unique challenge: without access to the rich scripting environment of the browser, exploit developers have had a hard time bypassing mitigations such as DEP and ASLR.
But what happens when, underneath your heavily hardened OS, a separate chip parses all your Wi-Fi packets – and runs with no exploit mitigations whatsoever?
Meet Broadpwn, a vulnerability in Broadcom’s Wi-Fi chipsets which affects millions of Android and iOS devices, and can be triggered remotely, without user interaction. The Broadcom BCM43xx family of Wi-Fi chips is found in an extraordinarily wide range of mobile devices – from various iPhone models, to HTC, LG, Nexus and practically the full range of Samsung flagship devices.
Nitay Artenstein documented the critical vulnerability in detail in a blog post. His talk at Black Hat took place yesterday. So far, the only recording of it is a shaky seven-minute video shot from the audience.
iOS 10.3.3 closed the vulnerability in the Wi-Fi chip 10 days ago; it affected all devices from the iPhone 5 onward. Google had already celebrated its mega patch day at the beginning of July, which also addressed the Broadcom flaw. It remains to be hoped that as many Android manufacturers as possible join the update party promptly.
Broadpwn is gaining popularity not only because of its significant reach, but because Nitay Artenstein classifies it as a computer worm.
The nature of the bug, which can be triggered without any need for authentication, and the stability of the exploit, which deterministically and reliably reaches code execution, lead us to the return of an old friend: the self-propagating malware, also known as a “worm”.
Worms died out around the end of the last decade, together with their essential companion, the remote exploit. They have died out for the same reason: software mitigations have become too mature, and automatic infection over the network became a distant memory. Until now.
Broadpwn is ideal for propagation over WLAN: It does not require authentication, doesn’t need an infoleak from the target device, and doesn’t require complicated logic to carry out. Using the information provided above, an attacker can turn a compromised device into a mobile infection station.