Millions of smartphones and smart gadgets, including Apple iOS and many Android handsets from various manufacturers, equipped with Broadcom Wifi chips that support Cisco Centralized Key Management (CKKM) Fast Secure Roaming feature are vulnerable to over-the-air hijacking without any user interaction.
Just yesterday, Apple rushed out an emergency iOS 10.3.1 patch update to address a serious bug that could allow an attacker within same Wifi network to remotely execute malicious code on the Broadcom WiFi SoC (Software-on-Chip) used in iPhones, iPads, and iPods.
The vulnerability (CVE-2017-6957) was described as the stack buffer overflow issue and was discovered by Google’s Project Zero staffer Gal Beniamini, who today detailed his research on a lengthy blog post, saying the flaw affects not only Apple but all those devices using Broadcom’s Wi-Fi stack.
Beniamini says this stack buffer overflow issue in the Broadcom firmware code could lead to remote code execution vulnerability, allowing an attacker in the smartphone’s WiFi range to send and execute code on the device.
Attackers with high skills can also deploy malicious code to take full control over the victim’s device and install malicious apps, like banking Trojans, ransomware, and adware, without the victim’s knowledge.
In his next blog post that’s already on its way, Beniamini will explain how attackers can use their assumed control of the Wi-Fi SoC in order to further escalate their privileges into the application processor, taking over the host’s operating system.
Over-the-Air Broadcom Wi-Fi SoC Hack
According to the researcher, the firmware running on Broadcom WiFi SoC can be tricked into overrunning its stack buffers, which allowed him to send carefully crafted WiFi frames, with abnormal values, to the Wi-Fi controller in order to overflow the firmware’s stack.
Beniamini then combined this value with the frequent timer firings of the chipset to gradually overwrite specific chunks of device’s memory (RAM) until his malicious code is executed.
So, to exploit the flaw, an attacker needs to be within the WiFi range of the affected device to silently take over it.
“While the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security,” Beniamini explains. “Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection.”
The researcher also detailed a proof-of-concept Wi-Fi remote code execution exploit in the blog post and successfully performed it on a then-fully updated (now fixed) Nexus 6P, running Android 7.1.1 version NUF26K – the latest available Nexus device at the time of testing in February.
The flaw is one of the several vulnerabilities discovered by Beniamini in the firmware version 22.214.171.124 of Broadcom Wi-Fi chips.
Security Patch for Nexus & iOS Released; Others Have to Wait!
Google Project Zero team reported the issue to Broadcom in December. Since the flaw is in Broadcom’s code, smartphone makers had to wait for a patch from the chip vendor before testing the patch and pushing it out to their own user base.
Both Apple and Google addressed the vulnerability with security updates released on Monday, with Google delivering updates via its Android April 2017 Security Bulletin and Apple releasing the iOS 10.3.1 update.
The flaw still affects most Samsung flagship devices, including Galaxy S7 (G930F, G930V), Galaxy S7 Edge (G935F, G9350), Galaxy S6 Edge (G925V), Galaxy S5 (G900F), and Galaxy Note 4 (N910F), the researcher says.
For more technical details head on to the blog post published by Google Project Zero team today.