
iPhone, Android hit by Broadcom Wi-Fi chip bugs: Now Apple, Google plug flaws


Bugs in Broadcom’s Wi-Fi SoC affected the iPhone 5 through to the iPhone 7, along with many Android devices, including Google’s Nexus handsets, and Samsung’s latest Galaxy flagships.


Patches released this week for Android and iOS draw attention to one of the softer targets powering our phones: increasingly complex, but not so well defended, Wi-Fi chips.

iPhone owners can thank Google Project Zero security researcher Gal Beniamini for the fix in iOS 10.3.1 that prevents an attacker executing code on its Wi-Fi chip. The bug affected the iPhone 5 through to the iPhone 7 which, like most smartphones, rely on a Broadcom Wi-Fi system on chip (SoC).

Many Android devices were also affected by several bugs Beniamini found in Broadcom’s Wi-Fi SoC, including Google’s Nexus handsets — which were patched in the April Android security update — and Samsung’s latest Galaxy flagships.

Besides smartphones and tablets, many other devices with Broadcom Wi-Fi chips could also be affected, including Wi-Fi routers, according to Beniamini.

A lot of work has gone into improving the security of code running on the application processor, such as the Android operating system and its applications, the researcher explained in a blogpost published on Tuesday.

Given this work, and attackers’ tendency to pick the path of least resistance, it’s plausible they’d move on to a less difficult but attractive target in their search for remotely exploitable bugs. Broadcom’s Wi-Fi SoC is particularly attractive because it’s the most widely used Wi-Fi chip for mobile devices.

Such SoCs are also attractive because they’re running complex code that’s likely to introduce vulnerabilities. As noted by Beniamini, so-called FullMAC standalone Wi-Fi chips have been introduced on mobile devices to handle more complex Wi-Fi features and take some of the load off the application processor, helping extend battery life.

The tradeoff is that “running proprietary and complex code bases may weaken the overall security of the devices and introduce vulnerabilities, which could compromise the entire system”, he said.

Beniamini found two variants of a stack buffer overflow in Broadcom’s Wi-Fi SoC. One occurs when handling the authentication response of the IEEE 802.11r Fast BSS Transition (FT) feature, while the other can be triggered when the implementation of Cisco’s proprietary CCKM Fast and Secure Roaming feature parses a reassociation response.

Both implementations allow a network to support wireless roaming, enabling devices to roam quickly between Wi-Fi access points.

Determining which devices support these roaming features requires analyzing the chip’s firmware image. According to Beniamini, 802.11r FT support is indicated by the ‘fbt’ tag, while CCKM support is indicated by the ‘ccx’ tag.

The ccx tag was found in several Galaxy models, including the “Galaxy S7 (G930F, G930V), the Galaxy S7 Edge (G935F, G9350), the Galaxy S6 Edge (G925V) and many more”, according to Beniamini, while iPhone and iPad support for the 802.11r FT implementation resulted in the iOS 10.3.1 update.
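The firmware check described above can be scripted to inventory which images in a device fleet include the affected roaming code. This is an added example, not code from Beniamini's write-up or from Broadcom; it assumes the feature tags appear as hyphen-separated tokens in a printable build string inside the image, and the sample blobs are constructed.

```python
import re

# Tags named in the article and the roaming feature each one indicates.
ROAMING_TAGS = {"fbt": "802.11r Fast BSS Transition", "ccx": "Cisco CCKM roaming"}

# Assumption: feature tags live in a printable, hyphen-separated build string.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
TOKEN_SPLIT = re.compile(r"[-/ ]+")


def printable_strings(blob: bytes):
    """Yield printable ASCII runs of 8+ characters, like strings(1)."""
    for match in PRINTABLE_RUN.finditer(blob):
        yield match.group().decode("ascii")


def feature_tags(blob: bytes) -> set:
    """Collect lowercase tokens from strings that look like tag lists (4+ hyphens)."""
    tags = set()
    for text in printable_strings(blob):
        if text.count("-") < 4:
            continue
        tags.update(tok.lower() for tok in TOKEN_SPLIT.split(text) if tok)
    return tags


def roaming_support(blob: bytes) -> dict:
    """Report, per article tag, whether it is present as a whole token."""
    tags = feature_tags(blob)
    return {tag: tag in tags for tag in ROAMING_TAGS}


# Constructed sample images (not real firmware): binary padding around a build string.
SAMPLE_WITH_BOTH = (b"\x00\x01\xff" * 16
                    + b"chipx-bus-ag-p2p-fbt-ccx-tdls Version: 0.0.0 (constructed)\x00"
                    + b"\xfe" * 8)
SAMPLE_FBT_ONLY = b"\x7f\x00" * 8 + b"chipy-bus-ag-p2p-fbt-mfp (constructed)\x00"
# A naive substring search would flag this image; whole-token matching does not.
SAMPLE_DECOY = b"\x00" * 4 + b"ccxfbtlookalike-only-as-substring-not-a-tag-here\x00"

if __name__ == "__main__":
    for name, blob in [("both", SAMPLE_WITH_BOTH), ("fbt-only", SAMPLE_FBT_ONLY),
                       ("decoy", SAMPLE_DECOY)]:
        print(name, roaming_support(blob))
```

Matching whole tokens rather than raw substrings keeps unrelated strings that merely contain "fbt" or "ccx" from being counted as feature support.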

In both cases, insufficient validation allowed an attacker to craft an attack that triggers a stack buffer overflow.

He also found two other heap overflow bugs in the implementation of Tunneled Direct Link Setup (TDLS), which allows two peers on a Wi-Fi network to exchange data directly, instead of relying on the access point. Beniamini found that most Samsung devices support TDLS, as do the Nexus 5, Nexus 6, and Nexus 6P.

Project Zero reported the issues to Broadcom in late December and the chipmaker was able to release fixes to vendors by late March, in some cases requesting an extension on Google’s usual 90-day deadline.

Beniamini says his analysis showed that the Wi-Fi SoC is “incredibly complex” but still “lacks basic exploit mitigations, such as stack cookies, safe unlinking”.

It also didn’t use the Memory Protection Unit security feature available in the ARM Cortex R4 to protect access permissions over memory in RAM.

However, Broadcom says newer versions of its SoC do use MPU and other hardware security mechanisms, and it is considering exploit mitigations in future firmware.
