Project Zero Finds iPhone & Android Open to Bugs in Broadcom's Wi-Fi Chips
No one is safe anymore, it seems. Google's Project Zero has just uncovered how easy it is for attackers to target your phone's Wi-Fi chip, which is essentially a mini processor for Wi-Fi that detects and processes networks.
Most iPhone and Android phones run on a Broadcom Wi-Fi system on a chip (SoC). Google's security researcher Gal Beniamini found a number of bugs on these SoCs, which affect the iPhone 4 all the way through to the iPhone 7, most of Google's Nexus handsets, and almost all Samsung Galaxy devices.
The bugs don't stop there, either. Beniamini went on to note that Wi-Fi routers can be easy targets, too, so both sides of your phone's wireless internet connection could be vulnerable to theoretical attacks.
Android has done a lot of work to patch up its security system within the last year. Apple has also gone to great lengths to keep its systems secure, but this is where Beniamini says attackers found an opportunity to "pick the path of least resistance."
Broadcom's Wi-Fi chips were the most attractive and easiest target for an attacker trying to get past iOS or Android security, because Broadcom is the most commonly used Wi-Fi SoC in mobile devices. Wi-Fi chips run extremely complex code, complex enough that it contains vulnerabilities an attacker could use to slip by without the phone's user ever noticing.
According to Beniamini in his blog post on Broadcom's Wi-Fi stack:
We've seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations - including stack cookies, safe unlinking and access permission protection (by means of an MPU).
Two working exploits built on these bugs were triggered in Broadcom's Wi-Fi SoC when connecting to networks that support wireless roaming. According to ZDNet, "one occurred during the handling of the IEEE 802.11r Fast BSS Transition Feature's authentication response, while the other can be triggered when Cisco's proprietary CCKM Fast and Secure Roaming feature parsed a reassociation response."
The attacker was able to trigger vulnerabilities within Broadcom's code simply by being on the same Wi-Fi network as the targeted phone. Beniamini was then able to backtrack and look for what he calls "tags," which are chunks of data, or "Information Elements" (IEs) within the Wi-Fi management system:
The presence of the 802.11r FT feature is indicated by the "fbt" tag. Similarly, support for CCKM is indicated by the "ccx" tag. Unfortunately, it seems that the Nexus 6P supports neither of these features. In fact, running a quick search for the "ccx" feature (CCKM support) on my own repository of Android firmware images revealed that this feature is not supported on any Nexus device, but is supported on a wide variety of Samsung flagship devices, a very partial list of which includes the Galaxy S7 (G930F, G930V), the Galaxy S7 Edge (G935F, G9350), the Galaxy S6 Edge (G925V) and many more.
While combing through the firmware repository, Beniamini found two other tags relating to "Tunneled Direct Link Setup" (TDLS). TDLS is a connection that lets you share data directly with other people on the same Wi-Fi network, similar to how AirDrop works on the iPhone, but most importantly for us here, it means TDLS is another firmware feature whose handling can be exploited.
While researching TDLS, which appears in the Wi-Fi firmware as the "betdls" and "tdls" tags, Beniamini concluded that attackers could exploit TDLS bugs in the Wi-Fi SoC code on a broad range of devices, since "a vast majority of devices do, indeed, support TDLS. This includes all recent Nexus devices (Nexus 5, 6, 6P) and most Samsung flagships."
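Both the roaming bugs and the TDLS bugs described above live in code that parses Information Elements (IEs), the ID/length/value records carried in 802.11 management frames. The following is an added example written for this article, not Project Zero's or Broadcom's code: a small defensive IE parser that refuses any element whose declared length runs past the frame buffer, and a bounded copy helper of the kind a firmware would need to safely move an IE into a fixed-size buffer. The element IDs in the lookup table come from the IEEE 802.11 standard; the frame bytes are constructed sample input, and the function names are this example's own.

```python
"""Defensive parsing of 802.11 Information Elements (tagged parameters).

Added example for illustration; not code from Project Zero or Broadcom.
"""
from typing import Dict, List, Optional, Tuple

# Well-known Element IDs from IEEE 802.11 (a small subset, for display only).
ELEMENT_NAMES: Dict[int, str] = {
    0: "SSID",
    1: "Supported Rates",
    48: "RSN",
    54: "Mobility Domain (802.11r)",
    55: "Fast BSS Transition (802.11r)",
    101: "Link Identifier (TDLS)",
}


class MalformedIE(ValueError):
    """Raised when an element's header or declared length is inconsistent."""


def parse_ies(buf: bytes, max_elems: int = 64) -> List[Tuple[int, bytes]]:
    """Walk a sequence of (ID, Length, Value) elements.

    Every length byte is checked against the bytes actually remaining in
    the buffer before the value is touched; an element that claims more
    data than exists is rejected instead of being read past the end.
    """
    elems: List[Tuple[int, bytes]] = []
    off, n = 0, len(buf)
    while off < n:
        if n - off < 2:
            raise MalformedIE(f"truncated IE header at offset {off}")
        eid, length = buf[off], buf[off + 1]
        value_start = off + 2
        value_end = value_start + length
        if value_end > n:
            # The classic bug: trusting the length byte without this check.
            raise MalformedIE(
                f"IE {eid} at offset {off} declares {length} bytes "
                f"but only {n - value_start} remain"
            )
        elems.append((eid, buf[value_start:value_end]))
        if len(elems) > max_elems:
            raise MalformedIE("too many elements in frame")
        off = value_end
    return elems


def find_ie(elems: List[Tuple[int, bytes]], eid: int) -> Optional[bytes]:
    """Return the value of the first element with the given ID, if present."""
    for cur_id, value in elems:
        if cur_id == eid:
            return value
    return None


def copy_ie_bounded(elems: List[Tuple[int, bytes]], eid: int,
                    dest_size: int) -> bytearray:
    """Copy an element's value into a fixed-size destination buffer.

    Mirrors what firmware must do before memcpy-ing an IE into a struct
    field: the copy is only performed if the value fits the destination.
    """
    value = find_ie(elems, eid)
    if value is None:
        raise KeyError(f"IE {eid} not present")
    if len(value) > dest_size:
        raise MalformedIE(
            f"IE {eid} ({ELEMENT_NAMES.get(eid, 'unknown')}) is "
            f"{len(value)} bytes, destination holds {dest_size}"
        )
    dest = bytearray(dest_size)  # zero-filled fixed-size buffer
    dest[: len(value)] = value
    return dest


# Constructed sample frames (not captured traffic).
GOOD_FRAME = bytes([0, 4]) + b"test" + bytes([101, 3]) + b"\x01\x02\x03"
# Length byte promises 4 bytes of SSID but only 2 are present.
BAD_LENGTH_FRAME = bytes([0, 4]) + b"te"


def describe(buf: bytes) -> List[str]:
    """Human-readable summary of a frame's elements, or the parse error."""
    try:
        return [f"{ELEMENT_NAMES.get(eid, f'ID {eid}')}: {value.hex()}"
                for eid, value in parse_ies(buf)]
    except MalformedIE as exc:
        return [f"rejected: {exc}"]


if __name__ == "__main__":
    for line in describe(GOOD_FRAME) + describe(BAD_LENGTH_FRAME):
        print(line)
```

The point of `copy_ie_bounded` is that the length check happens against the destination, not just the source frame: a frame can be perfectly well-formed and still carry an element larger than the fixed-size field the firmware wants to store it in.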
Ultimately, the three companies are working to plug up all the holes. Beniamini patched up the vulnerabilities for iOS 10.3.1 for iPhone users, and also alerted Google. Broadcom is also working on fixing the vulnerabilities within its systems to prevent an attacker from executing code on its Wi-Fi chip, so stay on the lookout for firmware updates for both your phone and your router.