Emergency Patch for Broadcom Drive-By Wi-Fi Security Hole


Yesterday we received an emergency patch released by Apple with the purpose of plugging a security hole. This was a really serious issue, since it could be used in order to take control over iPhones, iPads and iPods in a silent and wireless manner.

What is the cause?

This happened because the remote-code execution issue appeared in the Wi-Fi stak from Broadcom, which is used for Apple products. Lots of other Wi-Fi routers and handsets rely on the HardMAC chipset made by Broadcom, and as a consequence we should expect soon other tablet and phone producers to release patches. At the moment, any gadget that is using the vulnerable technology provided by Broadcom is risking an OTA (over-the-air) hijacking, not just the Apple products.

Gal Beniamini, who works at the Google Project Zero, summarized the issue quite well. The firmware that is used by the Broadcom wireless SoC (system on chip) can be forced to overrun its own stack buffers. He could actually send wireless frames to the Wi-Fi controller in order to overflow the initial stack, and then combined this action with firings for the CPU frequent timer, and so he could overwrite specific parts of the RAM until he executed arbitrary code.

In basic English, someone who wants to attack your device only needs to be in the Wi-Fi range so that they can gain control over an Apple or Android device. The hacker needs to connect to the same wireless network or they have to set up an open access point and the victim connects to it.

The Android devices that use this technology are the Nexus 5, 6 and 6P, together with most Samsung flagship devices. When it comes to iPhones, all the iPhone since the iPhone 4 and newer models of iPod and iPads are at risk.