Gal Beniamini of Google Project Zero recently published a proof-of-concept for a remote code execution (RCE) vulnerability present in Broadcom 802.11k Wi-Fi hardware running firmware version BCM4355C0.
The flaw affects a number of smartphones, including the iPhone 7 and some Android devices, as well as smart TVs running tvOS.
This vulnerability (CVE-2017-11120) doesn’t need the victim to take any action aside from connecting to a rogue Wi-Fi network owned by the attacker—there’s no app that needs to be installed or phishy link that needs clicking. Once the victim connects their devices to the rogue network, the attacker can install a backdoor onto the victim’s device that gives them full read and write access to its firmware.
Not a big surprise, then, that Google gave this vulnerability the highest rating, Critical, in its September 5 Android security bulletin.
Researchers working on this vulnerability were able to confirm that it exists in the iPhone 7 and Galaxy S7 Edge firmware. It’s believed that it’s also present in all versions of iOS up to 10.3.3. Details weren’t published until 25 September 2017, by which time fixes for iOS, tvOS and Android had been made available.
This vulnerability has a number of similarities to another Broadcom flaw discovered earlier this year by Beniamini – colloquially called BroadPwn. NakedSecurity’s own Paul Ducklin did a remarkable job with a deep dive into BroadPwn and how it worked, so why not pour yourself a coffee and give that a read too.
Thankfully the fix for this serious problem is pretty simple for most users: update now.
Both BroadPwn and this yet-to-be-named vulnerability (The Return of BroadPwn?) serve as a reminder that keeping your mobile devices up-to-date is your first line of defense against potentially devastating RCEs. And in the case of this bug in particular, it’s also a warning about the dangers of connecting your devices to just any old public Wi-Fi.
Not sure if your device is affected? Some of the devices that should be patched right away are listed below.
Update the following Apple products to the latest release (the 25 September release as of this writing):
- iPhone 5s or later
- iPad Air or later
- iPod Touch 6th generation or later
- Apple TV 4th generation
This vulnerability is addressed in the 2017-09-05 security patch for Android.