A researcher from Google Project Zero recently disclosed a remote code execution exploit that can potentially take over a range of devices with Broadcom Wi-Fi chips. The exploit was tested on the iOS 10.2 platform, and the researcher added that all versions up to iOS 10.3.3 should be vulnerable as well. The exploit could also affect Android devices and other devices with Broadcom chips.
The exploit is rooted in CVE-2017-11120 and could permit an attacker to insert a backdoor and arbitrarily write commands.The vulnerability is in the firmware of Broadcom chips and allows attackers to trigger a heap overflow. This exploit is similar to Broadpwn, a widely-discussed zero-day that was exposed earlier this year.
The researcher highlights the severity of attacks related to these types of chips, which are capable of handling Wi-Fi related events without delegating to the host operating system. There have already been discussions about how these Wi-Fi controllers are promising avenues for attacking a smartphone because they don’t have strict protections, unlike the core OS or “kernel” of modern phones that are tightly secured.
Apple’s security updates released last week addressed this vulnerability, and the company released a fix for the tvOS as well. Google patched the vulnerability with their Android Security Bulletin, released on September 5.
Bad guys will never stop trying to find different ways to attack or exploit hardware or software flaws. Manufacturers are advised to take more precautions with third parties that supply their parts, or ensure that the OS has policies in place that can limit the damage these parts can cause if they have exploitable vulnerabilities.
To improve mobile security, users can strengthen their defenses with comprehensive solutions like Trend Micro™ Mobile Security for Android™ (available on Google Play) and Trend Micro™ Mobile Security for Apple devices (available on the App Store). Trend Micro’s Mobile App Reputation Service (MARS) already covers Android and iOS threats using leading sandbox and machine learning technology. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.