You’ve probably heard that using public or insecure Wi-Fi networks can be dangerous. Well, this point is now being reinforced by a recent disclosure by Google’s Project Zero concerning a serious security vulnerability in Broadcom Wi-Fi chips. This is the Wi-Fi hardware used by numerous smart devices, and there’s a good chance you might use an affected device.
Technically, this security vulnerability applies to both iOS and Android devices that use the affected Wi-Fi chips, but Apple has already plugged this hole in the iOS 10.3.1 update. Left exposed now are Android devices, which are slow to receive software updates; many are likely never going to get one at all.
Official Google devices are set to receive the Wi-Fi fixes in the April security patches. Affected Google devices include: Nexus 6, Nexus 6P, Nexus 9, Pixel C and Nexus Player. If you have one of these devices, you should quickly check to see if you have the April update available. The Google Pixel and Pixel XL smartphones apparently don’t use these Broadcom Wi-Fi chips.
In a nutshell, this new vulnerability allows a malicious attacker, who is on the same Wi-Fi network as an affected device, to send specially crafted Wi-Fi frames that can cause the affected device to execute malicious code. No user interaction is required at all on the affected device.
In other words, if you own an affected Android device and, say, join a public Wi-Fi network at your favourite cafe, a malicious attacker can sit down near you and potentially fully take over your smartphone.
Project Zero’s researcher demonstrated the proof of concept on a fully updated (at the time) Nexus 6P running Android 7.1.1, build NUF26K. His highly detailed blog post provides all the technical information.
While the demonstration uses just one specific attack vector, numerous vulnerabilities have been identified in the Broadcom Wi-Fi chip, or more specifically in the firmware running on the Wi-Fi SoC (system-on-chip). Broadcom Wi-Fi chips are widely used in numerous smart devices, including most Samsung flagships.
Most security research has focused primarily on applications and operating systems; less attention is given to firmware, and specifically to the firmware on hardware components other than the main processor. Wi-Fi on smartphones, for example, is now commonly implemented in a system-on-chip that is pretty much a small computer of its own, capable of running software.
The Broadcom BCM4339 Wi-Fi SoC, for example, includes an ARM Cortex R4 core, 640 KB of ROM, and 768 KB of RAM.
Firmware on these devices can be incredibly complex, but it often lags behind in terms of security and lacks even basic exploit mitigations, compared with the operating system and other software running on the main processor.
In this case, the fix is needed in the Broadcom firmware itself, not in the Android operating system per se. However, unlike on a PC, where you can install a driver update independently of the operating system, Android devices need an operating system update to deliver the firmware fix.
What can you do if you have an affected device, and you don’t have a software fix available?
You have to eliminate the possibility of a malicious attacker reaching your smart device over Wi-Fi. The best protection is to not use Wi-Fi at all, or at least not public Wi-Fi or any network you can’t completely trust.
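If you want to check quickly whether one of the Google devices listed above has actually received the April update, the security patch level is the thing to look at. The script below is an added example, not code from the article or from Google: it parses the output of `adb shell getprop` and classifies the device as patched, exposed, or not on the affected list. The `getprop` sample is constructed to resemble a Nexus 6P on build NUF26K; the `ro.product.model` strings for the listed devices and the assumption that the fix ships under the `2017-04-05` patch level (the article only says "April") are mine, so adjust `FIX_LEVEL` if your OEM's bulletin places the fix under a different level.

```python
"""
Check whether an Android device still lacks the April 2017 security patches that
carry the Broadcom Wi-Fi firmware fix.

Added example, not part of the original article. Parses `adb shell getprop`
output (a constructed sample is embedded below) and classifies the device.

Assumptions not stated on the page:
  * the fix ships with security patch level 2017-04-05;
  * ro.product.model strings match the marketing names in AFFECTED_MODELS.
"""
import re
from datetime import date

# Google devices the article names as receiving the Wi-Fi fix in the April patches.
AFFECTED_MODELS = {"Nexus 6", "Nexus 6P", "Nexus 9", "Pixel C", "Nexus Player"}

# Assumed patch level carrying the Broadcom firmware fix (not given on the page).
FIX_LEVEL = date(2017, 4, 5)

# `getprop` prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn getprop output into a dict, silently skipping lines that are not properties."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_patch_level(value):
    """ro.build.version.security_patch is YYYY-MM-DD; return a date, or None if malformed/missing."""
    try:
        y, m, d = (int(part) for part in value.split("-"))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None


def device_status(props: dict, fix_level: date = FIX_LEVEL) -> str:
    """
    Classify a device from its properties:
      'not_listed' - model is not one of the affected Google devices named in the article
      'patched'    - listed model whose patch level is at or after fix_level
      'exposed'    - listed model with an older, missing or unparseable patch level
    A missing or malformed patch level is treated as exposed, i.e. we fail closed.
    """
    model = props.get("ro.product.model", "")
    if model not in AFFECTED_MODELS:
        return "not_listed"
    level = parse_patch_level(props.get("ro.build.version.security_patch"))
    if level is not None and level >= fix_level:
        return "patched"
    return "exposed"


# Constructed sample resembling `adb shell getprop` on a Nexus 6P running the
# build the article mentions (NUF26K), before the April patches.
SAMPLE_NEXUS_6P = """\
[ro.product.model]: [Nexus 6P]
[ro.build.display.id]: [NUF26K]
[ro.build.version.release]: [7.1.1]
[ro.build.version.security_patch]: [2017-03-05]
"""

# Same constructed device after the April update (patch level set to FIX_LEVEL).
SAMPLE_NEXUS_6P_PATCHED = SAMPLE_NEXUS_6P.replace("2017-03-05", "2017-04-05")

# Constructed sample for a model the article says does not use the Broadcom chip.
SAMPLE_PIXEL = """\
[ro.product.model]: [Pixel XL]
[ro.build.version.security_patch]: [2017-03-05]
"""

if __name__ == "__main__":
    for name, text in (("Nexus 6P", SAMPLE_NEXUS_6P),
                       ("Nexus 6P (April)", SAMPLE_NEXUS_6P_PATCHED),
                       ("Pixel XL", SAMPLE_PIXEL)):
        print(f"{name:18} -> {device_status(parse_getprop(text))}")
```

To run it against a real phone, pipe `adb shell getprop` into `parse_getprop` instead of the embedded sample. Note that "not_listed" only means the model is not one of the Google devices the article names; other manufacturers' devices with Broadcom chips need their own vendor's bulletin to judge.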