Broadcom WiFi bug lets you hack iPhone and Android phones over the air

Posted on Wednesday, April 05 2017 @ 15:51 CEST by Thomas De Maesschalck
Google Project Zero security researcher Gal Beniamini discovered gaping security flaws in a Broadcom WiFi SoC that is used by all iPhones since the iPhone 4, various iPads, as well as many Android-based smartphones and tablets, including the Google Nexus and most Samsung Galaxy flagship devices.

What makes the vulnerability worrying is that it allows attackers to perform a buffer overflow and execute arbitrary code on affected devices, without requiring any user input. An attacker merely needs to be within WiFi range.
Here's a summary of the work by Google Project Zero's Gal Beniamini: the firmware running on Broadcom's wireless system-on-chip (SoC) can be tricked into overrunning its stack buffers. He was able to send carefully crafted wireless frames, with abnormal values in the metadata, to the Wi-Fi controller to overflow the firmware's stack, and combine this with the chipset's frequent timer firings to gradually overwrite specific chunks of device RAM until arbitrary code is executed. In other words, an attacker simply needs to be within Wi-Fi range to silently take over an at-risk Apple or Android device.
Beniamini claims most security work focuses on application processors, and that components like the Broadcom WiFi SoC get little attention despite being used in some of the best-selling smartphones. He adds that Broadcom's firmware implementation is poor in terms of security: it lacks all basic exploit mitigations, including stack cookies, safe unlinking and access permission protection.
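To make the bug class concrete, here is an added example in C of the length check a frame parser needs before copying element metadata into a fixed-size stack buffer; it is not Broadcom's firmware code nor from Beniamini's writeup, and the tag/length/value layout, the 32-byte buffer and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical capacity of the firmware's fixed stack buffer (assumption). */
#define IE_VALUE_MAX 32

enum parse_result { IE_OK = 0, IE_TRUNCATED = -1, IE_TOO_LONG = -2, IE_SHORT = -3 };

struct ie {
    uint8_t tag;
    uint8_t len;
    uint8_t value[IE_VALUE_MAX];
};

/* Copies one tag/length/value element from a received frame into a fixed-size
 * buffer. The bug class the article describes is this same copy performed with
 * `len` taken straight from the frame's metadata; here the declared length is
 * checked against both the bytes actually received and the buffer capacity. */
int parse_ie_checked(const uint8_t *frame, size_t frame_len, struct ie *out)
{
    if (frame == NULL || out == NULL || frame_len < 2)
        return IE_SHORT;                 /* need at least a tag and a length byte */
    uint8_t len = frame[1];
    if ((size_t)len > frame_len - 2)
        return IE_TRUNCATED;             /* metadata claims more bytes than present */
    if (len > IE_VALUE_MAX)
        return IE_TOO_LONG;              /* abnormal length larger than the buffer */
    out->tag = frame[0];
    out->len = len;
    memcpy(out->value, frame + 2, len);
    return IE_OK;
}

/* Builds a constructed element: tag, declared length, then `present` value
 * bytes of 'A'. `present` may differ from `len` to model a frame whose
 * metadata lies about its own length. Returns the frame size. */
size_t build_frame(uint8_t *buf, uint8_t tag, uint8_t len, size_t present)
{
    buf[0] = tag;
    buf[1] = len;
    memset(buf + 2, 'A', present);
    return present + 2;
}

/* Parses one constructed element into a stack-resident struct, as firmware would. */
int demo_case(uint8_t len, size_t present)
{
    uint8_t frame[2 + 255];
    struct ie parsed;                    /* the fixed-size stack buffer */
    size_t n = build_frame(frame, 0xDD, len, present);
    return parse_ie_checked(frame, n, &parsed);
}
```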

Broadcom was made aware of the issue and has rolled out patches, which have been adopted by the latest versions of Apple's iOS and Google's Android.
