Security researchers have found a critical vulnerability in a popular chipset used in smartphones that allows an attacker to launch a remote attack, delivered over Wi-Fi, against a targeted device.
Newer versions of Apple’s iPhone and many of Samsung’s flagship Android phones carry an affected Broadcom-manufactured chipset. While Apple patched the vulnerability on Monday with the release of iOS 10.3.1, a variety of Android devices remain susceptible to the proof-of-concept attack.
An Apple security advisory concerning the vulnerability notes, “an attacker within range may be able to execute arbitrary code on the Wi-Fi chip.” iOS 10.3.1 fixes the issue by patching a “stack buffer overflow” problem, the advisory reads.
The proof-of-concept exploit was developed by Google Project Zero researcher Gal Beniamini. Google plans to release its own patch in its April security bulletin, but the update will only be available to a “select number of device models,” according to Ars Technica.
Beniamini found vulnerabilities in the chips’ firmware relating to its implementation of Tunneled Direct Link Setup, or TDLS, which could be exploited through a stack overflow triggered by Wi-Fi frames carrying unusual values. Beniamini overwrote areas of the device’s memory with arbitrary shellcode; a hacker could theoretically use the same vulnerability to implant malicious code. To deliver a payload in this scenario, a hacker would need to be on the same Wi-Fi network as the target.
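The bug class described above, trusting a length field carried in a frame when copying into a fixed-size stack buffer, is easiest to see side by side with its fix. The following is an added illustration written for this page; it is not Beniamini's proof-of-concept and not Broadcom's firmware. The frame layout (a 2-byte header of type and declared length, followed by payload) is a constructed, hypothetical format and not the real 802.11 TDLS encoding; all function names and the sample frames are likewise invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, hypothetical frame layout used only for this illustration
 * (NOT the real TDLS encoding): a 2-byte header [type][decl_len] followed
 * by decl_len payload bytes, which the parser copies into a fixed buffer. */
#define HDR_LEN     2
#define PAYLOAD_CAP 16

enum parse_result { PARSE_OK = 0, PARSE_ERR_TRUNCATED, PARSE_ERR_TOO_LONG };

struct parsed {
    uint8_t type;
    uint8_t payload[PAYLOAD_CAP];   /* fixed-size destination buffer */
    size_t  payload_len;
};

/* The bug class from the article: the sender-controlled length field is
 * trusted and used to size the copy into a fixed buffer, so a frame that
 * declares more than PAYLOAD_CAP bytes overflows it. Kept for contrast
 * only; never run it on untrusted input. */
enum parse_result parse_frame_unsafe(const uint8_t *frame, size_t frame_len,
                                     struct parsed *out)
{
    if (frame_len < HDR_LEN)
        return PARSE_ERR_TRUNCATED;
    out->type = frame[0];
    out->payload_len = frame[1];
    memcpy(out->payload, frame + HDR_LEN, out->payload_len); /* unchecked */
    return PARSE_OK;
}

/* Hardened version: the declared length is checked against both the
 * destination capacity and the bytes actually present before any copy. */
enum parse_result parse_frame_checked(const uint8_t *frame, size_t frame_len,
                                      struct parsed *out)
{
    if (frame_len < HDR_LEN)
        return PARSE_ERR_TRUNCATED;
    size_t decl_len = frame[1];
    if (decl_len > PAYLOAD_CAP)          /* would overflow out->payload */
        return PARSE_ERR_TOO_LONG;
    if (decl_len > frame_len - HDR_LEN)  /* would read past the frame end */
        return PARSE_ERR_TRUNCATED;
    out->type = frame[0];
    out->payload_len = decl_len;
    memcpy(out->payload, frame + HDR_LEN, decl_len);
    return PARSE_OK;
}

/* Builds a constructed test frame: the header claims decl_len bytes while
 * actual_payload bytes of 0xAB are really appended. Returns the frame size. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t type, uint8_t decl_len,
                   size_t actual_payload)
{
    size_t total = HDR_LEN + actual_payload;
    if (cap < total)
        return 0;
    buf[0] = type;
    buf[1] = decl_len;
    memset(buf + HDR_LEN, 0xAB, actual_payload);
    return total;
}

/* Scenario helpers return the checked parser's verdict for each frame shape. */
enum parse_result scenario_well_formed(void)    /* claims 8 bytes, 8 present */
{
    uint8_t buf[256]; struct parsed p;
    size_t n = build_frame(buf, sizeof buf, 0x01, 8, 8);
    return parse_frame_checked(buf, n, &p);
}

enum parse_result scenario_oversized(void)      /* claims 200, 200 present */
{
    uint8_t buf[256]; struct parsed p;
    size_t n = build_frame(buf, sizeof buf, 0x01, 200, 200);
    return parse_frame_checked(buf, n, &p);
}

enum parse_result scenario_truncated(void)      /* claims 8, only 4 present */
{
    uint8_t buf[256]; struct parsed p;
    size_t n = build_frame(buf, sizeof buf, 0x01, 8, 4);
    return parse_frame_checked(buf, n, &p);
}

enum parse_result scenario_short_header(void)   /* one byte, no length field */
{
    uint8_t buf[1] = { 0x01 }; struct parsed p;
    return parse_frame_checked(buf, sizeof buf, &p);
}

/* On a benign frame both parsers agree; only the checked one survives the
 * hostile shapes above. Returns 1 when the two results match. */
int parsers_agree_on_benign(void)
{
    uint8_t buf[256]; struct parsed a, b;
    size_t n = build_frame(buf, sizeof buf, 0x02, 8, 8);
    return parse_frame_unsafe(buf, n, &a) == PARSE_OK &&
           parse_frame_checked(buf, n, &b) == PARSE_OK &&
           a.payload_len == b.payload_len &&
           memcmp(a.payload, b.payload, a.payload_len) == 0;
}

int main(void)
{
    printf("well-formed=%d oversized=%d truncated=%d short=%d agree=%d\n",
           scenario_well_formed(), scenario_oversized(), scenario_truncated(),
           scenario_short_header(), parsers_agree_on_benign());
    return 0;
}
```

The checked parser rejects two distinct errors that firmware parsers commonly conflate: a declared length larger than the destination (the overflow the article describes) and a declared length larger than what the frame actually carries (an over-read). Stack cookies, which Beniamini notes the firmware lacks, would only catch the first after the fact; the bounds checks prevent both before any copy happens.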
While the chip contains a Memory Protection Unit, or MPU, which could feasibly protect against elements of this exploit, Beniamini found that the MPU in the Broadcom product was configured in such a way that memory remains readable, writable and executable.
“This saves us some hassle,” he wrote, “we can conveniently execute our code directly from the heap.”
Generally speaking, the vulnerability found by Beniamini in the Broadcom chipset underscores a larger issue concerning a common lack of security protections in many different hardware platforms.
“We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security,” Beniamini wrote in a blog post, Monday. “Specifically, it lacks all basic exploit mitigations — including stack cookies, safe unlinking and access permission protection.”
He continued, “introducing these new pieces of hardware, running proprietary and complex code bases, may weaken the overall security of the devices and introduce vulnerabilities which could compromise the entire system.”
It’s not clear at the moment if a workaround exists for known, vulnerable Android devices.