Broadcom closes leak that allows remote code execution on Wi-Fi chipset

Google researcher Gal Beniamini has discovered several vulnerabilities in the firmware of the Broadcom WiFi chipset, which can be found in recent iPhones, Nexus and Samsung devices, among others. Patches have since been released.

Beniamini detailed the process of finding the leaks in an extensive blog post. As a result, he was able to find some stack overflow vulnerabilities, as well as two vulnerabilities in the implementation of tdls, which allow Wi-Fi devices to exchange data without having to send it through an access point. The technology should therefore prevent network congestion. In his presentation, he focuses on those last two leaks.

To do this, the researcher wrote an exploit that allowed remote code execution on the Broadcom soc, without requiring any interaction on the victim’s side. It concerns a stack overflow by means of special tdls frames. He announces that he will describe in a second blog post how he accesses the kernel from there. The combination of both techniques eventually leads to the complete takeover of a device by only being within WiFi range. Beniamini carried out the attack on a then fully patched Nexus 6P with Android 7.1.1.

The researcher, who is part of the Project Zero team, informed Broadcom of his findings and the manufacturer has since released patches. The company also promises to implement hardware security and exploit mitigation in the future socs, which Beniamini describes as ‘an interesting development and a step in the right direction’. The availability of the Broadcom patches was the reason Apple released an emergency patch in iOS 10.3.1 this week, in which it refers to the vulnerability. It is unclear whether further access to the kernel was possible in that case. Google also released a patch.