The discoverer of the Broadpwn vulnerability, which was recently patched by Apple, among others, presented his research in Las Vegas on Thursday. During the presentation, Nitay Artenstein showed a demo of a worm that spreads between mobile devices via Wi-Fi.
He showed, for instance, how the malicious software could spread from phone to phone without the user having to do anything. With this he wanted to demonstrate the consequences of the Broadpwn vulnerability, the details of which have now been described in a blog post. During his presentation he discussed the discovery of this remote exploit, which works on Android and iOS. The attack targets the Broadcom BCM43xx Wi-Fi chipset and enables remote code execution in the application processor of vulnerable smartphones. Google and Apple have patched the vulnerability, CVE-2017-9417.
Artenstein explained that three requirements must be met before one can speak of a true remote exploit: no human interaction should be necessary, no assumptions should be made about the target system because little is known about it, and the system should remain as stable as possible after the exploit has run. Under these terms, he set out to find an exploit that would hit as many devices as possible.
Attacking the application processor directly is difficult. That is why the Exodus Intelligence researcher looked at two chips connected to the processor: the baseband and the Wi-Fi chip. These offer a route to attack the kernel. The problem with the baseband was that there is a lot of fragmentation between manufacturers, so a single bug has limited reach. He therefore focused on the Wi-Fi chipset, which in all cases comes from Broadcom. A convenient side effect is that the chip has no protective measures such as ASLR and DEP.
Another side effect was that part of Broadcom was recently acquired by Cypress, which made many specifications public. With the first of these requirements in mind, he set out to find an exploit that needed no interaction. He made use of the fact that a Wi-Fi device regularly broadcasts which access point it is looking for. Before a smartphone sets up a connection secured with WPA2, for instance, there is an association process that takes place without authentication. Authentication packets are used for this, and according to the researcher they had an interesting property: the packet contains a variable-length section in which information can be stored.
Thanks to a bug in a protocol for prioritising network traffic, he found that this section let him overflow a buffer on the chipset. The memory layout is determined during boot and is therefore static, which makes it easy to predict which part of memory the overflow will overwrite, even after a restart of the device. With some luck, it was eventually possible to find a way to deliver a payload and execute code. The only thing a victim notices is that the Wi-Fi icon disappears briefly; if the phone is in a pocket with Wi-Fi enabled, that will often go unnoticed.
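As an added illustration (not code from the talk or from Broadcom's firmware), the pattern the article describes: an information element in a management frame whose peer-chosen length byte drives a copy into a fixed-size buffer, beside a parser that bounds the copy by the destination and rejects truncated or oversized elements. The IE id, the 32-byte buffer and the sample frames are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 802.11 information elements are TLVs: 1-byte ID, 1-byte length, then up to 255 body bytes. */
#define IE_HDR_LEN   2
#define PRIO_IE_ID   0xDD  /* vendor-specific IE id; which IE carried the bug is assumed here */
#define PRIO_BUF_LEN 32    /* illustrative fixed-size firmware buffer, not Broadcom's real layout */

struct prio_params { uint8_t body[PRIO_BUF_LEN]; uint8_t len; }; /* hypothetical per-association state */
static struct prio_params g_parsed;                              /* output used by the checks */

/* Walk the frame body and return the first IE with the given id, or NULL.
 * An IE whose declared length runs past the end of the frame is rejected. */
static const uint8_t *find_ie(const uint8_t *frame, size_t frame_len, uint8_t id) {
    size_t off = 0;
    while (off + IE_HDR_LEN <= frame_len) {
        uint8_t ie_len = frame[off + 1];
        if (off + IE_HDR_LEN + ie_len > frame_len) return NULL;  /* truncated IE */
        if (frame[off] == id) return frame + off;
        off += IE_HDR_LEN + ie_len;
    }
    return NULL;
}

/* Length-trusting pattern from the article: the peer's length byte (0..255) decides how much would
 * be copied into a 32-byte buffer. No copy is done; it reports how many bytes would land past body[]. */
size_t bytes_past_buffer(const uint8_t *frame, size_t frame_len) {
    const uint8_t *ie = find_ie(frame, frame_len, PRIO_IE_ID);
    if (!ie) return 0;
    return ie[1] > PRIO_BUF_LEN ? (size_t)(ie[1] - PRIO_BUF_LEN) : 0;
}

/* Hardened parser: the copy is bounded by the destination and an oversized IE is rejected
 * outright instead of being truncated silently. Returns 0 on success, -1 otherwise. */
int parse_prio_params(const uint8_t *frame, size_t frame_len, struct prio_params *out) {
    const uint8_t *ie = find_ie(frame, frame_len, PRIO_IE_ID);
    if (!ie || ie[1] > PRIO_BUF_LEN) return -1;
    memcpy(out->body, ie + IE_HDR_LEN, ie[1]);
    out->len = ie[1];
    return 0;
}

/* Constructed sample frame bodies (not captured traffic). */
static const uint8_t kGoodFrame[] = { 0x00, 4, 't', 'e', 's', 't',        /* SSID IE */
                                      PRIO_IE_ID, 6, 1, 2, 3, 4, 5, 6 };  /* 6-byte prio IE */
static const uint8_t kOversizedFrame[2 + 64] = { PRIO_IE_ID, 64 };        /* 64 > 32, rest zero */
static const uint8_t kTruncatedFrame[] = { PRIO_IE_ID, 200, 1, 2, 3 };    /* claims 200 bytes */
```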
In this way, Artenstein was able to develop a worm that spreads from one infected device to the next. According to the researcher, it is the first real network worm in a long time.