Broadcom chip bug opened 1 billion phones to a Wi-Fi-hopping worm attack

By | July 31st, 2017

Wi-Fi chips used in iPhones and Android may revive worm attacks of old.

At the Black Hat security conference, Artenstein demonstrated proof-of-concept attack code that exploited a vulnerability in Wi-Fi chips manufactured by Broadcom. It fills the airwaves with probes that request connections to nearby computing devices. When the specially devised requests reach a device using the BCM43xx family of Wi-Fi chipsets, the attack rewrites the firmware that controls the chip. The compromised chip then sends the same malicious packets to other vulnerable devices, setting off a potential chain reaction. Until Google and Apple issued patches, in early July and last week respectively, an estimated 1 billion devices were vulnerable to the attack. Artenstein has dubbed the worm “Broadpwn.”

Although the flaw is now closed, the hack has important lessons as engineers continue their quest to secure mobile phones and other computing devices. Security protections such as address space layout randomization and data execution prevention have now become standard parts of operating systems and apps. As a result, attackers have to work hard to exploit buffer overflows and other types of software vulnerabilities. That extra work largely makes self-replicating worms impossible. Artenstein’s exploit, however, suggests that such worms are by no means impossible.

Nisheeth Bhakuni