A security team from Google’s Project Zero has found several vulnerabilities on Broadcom’s Wi-Fi SoC, which affect most Android smartphones and tablets. Hackers can manipulate these vulnerabilities to gain code execution on the chip and eventually gain control of the device itself. Fortunately, the team has already worked with Broadcom to address these issues.
Fortunately, the team has already worked with Broadcom to address these issues.
In a two-part blog series, Google’s Project Zero team outlines the vulnerabilities presented by Broadcom’s Wi-Fi SoC, a chipset that is found inside a vast number of mobile devices: the majority of Nexus phones, most Samsung flagship devices as well as all recently-released iPhones. The team used a Nexus 6P running on Android 7.1.1 to demonstrate that while relatively complex, the Wi-Fi SoC’s security system is still susceptible to malicious exploits.
Essentially, the vulnerabilities allow outsiders to remotely gain code execution on the chip and into the operating system’s kernel. By feeding Wi-Fi frames with irregular values into the target device, the team created a stack overflow in the Broadcom firmware, making an opening to run arbitrary code on it. In other words, the team was able to perform a full device takeover by Wi-Fi proximity alone, requiring no user interaction, using the said full-fledged exploit.
The bottom line is that Broadcom’s Wi-Fi SoC lacked basic exploit mitigations such as stack cookies, safe unlinking, and access permission protection. However, Broadcom has worked with the Project Zero team to ensure that newer versions will utilize MPU as well as other hardware security mechanisms. According to the Project Zero blog post, Broadcom is also considering implementing exploit mitigations in future firmware versions.
As explained by Gal Beniamini, the blog post doesn’t have all the small details, so if you want the full exploit with detailed instructions, you can click here.