Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets

[thiggins]

"Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."
https://blog.exodusintel.com/2017/07/26/broadpwn/

Note that patches have been issued by Google for Android and Apple for iOS.

Other coverage:
Broadcom chip bug opened 1 billion phones to a Wi-Fi-hopping worm attack

How To Check If Your Android Device Is Vulnerable To Broadpwn

 

[Deleted member 22229]

I have a older ipad that apple wont update im stuck with 9.3 firmware how do i find out if this device is affected ??

 

[sfx2000]

I have a older ipad that apple wont update im stuck with 9.3 firmware how do i find out if this device is affected ??

Yah, feel it - that old iPad, unless Apple releases an update... but not all are a problem here.

I'm more worried about the Raspbian RPi's at the moment - as many of them are deployed as IoT devices..

 

[RMerlin]

There's not enough details provided about this exploit to determine if it would affect other devices than the Android/iOS platforms mentioned so far. Could possibly be tied to specific driver releases, or when running in STA mode. Without any further info, it's pointless to start panicking.

 

[degrub]

what is STA mode ?

 

[thiggins]

The Exodus post cites specific BCM chip part numbers.

Look on ifixit for a teardown that should ID the WiFi chip.

 

[sfx2000]

There's not enough details provided about this exploit to determine if it would affect other devices than the Android/iOS platforms mentioned so far. Could possibly be tied to specific driver releases, or when running in STA mode. Without any further info, it's pointless to start panicking.

Apple patched the OSX drivers for the BCM4360 chips used in Macs... and provided updated drivers for Windows for BootCamp...

So this might be more than just Android/iOS...

 

[sfx2000]

The Exodus post cites specific BCM chip part numbers.

Look on ifixit for a teardown that should ID the WiFi chip.

Keeping in mind that many vendors use System in Package Modules -- so it might not be entirely obvious that there is a Broadcom wifi chip inside the module.

 

[Manny]

"Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."
https://blog.exodusintel.com/2017/07/26/broadpwn/

Note that patches have been issued by Google for Android and Apple for iOS.

Other coverage:
Broadcom chip bug opened 1 billion phones to a Wi-Fi-hopping worm attack

How To Check If Your Android Device Is Vulnerable To Broadpwn

I was wondering about this issue with the iPhone & iPad, I had everyone update there devices to iOS 10.3.3. I think that was the issue with someone getting in to my
RT-AC88U what do you think...

Thank You,

 

[Manny]

Is there a way to setup access the RT-AC88U wired LAN only?

Thank You,

 

[sfx2000]

Raspbian has updated firmware for Jessie...

the normal sudo apt-get update && sudo apt-get dist-upgrade will get the updated broadcom firmware for the bcm43143 wifi chip...

after a reboot... can confirm..

$ dmesg | grep brcmfmac
[    3.924654] brcmfmac: Firmware version = wl0: Aug  7 2017 00:46:29 version 7.45.41.46 (r666254 CY) FWID 01-f8a78378

Note - the updated broadcom wifi firmware is also included with the Raspbian Stretch release, but if one has jessie, the package update is good enough.