Broadcom Wi-Fi Chips in Android Devices Vulnerable to Booby-Trapped Signals

A commonly used Broadcom Wi-Fi chip available for both Android devices and iPhones has been deemed vulnerable to a stack overflow bug that allows remote code execution with no user interaction, provided the attacker is within Wi-Fi distance.

Although the vulnerability was addressed by Apple in the iOS 10.3.1 update, the Android fix is not publicly available yet, but is contained in the latest binary drivers for Nexus devices. While only select Android devices have the fix so far, Google”s April Security Bulletin will contain the generally available fix.

By broadcasting booby-trapped Wi-Fi frames that contain irregular values, security researcher Gal Beniamini managed to trigger a stack overflow in Broadcom”s SoC firmware and write specific regions within memory with arbitrary shellcode. This would allow an attack to execute malicious code without triggering any warnings on the targeted device.

“Putting it all together we can now hijack a code chunk to store our shellcode, then hijack a timer to point it at our stored shellcode,” reads the research paper. “Once the timer expires, our code will be executed on the firmware!”

Security researcher Gal Beniamini from Project Zero believes the proof-of-concept was possible because of poor security mechanisms built into both hardware and software platforms, making the Broadcom Wi-Fi SoC a likely candidate to be exploited.

“We”ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security,” Beniamini writes. “Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection (by means of an MPU).”

While there”s currently no mitigation for affected Android devices, users are strongly encouraged to start installing the update as soon as it”s out. Broadcom has allegedly already been informed of the vulnerability and said newer versions of the chipset will employ additional and unspecified security mechanisms that will prevent such tampering.