Only the beginning: the Wi-Fi SoC is just one attack surface in a smartphone
Posted on 04/04/2017 6:33:53 PM PDT by markomalley
Yesterday, Apple rushed out an emergency patch to plug a severe security hole that can be exploited to wirelessly and silently commandeer iPhones, iPads and iPods.
Now we know why: this remote-code execution vulnerability lies in Broadcom's Wi-Fi stack, which Apple uses in its handhelds. Many other handsets also use Broadcom's naff chipset, and, as a result, we expect – and hope – a lot of other phone and tablet makers push out patches: any gadget using Broadcom's vulnerable tech is at risk to over-the-air hijacking, not just Apple's iThings.
Here's a summary of the work by Google Project Zero's Gal Beniamini: the firmware running on Broadcom's wireless system-on-chip (SoC) can be tricked into overrunning its stack buffers. He was able to send carefully crafted wireless frames, with abnormal values in the metadata, to the Wi-Fi controller to overflow the firmware's stack, and combine this with the chipset's frequent timer firings to gradually overwrite specific chunks of device RAM until arbitrary code is executed.
In other words, an attacker simply needs to be within Wi-Fi range to silently take over an at-risk Apple or Android device. Beniamini today detailed his research in this epic 8,500-word blog post.
What he found is that Broadcom's "firmware implementation ... lags behind in terms of security. Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection."
Android devices that use Broadcom's crappy SoC software include the Nexus 5, 6 and 6P, most Samsung flagship devices, plus all iPhones since the iPhone 4 and newer iPods and iPads: these will all need patching as soon as updates are available. The proof-of-concept exploit detailed in the blog post was successfully performed on an up-to-date Nexus 6P running Android 7.1.1 version NUF26K.
Project Zero didn't go to work as a hit job on Broadcom, Beniamini says. Rather, most vulnerability research focuses on application processors. Peripherals like Broadcom's Wi-Fi SoC don't get the same degree of scrutiny, and Broadcom is the nine-hundred-pound gorilla in the business.
Only the beginning: the Wi-Fi SoC is just one attack surface in a smartphone
After a lot of work to extract and analyse the chip's firmware – the blog post thanks various peeps for their assistance – and identify the Wi-Fi handling code in the binary image, Beniamini settled on Broadcom's implementation of tunneled direct link setup (TDLS).
Published as a standard in 2011 and given Wi-Fi Alliance certification in 2012, TDLS lets devices exchange data as peers, without passing data through an access point, as long as they're both associated with the same access point – for example, to send video from a phone to a Chromecast without clogging up the rest of the network.
TDLS has two characteristics that make it an attractive attack vector:
It turned out that TDLS frames had fields that could cause the firmware to overrun its buffers. "Putting it all together we can now hijack a code chunk to store our shellcode, then hijack a timer to point it at our stored shellcode. Once the timer expires, our code will be executed on the firmware," Beniamini explained.
Beniamini has promised a followup post explaining how to escalate the injected code from running on the SoC to running on the main application processor.
Broadcom said its latest firmware now uses the Wi-Fi SoC's ARM Cortex R4 core's builtin memory protection mechanisms to prevent code running from the stack. These mechanisms were effectively disabled on the versions probed by Beniamini, and all memory was marked as readable, writeable and executable, rendering exploitation easy peasy.
Broadcom added that it is "considering implementing exploit mitigations in future firmware versions." ®
ping!
Thanks to BullDog108 for the heads up on this article.
Pinging ThunderSleeps and dayglored because this is not only an Apple issue as many devices also use Broadcom WIFI chips.
The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.
If you want on or off the Mac Ping List, Freepmail me
A purposefully undefended system (can you guess why?) and a decades old attack vector yields root.
Shocking, shocking!
The linked article is most interesting.
It seems like TDLS has to be carefully implemented. The standard put in all sorts of checks to make sure the devices establishing a TDLS connection were on the same network, but it seems like this vendor left in code that allows send a tunneled probe request without even having a TDLS connection. That was probably for convenience in debugging, but when you move something to production you’re supposed to take these hooks out.
Looking at the overall architecture described in the article, it looks pretty much like a kludge. They probably had multiple programmers working on it, and had to allow executable code in the stack to maintain memory-management discipline among the team.
‘Production’ environments (outside of specialized domains) have been In Name Only for close to a decade.
He who shoves crap out fastest in two week (or less) sprints is now winner.
If the patch is available for iPhone 5 and newer, does that mean the iPhone 4 is safe?
Hubby has one and has no desire for a newer phone.
That's how I read it. "...all iPhones since the iPhone 4..." are vulnerable.
They keep writing programs and writing programs and never get it quite right. Let’s hope the people who write programs for what is called “artificial intelligence “ have more talent than that.
I haven’t a clue what any of that means——but I have an IPod.
Oh well.
.
Thanks for the heads up. Alas, if only there was still a viable "Windows Phone". :-)
Steve Ballmer is very wealthy. Other than that, I can't imagine any positive attribute about the man.
This is what I found, buried in the link.
“The bug affected iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later.”
So I reckon his is okay, which is good, since he’s still pissed off about the iOS 6 update which ‘messed up’ his phone and I don’t want to have to argue him into updating it ever again.
My crappy old iPad 2 is not on the list, either, I see.
Yeah, I've got an old iPad 2 also. Quite a nice instrument in its day, cell radio, 32GB... I have used it extensively and pretty much daily since I got it in late 2011. It doesn't owe me anything at this point; it has served well.
OTOH, it has gotten noticeably slower, and I don't think it's just that I've gotten used to the faster speed of my iPhone 5c. It seems like it takes -much- longer to switch apps and bring up web pages (even FR's simple text), and there are more and more sites that cause Safari to lock up or show the dreaded "There was an error with the page and it is being reloaded". Granted, most of the other apps are still okay.
So I'm not ready to replace it -- it still works well enough for late-night FReeping, email, and the occasional round of Angry Birds. :-)
Forbes says take a deep breath everyone, this is a minor point upgrade and unless you work in a high security environment you can wait 24 to 48 hours for the dust to settle.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.