
Broadpwn Bug Affects Millions of Android and iOS Devices - ivank
https://www.bleepingcomputer.com/news/security/broadpwn-bug-affects-millions-of-android-and-ios-devices/
======
pmontra
> Users that didn't receive this month's Android security patch should only
> connect to trusted Wi-Fi networks

Turning off Wi-Fi before leaving home and office helps. Apparently few people
do that. A customer in the tracking industry (beacons estimating people in
stores) told me that about 80% leave Wi-Fi always on.

I hope I'll get that patch soon. The last update for my Sony phone was the
security update of May. Nothing in June. I guess that most Androids didn't and
won't get anything.

~~~
gruez
>told me that about 80% leave Wi-Fi always on

Which means 20% don't, which is suspiciously high considering how much of a
hassle it is to turn Wi-Fi on/off. Then again, they could have unlimited data
on their phones.

~~~
baybal2
Maybe they just randomise the broadcast packets' MAC addr?

~~~
fstephany
MAC address randomization must be implemented properly to be effective. This
is not always the case
([http://papers.mathyvanhoef.com/asiaccs2016.pdf](http://papers.mathyvanhoef.com/asiaccs2016.pdf))

------
wyldfire
> BCM43xx family of Wi-Fi chips included in "an extraordinarily wide range of
> mobile devices" from vendors such as Google (Nexus), Samsung, HTC, and LG.

It would be great if there were a published list of exactly which devices are
vulnerable, or a way to check your device for whether this part was present.
Is there anything like 'adb shell lspci' I could run to find out whether my
devices have the broadcom parts? I know my Nexus 5x has a QCOM SoC, so I
assume it lacks broadcom WiFi. But the rest of the family's devices -- what of
those?

~~~
ktta
On any device that isn't obscure, iFixit does a teardown detailing most of the
parts on the board.

~~~
beagle3
A lot of vendors have multiple designs hiding under the same model, either
through time (e.g., the PS3 and Xbox 360 each had something like 5 revisions
with different chipsets, and not all were accompanied by a change in box
design), or just sharding - the iPhone 6 had two different models at the same
time (one Broadcom and one Qualcomm IIRC) because they couldn't or wouldn't
source the quantities they needed from just one source.

iFixit is nice, but it is not an answer to the request made by GP (an answer
to which would be useful).

~~~
hrrsn
Samsung are pretty notorious for this. Most of their phones come in many
different models for different markets, from a quick google, both the S7 and
S7 Edge have 14 different variants each. Some have different CPUs, many have
differing internal parts, etc. It's a minefield.

[1] [http://techbeasts.com/list-of-samsung-galaxy-s7-s7-edge-model-numbers/](http://techbeasts.com/list-of-samsung-galaxy-s7-s7-edge-model-numbers/)
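wyldfire's question above (is there an `adb shell lspci` equivalent?) and the replies about multiple hardware variants per model name point the same way: ask the unit in your hand rather than a teardown of the model. The script below is an added example for this thread, not from the article or any vendor tool. It reads the driver names the kernel exposes under `/sys/module` and the Wi-Fi related system properties over adb, and it can be exercised offline on the constructed sample output embedded at the bottom. Assumptions: adb is on PATH with USB debugging enabled, the kernel lists its Wi-Fi driver under `/sys/module` even when it is built in (the case for drivers that have module parameters), and the name-to-vendor table is a best-effort list, not an authoritative one.

```python
"""Query an attached Android device for its Wi-Fi driver and patch level.

Added example for this thread (not from the article or any vendor tool).
Assumptions: adb is on PATH, USB debugging is enabled, the kernel lists
its Wi-Fi driver under /sys/module even when built in, and the
name-to-vendor table below is a best-effort list, not an authoritative one.
"""
import json
import subprocess
import sys

# Driver/module names to vendor.  Assumed, non-exhaustive mapping for this
# example; extend it for the devices you actually manage.
WIFI_MODULE_VENDORS = {
    "bcmdhd": "Broadcom (dhd driver, BCM43xx family)",
    "dhd": "Broadcom (dhd driver)",
    "brcmfmac": "Broadcom (upstream FullMAC driver)",
    "wlan": "Qualcomm (prima/qcacld)",
    "ath6kl_sdio": "Qualcomm Atheros",
    "wlcore": "Texas Instruments",
    "mwifiex": "Marvell",
}

# Substrings of property names whose values help identify board and patch state.
PROP_KEYS = ("wifi", "wlan", "ro.hardware", "ro.product.model", "security_patch")


def adb(*args, serial=None):
    """Run an adb command and return its stdout (raises on a non-zero exit)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + list(args)
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def classify_modules(listing):
    """Map an `ls /sys/module` listing to the Wi-Fi vendors it implies."""
    return {name: WIFI_MODULE_VENDORS[name]
            for name in listing.split() if name in WIFI_MODULE_VENDORS}


def wifi_properties(getprop_output):
    """Keep the `[key]: [value]` lines from `getprop` that matter here."""
    hints = {}
    for line in getprop_output.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, _, value = line[1:-1].partition("]: [")
        if any(fragment in key for fragment in PROP_KEYS):
            hints[key] = value
    return hints


def report(serial=None):
    """Collect both views from a live device."""
    return {
        "wifi_drivers": classify_modules(adb("shell", "ls", "/sys/module", serial=serial)),
        "properties": wifi_properties(adb("shell", "getprop", serial=serial)),
    }


# Constructed sample output, so the parsing can be exercised without a device.
SAMPLE_SYS_MODULE = "bcmdhd\nbinder\ncfg80211\nlowmemorykiller\nxt_qtaguid\n"
SAMPLE_GETPROP = """\
[ro.hardware]: [exampleboard]
[ro.product.model]: [Example Phone]
[ro.build.version.security_patch]: [2017-06-05]
[wifi.interface]: [wlan0]
[wlan.driver.status]: [ok]
[dalvik.vm.heapsize]: [512m]
"""


def demo():
    """Run both classifiers over the constructed sample output."""
    return {"wifi_drivers": classify_modules(SAMPLE_SYS_MODULE),
            "properties": wifi_properties(SAMPLE_GETPROP)}


if __name__ == "__main__":
    # No arguments: use the samples.  `--device [SERIAL]`: talk to a real phone.
    if len(sys.argv) > 1 and sys.argv[1] == "--device":
        print(json.dumps(report(sys.argv[2] if len(sys.argv) > 2 else None), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

A hit on `bcmdhd` tells you the device runs Broadcom's FullMAC driver, i.e. a Broadcom chip executing its own firmware, but not which BCM43xx part or firmware build it carries; on dhd-based devices the firmware path is usually a module parameter (assumed location: `/sys/module/bcmdhd/parameters/firmware_path`), and the filename there often names the chip. The `ro.build.version.security_patch` value is what the article's "this month's patch" advice turns on, so compare it against the bulletin that carries the fix for your device.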

------
vvanders
> The attacker doesn't need any user interaction to exploit the feature. A
> victim only needs to walk into the attacker's Wi-Fi network range.

> In its security bulletin, Google rated Broadpwn as a "medium" severity
> issue, meaning the company doesn't view it as a dangerous vulnerability,
> such as Stagefright.

Wait, really?

~~~
wglb
Just guessing here but if it is true that you need to be connected to the
rogue network for this flaw to be exposed, that could knock the severity down
a notch. Like the difference between a pre-auth attack and an attack requiring
authorized access.

------
Black-Plaid
> Artenstein has later confirmed on Twitter that connecting to a malicious
> network is not necessary.

> Users that didn't receive this month's Android security patch should only
> connect to trusted Wi-Fi networks and disable any "Wi-Fi auto-connect"
> feature, if using one.

What is the point of the second statement?

~~~
swsieber
Perhaps the auto-connect feature is what makes "_connecting to a malicious
network [not] necessary._" It's easy to dismiss that second clause, but my
guess is that it does some sort of network ping that opens itself up to the
attack.

~~~
jwfxpr
From what I can gather from a quick look at the 802.11e QoS spec* this is
pretty much spot on. Many wireless clients (e.g. many phones) ping in order to
discover networks faster than the access point's broadcast interval and to
connect to 'hidden' APs that might not broadcast. In response, a malformed WME
packet could be sent that the wireless chipset would listen to and parse.

*I am definitely not deeply familiar with WME.
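The comment above sketches the mechanism: the client "ping" is an 802.11 probe request, the access point answers with a probe response, and the chip parses the information elements in that answer, the WMM/WME parameter element among them. The article does not publish the bug's details, and the code below is not the Broadpwn bug and not Broadcom's firmware. It is an added example for this thread showing where the WMM parameter element sits among the information elements of a probe response and the two length checks a receiver needs before touching its fields: one against the end of the frame, one against the element's fixed 24-byte layout. The frame bodies at the bottom are constructed for the example.

```python
"""Bounds-checked walk over 802.11 information elements (IEs), with a
parser for the WMM/WME parameter element found in probe responses.

Added example for this thread.  It is not Broadcom's firmware code and not
the Broadpwn bug; it only shows the parse surface the comment above points
at and the checks a receiver needs.  Frame bodies below are constructed.
"""
import struct

WMM_OUI = b"\x00\x50\xf2"        # Microsoft OUI carried by WMM elements
WMM_OUI_TYPE = 0x02              # OUI type for WMM/WME
WMM_PARAM_SUBTYPE = 0x01         # subtype 1 = WMM Parameter element
# OUI(3) + type(1) + subtype(1) + version(1) + QoS info(1) + reserved(1)
# + four 4-byte AC parameter records = 24 bytes, fixed by the WMM spec.
WMM_PARAM_LEN = 24
EID_SSID, EID_DS_PARAM, EID_VENDOR = 0x00, 0x03, 0xDD


class MalformedFrame(ValueError):
    """Raised instead of reading past the end of the frame or element."""


def iter_ies(body):
    """Yield (element id, payload) pairs, refusing any IE that overruns the body."""
    pos, n = 0, len(body)
    while pos < n:
        if pos + 2 > n:
            raise MalformedFrame(f"truncated IE header at offset {pos}")
        eid, length = body[pos], body[pos + 1]
        start, end = pos + 2, pos + 2 + length
        if end > n:                       # first check: declared length vs. frame
            raise MalformedFrame(f"IE {eid:#04x} claims {length} bytes, {n - start} remain")
        yield eid, body[start:end]
        pos = end


def parse_wmm_param(payload):
    """Decode a vendor-specific IE payload if it is a WMM Parameter element.

    Returns None for any other vendor element; raises for a WMM Parameter
    element whose length does not match its fixed layout."""
    if len(payload) < 5 or payload[:3] != WMM_OUI or payload[3] != WMM_OUI_TYPE:
        return None
    if payload[4] != WMM_PARAM_SUBTYPE:   # e.g. the 7-byte WMM Information element
        return None
    if len(payload) != WMM_PARAM_LEN:     # second check: fixed-size body
        raise MalformedFrame(f"WMM parameter element is {len(payload)} bytes, expected {WMM_PARAM_LEN}")
    version, qos_info = payload[5], payload[6]
    acs = {}
    for i, name in enumerate(("BE", "BK", "VI", "VO")):
        aci_aifsn, ecw, txop = struct.unpack_from("<BBH", payload, 8 + 4 * i)
        acs[name] = {
            "aifsn": aci_aifsn & 0x0F,
            "acm": bool(aci_aifsn & 0x10),
            "ecw_min": ecw & 0x0F,
            "ecw_max": ecw >> 4,
            "txop_limit": txop,           # in units of 32 microseconds
        }
    return {"version": version, "qos_info": qos_info, "ac": acs}


def parse_probe_response_ies(body):
    """Pull SSID, channel and WMM parameters out of a probe response IE block."""
    result = {"ssid": None, "channel": None, "wmm": None}
    for eid, payload in iter_ies(body):
        if eid == EID_SSID:
            result["ssid"] = payload.decode("utf-8", "replace")
        elif eid == EID_DS_PARAM and len(payload) == 1:
            result["channel"] = payload[0]
        elif eid == EID_VENDOR:
            wmm = parse_wmm_param(payload)
            if wmm is not None:
                result["wmm"] = wmm
    return result


def is_well_formed(body):
    """True if the IE block parses without any overrun."""
    try:
        parse_probe_response_ies(body)
        return True
    except MalformedFrame:
        return False


# Constructed sample: SSID, supported rates, DS parameter (channel 6) and a
# WMM Parameter element carrying the usual default AC values.
GOOD_BODY = (
    bytes([EID_SSID, 4]) + b"test"
    + bytes([0x01, 4, 0x82, 0x84, 0x8B, 0x96])
    + bytes([EID_DS_PARAM, 1, 6])
    + bytes([EID_VENDOR, WMM_PARAM_LEN]) + WMM_OUI
    + bytes([WMM_OUI_TYPE, WMM_PARAM_SUBTYPE, 0x01, 0x80, 0x00])
    + bytes([0x03, 0xA4, 0x00, 0x00])     # AC_BE: AIFSN 3, ECWmin 4, ECWmax 10
    + bytes([0x27, 0xA4, 0x00, 0x00])     # AC_BK: AIFSN 7
    + bytes([0x42, 0x43, 0x5E, 0x00])     # AC_VI: TXOP limit 0x5E
    + bytes([0x62, 0x32, 0x2F, 0x00])     # AC_VO: TXOP limit 0x2F
)
# Same frame cut five bytes short: the WMM IE's declared length overruns the body.
TRUNCATED_BODY = GOOD_BODY[:-5]
# A WMM Parameter element that fits in the frame but is too short for its layout.
SHORT_WMM_BODY = (bytes([EID_SSID, 4]) + b"test"
                  + bytes([EID_VENDOR, 8]) + WMM_OUI
                  + bytes([WMM_OUI_TYPE, WMM_PARAM_SUBTYPE, 0x01, 0x80, 0x00]))

if __name__ == "__main__":
    print(parse_probe_response_ies(GOOD_BODY))
    for label, body in (("truncated", TRUNCATED_BODY), ("short WMM", SHORT_WMM_BODY)):
        print(label, "rejected" if not is_well_formed(body) else "accepted")
```

The point of the two separate checks is that the generic TLV walk only proves an element fits inside the frame; a fixed-layout element like the WMM parameter set still needs its own size check before any field offset is dereferenced, and a parser that trusts the declared length for either step reads attacker-controlled bytes from an unsolicited probe response.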

------
kalmi10
Apple patched it in iOS 10.3.1 according to this report:
[http://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU-SA2017-008.pdf](http://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU-SA2017-008.pdf)

~~~
osivertsson
From what I can tell that is unfortunately not correct.

Broadpwn is another serious Broadcom WiFi security bug, different from the
bugs patched when Google Project Zero revealed their research in April.

------
Kikawala
More details as well as how to trigger the bug and what devices have been
tested against it:
[http://boosterok.com/blog/broadpwn/](http://boosterok.com/blog/broadpwn/)

We will know a lot more after @nitayart presents at BlackHat.

------
robin_reala
“There is no information on the status of this bug for iOS devices.”

That slightly contradicts the headline.

~~~
Analemma_
iOS does a lot to treat the networking stack and its third-party firmware code
as untrusted, and limit its exposure as much as possible. So it sounds like
the exploit can get to the Broadcom chip on iPhones but can’t pivot to the OS
from there. Hooray for defense in depth!

~~~
izacus
Eeem... could you provide some sources on that or is it just speculation on
your part?

------
coldcode
You know it affects Android but you only suspect it might affect iOS. That
headline is misleading. "The researcher specifically points the finger at the
Broadcom BCM43xx family of Wi-Fi chips included in "an extraordinarily wide
range of mobile devices" from vendors such as Google (Nexus), Samsung, HTC,
and LG." is missing one rather obvious vendor.

~~~
bostand
To be fair, Apple does its best to keep users in the dark in these matters.
Every OS release is full of security fixes they don't tell you about.

Given Apple's history with Wi-Fi exploits there is a reasonable chance they are
vulnerable.

------
floatboth
What about laptops with Broadcom Wi-Fi?

------
swiley
I wonder if they're patching the firmware or just the Linux driver for the
chip.

------
jmole
Funny that Broadcom's Wifi business was just sold to Cypress last year.

