Hacker News
Broadpwn Bug Affects Millions of Android and iOS Devices (bleepingcomputer.com)
69 points by ivank on July 8, 2017 | 49 comments

> Users that didn't receive this month's Android security patch should only connect to trusted Wi-Fi networks

Turning off Wi-Fi before leaving home and office helps. Apparently few people do that. A customer in the tracking industry (beacons estimating people in stores) told me that about 80% leave Wi-Fi always on.

I hope I'll get that patch soon. The last update for my Sony phone was the security update of May. Nothing on June. I guess that most Androids didn't and won't get anything.

>told me that about 80% leave Wi-Fi always on

Which means 20% don't, which is suspiciously high considering how much of a hassle it is to turn wifi on/off. Then again, they could have unlimited data on their phones.

> how much of a hassle it is to turn wifi on/off

It's not a hassle at all. Pull down the notification shade, touch the wifi icon.

And then forget to ever turn it back on. And that only works on some phones anyway. On mine I have to go into settings.

Windows Phone has a "turn back on in X hours" option. Best microsoft idea ever...

Is this an iPhone thing? Android phones have had access to all the important settings from the pull down menu for years, and most recently you've been able to add many of the less common settings like casting and NFC.

I have a two year old android that doesn't have that either. I think it's just a Samsung feature. Or at least it varies by manufacturer.

All of my Sony phones (Xperia Z and Z5) have had it as well as all of the Nexus phones I've tested on. I think maybe Samsung was the first to include it, but it's standard now as far as I can tell on Android.

It was a Samsung feature for a long time but Google adopted it in Android 6.

I'm involved in the tracking industry. Where it used to be 70% of people trackable with WiFi we are now seeing >90%. This is in large cities in wealthy European countries.

Most power users run Tasker or similar apps to automate this sort of stuff on Android, so no hassle at all.

Maybe they just randomise the MAC addr of broadcast packets?

MAC address randomization must be implemented properly to be effective. This is not always the case (http://papers.mathyvanhoef.com/asiaccs2016.pdf)

You are actively encouraged to leave wifi on, on ios at least, to improve location accuracy.

Same on Android. In fact Android has a Location-feature called "Scanning" that allows apps and services to detect wifi networks at any time, even if you have your wifi disabled. Meaning you can turn wifi off but it will randomly turn it back on to help increase location accuracy. This feature is on by default.

I'm not one hundred percent certain, but I'm not aware of any Sony phones using Broadcom chipsets? Every Sony phone I'm aware of uses Qualcomm or the like.

Every American phone (except the iphone) uses a Qualcomm SOC due to some anticompetitive practices on their part. That might be why it seems that way. I'm quite certain Sony makes a phone that doesn't but it's only sold in Europe or so.

Interesting - I didn't know that. Can you elaborate?

Llama may be useful for that on Android - able to perform actions including turning wifi on and off by location.

... and IFTTT, Tasker, and any number of automation apps that require the user to both be aware of and be bothered to set up correctly.

Developer preview 3 of Android O includes a great option in WiFi settings to automatically turn WiFi back on when you are in a location where you've connected to a 'high quality' WiFi network before (such as home or work), though I've not dug deep enough to find out what constitutes high quality, and it doesn't appear to be paired with a converse option to turn it off elsewhere.

I thought about mentioning Tasker and others, but those feel to me more like programming options with which you can achieve the goal, where Llama and some other apps are a bit more focused just on the question of wifi.

It's also a huge waste of battery to leave on.... not sure why more people don't disable Wi-Fi.

Is this true? I'd always been under the (unsourced) assumption that the Wi-Fi radio was more power-efficient and it was better to use that than 3G/4G/LTE.

When you are using 3G/4G, and not connected to Wifi, your phone still checks all the Wifi access points continuously. When you know for yourself you don't connect to an access point at that location, there is no point in having your phone search for one. You can save on battery there.

A personal experience from me (anecdotal)... I was using Wifi from my cable provider that is available all over town. But that means when going into town, I am jumping from one access point to another, sometimes with good and bad connections. My experience was that a battery charge didn't last that long. Disabling that access point on my phone made the battery charge last much longer.

Because it's yet another thing to remember to turn on and off... I already have to turn off location so Google isn't tracking me all the time.

For tiny values of huge

> BCM43xx family of Wi-Fi chips included in "an extraordinarily wide range of mobile devices" from vendors such as Google (Nexus), Samsung, HTC, and LG.

It would be great if there were a published list of exactly which devices are vulnerable, or a way to check your device for whether this part was present. Is there anything like 'adb shell lspci' I could run to find out whether my devices have the broadcom parts? I know my Nexus 5x has a QCOM SoC, so I assume it lacks broadcom WiFi. But the rest of the family's devices -- what of those?

On any device that isn't obscure, iFixit does a teardown detailing most of the parts on the board.

A lot of vendors have multiple designs hiding under the same model, either through time (e.g., PS3 and Xbox 360 each had something like 5 revisions with different chipsets, not all were accompanied by a change in box design), or just sharding - the iPhone 6 had two different models at the same time (one Broadcom and one Qualcomm IIRC) because they couldn't or wouldn't source the quantities they needed from just one source.

iFixit is nice, but it is not an answer to the request made by GP (an answer to which would be useful).

Samsung are pretty notorious for this. Most of their phones come in many different models for different markets, from a quick google, both the S7 and S7 Edge have 14 different variants each. Some have different CPUs, many have differing internal parts, etc. It's a minefield.

[1] http://techbeasts.com/list-of-samsung-galaxy-s7-s7-edge-mode...

There are always corner cases. Most phones definitely have the same chipsets, with the exact same parts.

If you are looking for details directly from the device there are various commands to get info like dmesg, getprop. There are other ways (recommended if you have time and patience), like going into /sys/devices, but I really believe it is very common to have the same parts for a single mobile device (I think Apple did it because of production problems).
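An added example, not from any commenter in the thread, putting the dmesg/getprop suggestion above into a script that answers the earlier "does my device have the Broadcom part?" question. It greps a dump of device output for Broadcom indicators (the bcmdhd/brcmfmac driver names, BCM43xx chip strings, and the Broadcom SDIO and PCI vendor IDs 0x02d0 and 0x14e4 as sysfs prints them) before falling back to Qualcomm indicators, because a Qualcomm SoC can be paired with a discrete Broadcom Wi-Fi chip, so the SoC vendor alone does not settle it. The sample dumps are constructed for illustration, not captured from real phones; on a real device, capture the adb output listed in the comments and pipe it in on stdin.

```shell
#!/bin/sh
# Added example: heuristics for telling whether an Android device's Wi-Fi
# part is Broadcom, from text the device exposes over adb. On a real device
# capture the live output and feed it to classify_wifi_dump on stdin:
#
#   adb shell getprop | grep -iE 'wifi|wlan'
#   adb shell cat /sys/class/net/wlan0/device/vendor   # SDIO/PCIe parts only
#   adb shell ls /sys/module                            # built-in/loaded drivers
#   adb shell dmesg                                     # usually needs root
#
# Broadcom vendor IDs as sysfs prints them: SDIO 0x02d0, PCI/PCIe 0x14e4.
# Driver names: bcmdhd (vendor "Dongle Host Driver") and brcmfmac (upstream).
BCM_PATTERN='bcmdhd|brcmfmac|dongle host driver|bcm43[0-9]{2}|chip:0x43|0x02d0|0x14e4'
# Qualcomm-side indicators; only consulted after the Broadcom ones fail,
# since a Qualcomm SoC says nothing about which Wi-Fi chip sits beside it.
QCOM_PATTERN='qca|wcnss|cnss|ath10k|wlan_hdd'

# classify_wifi_dump: read a dump on stdin, print broadcom|qualcomm|unknown.
classify_wifi_dump() {
  dump=$(cat)
  if printf '%s\n' "$dump" | grep -qiE "$BCM_PATTERN"; then
    echo broadcom
  elif printf '%s\n' "$dump" | grep -qiE "$QCOM_PATTERN"; then
    echo qualcomm
  else
    echo unknown
  fi
}

# Constructed sample dumps (illustrative, not captured from real devices).
SAMPLE_BCM='[    3.412] dhd_module_init: in Dongle Host Driver, version 1.201.59
[    3.520] F1 signature OK, socitype:0x1 chip:0x4358 rev:0x3 pkg:0x0
wifi.interface=wlan0
/sys/class/net/wlan0/device/vendor: 0x02d0'

SAMPLE_QCOM='[    2.901] wlan: loading driver v4.4.25
[    2.955] wcnss_wlan probed in built-in mode
ro.board.platform=msm8992
wifi.interface=wlan0'

SAMPLE_NONE='wifi.interface=wlan0
ro.build.version.security_patch=2017-05-05'

for s in "$SAMPLE_BCM" "$SAMPLE_QCOM" "$SAMPLE_NONE"; do
  printf '%s\n' "$s" | classify_wifi_dump
done
```

A "broadcom" result only says the part is present; whether the firmware actually carries the bug still depends on the firmware build the vendor shipped, which is why the patch level (ro.build.version.security_patch) is worth capturing alongside.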

> The attacker doesn't need any user interaction to exploit the feature. A victim only needs to walk into the attacker's Wi-Fi network range.

> In its security bulletin, Google rated Broadpwn as a "medium" severity issue, meaning the company doesn't view it as a dangerous vulnerability, such as Stagefright.

Wait, really?

Just guessing here but if it is true that you need to be connected to the rogue network for this flaw to be exposed, that could knock the severity down a notch. Like the difference between a pre-auth attack and an attack requiring authorized access.

> Artenstein has later confirmed on Twitter that connecting to a malicious network is not necessary.

> Users that didn't receive this month's Android security patch should only connect to trusted Wi-Fi networks and disable any "Wi-Fi auto-connect" feature, if using one.

What is the point of the second statement?

Perhaps the auto-connect feature is what makes "connecting to a malicious network [not] necessary." It's easy to dismiss that second clause, but my guess is that it does some sort of network ping that opens itself up to the attack.

From what I can gather from a quick look at the 802.11e QoS spec* this is pretty much spot on. Many wireless clients (e.g. many phones) ping in order to discover networks faster than the access point's broadcast interval and to connect to 'hidden' APs that might not broadcast. In response, a malformed WME packet could be sent that the wireless chipset would listen to and parse.

*I am definitely not deeply familiar with WME.

Apple patched it in iOS 10.3.1 according to this report: http://cert.europa.eu/static/SecurityAdvisories/2017/CERT-EU...

From what I can tell that is unfortunately not correct.

Broadpwn is another serious Broadcom WiFi security bug, different from the bugs patched when Google Project Zero revealed their research in April.

More details as well as how to trigger the bug and what devices have been tested against it: http://boosterok.com/blog/broadpwn/

We will know a lot more after @nitayart presents at BlackHat.

“There is no information on the status of this bug for iOS devices.”

That slightly contradicts the headline.

But indeed, only slightly. The title comes from a quote by the security researcher who discovered the bug. I'm guessing the lack of information is about whether or not anything has been done to patch the hole - my guess is that this bug, unless specifically protected against, affects the OS using the chip.

iOS does a lot to treat the networking stack and its third-party firmware code as untrusted, and limit its exposure as much as possible. So it sounds like the exploit can get to the Broadcom chip on iPhones but can’t pivot to the OS from there. Hooray for defense in depth!

Eeem... could you provide some sources on that or is it just speculation on your part?

You know it affects Android but you only suspect it might affect iOS. That headline is misleading. "The researcher specifically points the finger at the Broadcom BCM43xx family of Wi-Fi chips included in "an extraordinarily wide range of mobile devices" from vendors such as Google (Nexus), Samsung, HTC, and LG." is missing one rather obvious vendor.

To be fair, Apple does its best to keep users in the dark in these matters. Every OS release is full of security fixes they don't tell you about.

Given Apple's history with wifi exploits there is a reasonable chance they are vulnerable.

What about laptops with Broadcom Wi-Fi?

I wonder if they're patching the firmware or just the Linux driver for the chip.

Funny that Broadcom's Wifi business was just sold to Cypress last year.
