Android WiFi – Broadpwn
This was lifted and adapted from a podcast – It is rather disturbing news around WiFi vulnerabilities in Android devices. You need to patch your Android phone like yesterday…..
This week's horrific Android vulnerability, we have Broadpwn, which we don't know everything about, and we won't until Black Hat. But we know a lot. First of all, it's very worrisome, affecting, at least millions of Android and probably iOS devices. Unpatched Broadcom WiFi chips, the WiFi chip, which are used in both Android and iOS devices, are vulnerable to a bug that allows an attacker to execute code on those devices without any interaction needed from the user and, even worse, simply by being within radio range of any malicious WiFi access point. You don't even have to join it. You don't have to do anything. Your mobile device just has to receive its signal. A security researcher named Nitay Artenstein discovered and nicknamed the Broadcom firmware flaw Broadpwn. CVE number 2017-9417. He will be delivering the full presentation about Broadpwn at this year's Black Hat USA security conference at the end of the month. He responsibly disclosed the bug to Google, who already included it in the Android fix which was available in the July 5th Android security update. Although little public information is available yet, we know, and Artenstein has said, that Broadpwn affects millions of Android and iOS devices that use Broadcom's WiFi chips. The flaw is present in the firmware for a huge and old line of Broadcom. It's the BCM4300 family, or 43xx family of WiFi chips, which are included in an extraordinary range of mobile devices, including vendors Google with the Nexus line, Samsung, HTC, and LG. And then, after being made curious about this, another Android security expert reverse-engineered the July security patch from Google to dig out more details about Broadpwn. He determined that the bug appears to be a heap overflow in the Broadcom firmware. The researcher said that the exploitation occurs when the user's device receives a WME, which is a quality-of-service information element, with a malformed length from any network. Exploitation does not require user interaction. The victim needs only to enter into the WiFi range of an attacker's signal. Artenstein has confirmed that even connecting to a malicious network is not necessary. Not surprisingly, Google's security bulletin last week rated Broadpwn as critical. https://nvd.nist.gov/vuln/detail/CVE-2017-9417 https://www.bleepingcomputer.com/news/security/broadpwn-bug-affects-millions-of-android-and-ios-devices/