Broadpwn is a vulnerability in the Broadcom Wi-Fi chip that allows a hacker in Wi-Fi range of the device to intercept the network scanning signal, use that information to gain elevated privileges and potentially inject code into the main processor to take over the device. Over two years ago Skycure discovered No iOS Zone, a completely different proximity attack against iOS devices. In the case of No iOS Zone, the exploit came from a malicious router, causing the device to continually reboot, rendering it unusable. To recover from No iOS Zone, the victim must simply move away from the router. However, in the case of Broadpwn, once infected, only an OS update (to iOS 10.3.3 or later) can recover the device. Note that certain Android devices were susceptible as well, but a patch was issued earlier in the month.
We recently released our quarterly Mobile Threat Intelligence Report, which focused on iOS in celebration of 10 years of the iPhone and detailed the colorful history of hacking the platform, yet many still insist security precautions are not necessary for iOS devices. In spite of the inherently secure design of the platform, enterprise IT security admins know better than to assume that flaws can no longer be found, and Broadpwn seems to arrive just to prove that point. This time, the iOS software is not at all to blame, but that has always been only one entry point. A flawed Wi-Fi chip is clearly another way into the system, and it is still part of the device. Enterprises must pay particular attention to these types of exploits because a compromised device may go unnoticed, providing an attacker with unrestricted access to corporate secrets and communications.
An attacker wishing to take advantage of the Broadpwn vulnerability would simply need to position themselves in a highly trafficked area, such as Times Square, one of the Top 15 Most Dangerous Spots for Wi-Fi Security, to find plenty of victims (The Today Show coverage here). For a targeted attack, knowing a victim’s intended location may be sufficient to trap a specific person. A more flexible version of this exploit could be accomplished by setting up Wi-Fi routers with the exploit built in, so that the attacker does not need to be present for every infection. Note that the user does not need to do anything specific to get infected – the phone just needs to be searching for a network to connect to. The exploit seems to take advantage of the emergency calling capability built into the Wi-Fi chip, which is designed specifically to provide communication access without logging into the device.
Stealth injection of code into the kernel is a very dangerous exploit, as it can provide unlimited access and control for the attacker, and most security products will not be able to detect it, potentially leaving the device vulnerable for long periods. Fortunately, Broadpwn was discovered by white hat researcher Nitay Artenstein of Exodus Intelligence, and not by someone with malicious intent. That means that most are hearing about this after Apple has already patched the vulnerability, and there are no known malicious exploits. If you will be at Black Hat this week, you can see Nitay’s Broadpwn presentation on Thursday.
Anyone who is staying up to date with their iOS security updates should be safe from Broadpwn, since iOS 10.3.3 is available and patches the vulnerability. However, now that the CVE is published, attackers could create an exploit to attack anyone who has not applied the update. Since I have Skycure on my device, I knew about the security update several days before friends of mine got their Apple notifications, providing me with greater protection from such risks.
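As an added illustration of the "stay up to date" point (example code written for this post, not part of Skycure's product or the original article), the script below checks a device inventory against the iOS release that patches Broadpwn and lists the devices that still need the update. The inventory records are constructed sample data, and the field names `name` and `os_version` are assumptions rather than any real MDM export format; the one thing worth noticing is that version strings must be compared component by component, because a plain string comparison would rank "10.10" below "10.3.3".

```python
# Added example (not from the original post): a fleet compliance check that
# flags iOS devices still below the release that patches Broadpwn.
# The inventory below is constructed sample data; the field names
# "name" and "os_version" are assumptions, not a real MDM export format.

MIN_PATCHED_IOS = "10.3.3"  # iOS release cited in the post as patching Broadpwn

SAMPLE_INVENTORY = [  # constructed sample records
    {"name": "ceo-iphone", "os_version": "10.3.3"},
    {"name": "sales-ipad", "os_version": "10.3.2"},
    {"name": "dev-iphone", "os_version": "10.10"},   # newer than 10.3.3 despite string order
    {"name": "loaner-ipad", "os_version": "9.3.5"},
    {"name": "test-iphone", "os_version": "11.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '10.3.3' into (10, 3, 3) so each component compares numerically.

    A plain string comparison would wrongly rank '10.10' below '10.3.3'.
    """
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version component in {version!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_patched(os_version: str, minimum: str = MIN_PATCHED_IOS) -> bool:
    """True when os_version is at or above the first patched release.

    Tuple comparison treats a shorter prefix as older, so '10.3' < '10.3.3'.
    """
    return parse_version(os_version) >= parse_version(minimum)


def unpatched_devices(inventory, minimum: str = MIN_PATCHED_IOS) -> list:
    """Return the sorted names of devices that still need the update.

    A version string that cannot be parsed is reported as non-compliant
    rather than silently passing, so an odd inventory entry is not missed.
    """
    flagged = []
    for record in inventory:
        try:
            if not is_patched(record["os_version"], minimum):
                flagged.append(record["name"])
        except ValueError:
            flagged.append(record["name"])
    return sorted(flagged)


if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print(f"needs iOS {MIN_PATCHED_IOS} or later: {name}")
```

Run as-is, the script reports `sales-ipad` and `loaner-ipad`; point `unpatched_devices` at your own inventory records (with the same two fields) to get the real list.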
To protect your device from Broadpwn and other mobile hazards, get Skycure.