Update to "Apple fans, Android world scramble to patch Broadcom's nasty.."

Accepted submission by kaszz at 2017-04-05 14:14:27
Security

In regard to Apple fans, Android world scramble to patch Broadcom's nasty drive-by Wi-Fi security hole [soylentnews.org]

A Broadcom chip [theregister.co.uk] that handles WiFi connections has serious over-the-air security flaws that make it possible to take over the chip wirelessly. This affects the LG/Google Nexus 5, 6 and 6P, most Samsung flagship devices, all iPhone 4 and later models, and newer iPods and iPads.

The wireless system-on-chip (SoC) firmware can be tricked into overrunning its stack buffers by carefully crafted wireless frames that use abnormal values in the metadata. Combined with the frequent timer firings, this makes it possible to gradually overwrite specific chunks of system-on-chip RAM until arbitrary code is executed. Details of the security flaw are described here [blogspot.com.au].

Broadcom's closed-source implementation is found to lag behind in modern security. Specifically, it lacks countermeasures like stack cookies, safe unlinking and access permission protection, neglecting the security features of the ARM Cortex-R4 [wikipedia.org] microcontroller. And once the system-on-chip is controlled, escalation into the primary CPU can be attempted.

It seems the security flaw stems from the implementation of "Tunneled Direct Link Setup" (TDLS) [wikipedia.org], or 802.11z, a seamless way to stream data directly between devices already on the same Wi-Fi network.

Lesson: Broadcom sucks, closed source sucks and new features may be just that and then some...

Kind of reminds me of the DVB [soylentnews.org] over-the-air TV exploit. There sure are more wireless chips with clueless security.
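As an added illustration in C (not code from the submission, the Register article or Broadcom's firmware), here is the bug class the story describes: an 802.11 information-element parser that trusts a frame's length byte when copying into a fixed stack buffer, beside the bounds-checked version and a whole-list validator. The [id][len][data] IE layout is the standard one; MAX_IE_DATA and the sample frames are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

/* Constructed illustration, not Broadcom's firmware. 802.11 management
 * frames (TDLS setup frames included) carry information elements (IEs)
 * laid out as [id:1][len:1][data:len]. The length byte is attacker-
 * controlled metadata; trusting it when copying into a fixed stack
 * buffer is the overrun class the story describes. */
#define MAX_IE_DATA 16   /* assumed size of the fixed on-stack IE buffer */

/* "Before": copies ie[1] bytes into a 16-byte stack buffer unchecked.
 * Without stack cookies, a length above 16 silently overwrites whatever
 * follows the buffer on the stack. Shown for contrast, never called. */
void copy_ie_unchecked(const uint8_t *ie)
{
    uint8_t buf[MAX_IE_DATA];
    memcpy(buf, ie + 2, ie[1]);   /* BUG: ie[1] may be anything up to 255 */
}

/* "After": rejects an IE whose declared length exceeds either the bytes
 * actually present or the destination. Returns bytes copied, or -1. */
int copy_ie_checked(const uint8_t *ie, size_t avail, uint8_t *out, size_t out_len)
{
    if (avail < 2) return -1;              /* header truncated */
    size_t ie_len = ie[1];
    if (ie_len > avail - 2) return -1;     /* claims more than is present */
    if (ie_len > out_len) return -1;       /* would not fit the destination */
    memcpy(out, ie + 2, ie_len);
    return (int)ie_len;
}

/* Walks a whole IE list and reports whether every length field is
 * consistent with the bytes remaining in the frame. */
bool ie_list_is_wellformed(const uint8_t *frame, size_t frame_len)
{
    for (size_t off = 0; off < frame_len; ) {
        if (frame_len - off < 2) return false;          /* dangling id byte */
        size_t ie_len = frame[off + 1];
        if (ie_len > frame_len - off - 2) return false; /* abnormal length */
        off += 2 + ie_len;
    }
    return true;
}

/* Constructed sample frames (not captured traffic) and a destination buffer. */
const uint8_t good_frame[] = {0x00, 0x03, 'a', 'b', 'c', 0x2d, 0x02, 0x01, 0x02};
const uint8_t bad_frame[]  = {0x00, 0xC8, 'a', 'b', 'c'};  /* len says 200, 3 present */
const uint8_t big_frame[22] = {0x00, 0x14};  /* len 20 is consistent but > MAX_IE_DATA */
uint8_t g_out[MAX_IE_DATA];
```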
