Broadcom Wifi hack bug?

[Dan Goodin]

A broad array of Android phones is vulnerable to attacks that use booby-trapped Wi-Fi signals to achieve full device takeover, a researcher has demonstrated.

The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday's release of iOS 10.3.1. "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple's accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P "by Wi-Fi proximity alone, requiring no user interaction."

Continue reading on ArsTechnica

 

[Morac]

I have an AC-88U which I've read has a Broadcom wifi chip. Today Google Project Zero released details of a buffer overrun for Broadcom's Wifi chip's TDLS implementation. It affects Apple and Android devices, but does it affect ASUS routers? I feel it should be no since TDLS has to do with peer to peer Wifi, but I'd like to be certain.

https://www.theregister.co.uk/2017/04/05/broadcom_wifi_chip_bugs/

 

[sfx2000]

Exploiting Broadcom's WiFi Stack

Reading through - it's mostly on the full mac chipsets, but they hinted that soft mac isn't much different in this regard.

Apple has patched the current iDevices (10.3.1), Google has checked in changes, and I believe that they've patched up the Pixel and Nexus lines...

 

[Morac]

I know about Apple and Google, but I was wondering if it affected Wifi routers as the article I linked to implies.

 

[sfx2000]

I know about Apple and Google, but I was wondering if it affected Wifi routers as the article I linked to implies.

Perhaps - the SW stacks inside the chipsets are similar - that's pretty much all I can say...

 

[kvic]

Apple had to go back and patch as old as iPhone 5 where BCM4334 wifi chips were used. BCM4352(RT-AC56U), BCM4360(RT-AC68U) and BCM4366 (RT-AC88U) are used in Asus. I would bet they're affected. Newer models probably will receive fix through wireless driver update...through a future Asus firmware release.

 

[sfx2000]

Just consider that the RTOS that runs any and all WiFi chipsets - they're all now under attack...

Broadcom is in the crosshair right now, but QCA/Marvell/Realtek/MediaTek - folks are looking at this pretty hard right now - as it's a very wide threat surface...

Has nothing to do with Asus specifically - this is a chip issue outside of the vendor firmware.

 

[kvic]

Of cos not just Asus routers using Broadcom wifi chips but any vendor's product using Broadcom wifi chips. However, it's perhaps stretching too far to include QCA/Marvell/Realtek/MediaTek at the moment...

 

[drabisan]

Vulnerability is in the implementation of Tunneled Direct Link Setup. Purpose of TDLS is to establish a communication without involving the AP.
While reading the long and complex Google post my understanding is no router/AP should ever process to tlds discover request packets.
But that's the theory.

 

[sfx2000]

For this particular vuln - TDLS, which is more common than one would think...

The real tell however is how this bug pulls back the curtain on the MCU's and Real Time OS's that are running inside the chipset itself on both the AP and clients - go read the article, it's a nice insight into what happens inside the wifi chip itself.

And since this is not the Linux (or BSD/vxWorks/etc) running on the main System on Chip - it's likely not going to be logged in syslog...

 

[sfx2000]

Of cos not just Asus routers using Broadcom wifi chips but any vendor's product using Broadcom wifi chips. However, it's perhaps stretching too far to include QCA/Marvell/Realtek/MediaTek at the moment...

This particular vuln is specific to some Broadcom chips - but there's only so many ways to do things, and everyone pretty much does it the same way - specifics might be different, but at a high level, they're all very similar..

At one of the Chaos conferences, there was a similar approach to fuzzing 2G/3G modems from different vendors...

 

[swetoast]

urgh this is just making me hate Broadcom so much more... well again saw this article today and was thinking the exact thing if the routers are exploitable too, time will tell but ofc Broadcom wont tell us outright if there is since they dont like to share their sources.

the price of not being opensource.

 

[sfx2000]

the price of not being opensource.

Inside the chipset - nobody is open source... some vendors are more friendly than others with drivers, but the RTOS inside the chip itself - secret sauce...

Intel is more open about this than most, but even there stuff has some binary blobs inside...