Post Reply PSA: wifi chip is now hacked, update your android and iOS to avoid broadpwn
13826 cr points
Send Message: Send PM GB Post
☆Land of sweets☆
Offline
Posted 7/27/17
not too long ago, it was discovered that a flaw in the wifi chip allowed attackers to hack android and iOS devices, and get access to the main processor - allowing them to run virtually any program they wish. they could do anything with your phone, and you wouldn't even notice - as far as the phone/tablet is concerned, the hacker instructions came from the OS itself.



Broadcom Wi-Fi chips embedded in Android and iOS devices are vulnerable to a bug that allows an attacker to execute code on their devices, without any interaction needed from the user.
The bug was discovered by security researcher Nitay Artenstein, is nicknamed Broadpwn, and tracked as CVE-2017-9417.
Artenstein reported the bug in private to Google, who included a fix for this issue in the Android Security Bulletin for July 2017, released this week, on July 5.

https://www.bleepingcomputer.com/news/security/broadpwn-bug-affects-millions-of-android-and-ios-devices/


The most intriguing bug this month, however, is an RCE flaw in the Broadcom Wi-Fi code that’s used by Android devices equipped with certain Broadcom wireless chips.
According to Google, “a proximate attacker [could] execute arbitrary code within the context of the kernel”.
In plain English, that means a crook who’s within Wi-Fi range could fire off booby-trapped network packets at your Wi-Fi hardware, trigger a bug in the wireless device…
…and end up with the same programmatic powers as the Android operating system on your device.

https://nakedsecurity.sophos.com/2017/07/07/update-your-android-now-many-holes-fixed-including-broadpwn-wi-fi-bug/


Google released a security patch Wednesday that addresses a critical vulnerability dubbed “Broadpwn” found in millions of Android devices that could allow remote attackers to execute code on targeted devices.
The so-called Broadpwn bug is tied to a vulnerability in Broadcom’s BCM43xx family of WiFi chips. According to Nitay Artenstein, a researcher with Exodus Intelligence that discovered the vulnerability, Apple iOS devices are also impacted by the flawed chipset (CVE-2017-3544).
...
the vulnerability “is found in an extraordinarily wide range of mobile devices – from various iPhone models, to HTC, LG, Nexus and practically the full range of Samsung flagship devices.”
The researcher said he was able to bypass mitigations such as DEP and ASLR and gain access to Broadcom’s BCM43xx WiFi chipset. He wrote, “…what happens when, underneath your heavily hardened OS, a separate chip parses all your Wi-Fi packets – and runs with no exploit mitigations whatsoever?”
...
Affected by the flaw are Android versions 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1.

https://threatpost.com/google-patches-critical-broadpwn-bug-in-july-security-update/126688/

this is serious stuff. update to the latest iOS (currently 10.3.3) or, if you're on android, update as soon as an update becomes available.
313 cr points
Send Message: Send PM GB Post
24 / A hookah bar
Offline
Posted 7/27/17
So you're saying that this bug can access the root of any phone and execute code at will, without the device prompting the connection to another device? That's pretty op.
1482 cr points
Send Message: Send PM GB Post
22 / M / Somewhere to my l...
Offline
Posted 7/27/17
for the majority of android users, we'll be getting that patch late because first it gotta be released by google, then edited and approved by our phone manufacturers, then approved by our cell carriers. By then, it'll be kind of late (time wise)
1886 cr points
Send Message: Send PM GB Post
38 / M / Shanghai China
Offline
Posted 7/27/17
That's why Android sucks its to regulated. I am switching back to an IPhone before I leave the USA and go back home to shanghai. I doubt my android phone will ever get android os 7 even though it was manufactured in 2016 so its not even a year old but thanks to google its considered obsolete already. Google and android create to much e-waste as well at least with iPhone when an update comes out I get it almost right away.
zuzma 
55224 cr points
Send Message: Send PM GB Post
Offline
Posted 7/27/17 , edited 7/27/17
Galaxy s8 uses a BCM4361. I know the US version hasn't been rooted yet and it could result in that if they don't patch the bug for it in time. All I'd really use it for is to remove some of the awful apps samsung and t-mobile loaded on to it
1482 cr points
Send Message: Send PM GB Post
22 / M / Somewhere to my l...
Offline
Posted 7/27/17

gsm642 wrote:

That's why Android sucks its to regulated. I am switching back to an IPhone before I leave the USA and go back home to shanghai. I doubt my android phone will ever get android os 7 even though it was manufactured in 2016 so its not even a year old but thanks to google its considered obsolete already. Google and android create to much e-waste as well at least with iPhone when an update comes out I get it almost right away.


The obsolete thing depends on the manufacturer. Most phones made in 2016 can still run Android 7 (My S7 Edge runs it smoothly)

In terms of updates, yes Android is a bit more regulated because of all the different manufacturers and devices and carrier specifications. In terms of app updates, no because google tends to have a policy that's a bit more lax than Apple's Walled Garden. Not saying one is better than the other, but each has their pros and cons
Posted 7/27/17


This has already been patched.
Broadpwn was reported the beginning of this month. Google patched it on July 5th (Source. Samsung, LG, and HTC have all patched their devices based off of the Android security update.
Apple released iOS 10.3.3 to patch this vulnerability as well.

At this point, it'll be your own fault for not updating your software.
39 cr points
Send Message: Send PM GB Post
28 / M
Offline
Posted 7/27/17 , edited 7/27/17

zuzma wrote:

Galaxy s8 uses a BCM4361. I know the US version hasn't been rooted yet and it could result in that if they don't patch the bug for it in time. All I'd really use it for is to remove some of the awful apps samsung and t-mobile loaded on to it


Set up your own Broadpwn and hack your phone to root it?
7379 cr points
Send Message: Send PM GB Post
35 / Pacific North West
Offline
Posted 7/27/17

gsm642 wrote:

That's why Android sucks its to regulated. I am switching back to an IPhone before I leave the USA and go back home to shanghai. I doubt my android phone will ever get android os 7 even though it was manufactured in 2016 so its not even a year old but thanks to google its considered obsolete already. Google and android create to much e-waste as well at least with iPhone when an update comes out I get it almost right away.


Atleast here in the US... Apple isnt doing so hot these days. They just lost a patent infringement lawsuit for using pentium-like(though Intel was sued by same company for their Pentium updates) chips in their phones.
http://www.reuters.com/article/us-apple-wisconsin-patent-idUSKCN0S72T320151013
As well as possibly being banned in the near future completely in the US because of copyright/patent lawsuits from QUALCOMM
https://www.cnet.com/news/qualcomm-could-seek-iphone-ban-in-the-us/

This is what happens to companies who become so commercially succesful they no longer think rules apply to them. All this and the ever back and forth lawsuits between apple and samsung... Apple is probably spending half their profits on their legal teams
Banned
1273 cr points
Send Message: Send PM GB Post
101 / O / bendover
Offline
Posted 7/27/17
Well here the latest patch/update for all the smartphones.
You must be logged in to post.