Google's top-notch vulnerability researchers rarely bring good news. They've found another whopper: Flaws in a microchip used widely in Apple and Android mobile devices could be used to remotely hack a device over Wi-Fi.
It's the kind of heart-stopping find that has unfortunately become routine for Google's Project Zero, which does deep research into critical software and components. Apple has issued a patch for the flaws, but Android devices remain unprotected.
The problems are contained within the firmware of a system on chip made by Broadcom that is used in mobile devices and Wi-Fi routers. The chips are in Google's flagship Nexus devices, Samsung's high-end devices and Apple's iPhone 4 and later models.
Security folks tend to focus on a mobile device's application processor to find bugs. But mobile phones are a nest of densely packed components that are "elaborately communicating with one another," writes Gal Beniamini, a security researcher with Google Project Zero, in a blog post.
"Other components have seldom received the same scrutiny," he writes. "However, attackers tend to follow the path of least resistance. Improving the security of one component will inevitably cause some attackers to start looking elsewhere for an easier point of entry."
Mobile phones increasingly depend on a separate system on chip to deal with the complexities of managing Wi-Fi. Offloading these tasks to a separate chip, referred to as a Wi-Fi FullMAC chip, improves battery life. But it's not without issues.
"All that said and done, the introduction of Wi-Fi FullMAC chips does not come without a cost," Beniamini writes. "Introducing these new pieces of hardware, running proprietary and complex code bases, may weaken the overall security of the devices and introduce vulnerabilities which could compromise the entire system."
Older Wi-Fi FullMAC chips have lagged behind in security, however, and don't have basic exploit mitigations. Google found a series of vulnerabilities that affect Broadcom's system-on-chip firmware, which then could allow someone to elevate privileges and get inside the operating system's kernel.
Essentially, the flaws in the firmware can be exploited via Wi-Fi frames to overflow the stack of the system on chip, allowing attacker-supplied code to run on the chip. Beniamini describes how the researchers exploit the system on chip. A second post, due to be published soon, will show how that access is parlayed into access to the kernel.
"We'll demonstrate full device takeover by Wi-Fi proximity alone, requiring no user interaction," he writes.
Broadcom was notified of the flaws. Beniamini writes that Broadcom told Google that newer versions of its systems on chip use what's termed a Memory Protection Unit, which manages access privileges, and have other hardware security features. Efforts to reach Broadcom officials were not immediately successful.
"This is an interesting development and a step in the right direction," Beniamini writes. Broadcom "is also considering implementing exploit mitigations in future firmware versions."
Apple's patch, released on April 3, improves input validation, according to its advisory. It fixes the issue on the iPhone 5 and up, iPad 4th generation and later, and the iPod Touch 6th generation.
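To make concrete what "overflow the stack via Wi-Fi frames" and "improves input validation" mean in firmware like this, here is an added example (written for this article, not Broadcom's firmware, Apple's patch, or Project Zero's code, and not the actual bug). It assumes a simplified 802.11 element layout (1-byte ID, 1-byte length, payload) and shows a walker that checks each declared length against both the remaining frame bytes and the fixed-size destination buffer before copying. The sample frame bodies are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified information-element walker. 802.11 management
 * frame bodies carry tagged elements: 1-byte element ID, 1-byte length,
 * then 'length' bytes of payload. Added example; not Broadcom's firmware. */

#define IE_SSID       0      /* element ID 0 is the SSID in 802.11 */
#define SSID_MAX_LEN  32     /* the standard caps SSIDs at 32 octets */

enum parse_status {
    PARSE_OK        = 0,
    PARSE_NOT_FOUND = 1,     /* element absent: legitimate, not an error */
    PARSE_TRUNCATED = 2,     /* declared length exceeds remaining frame bytes */
    PARSE_TOO_LONG  = 3      /* declared length exceeds destination buffer */
};

/* Copies the SSID element into 'out' (capacity out_cap) only after the
 * declared length has been checked against both the remaining frame
 * bytes and the destination capacity. An unchecked copy of body[off+1]
 * bytes into a fixed-size stack buffer is the classic pattern that lets
 * a crafted frame overrun the stack; the two checks below prevent it. */
enum parse_status extract_ssid(const uint8_t *body, size_t body_len,
                               uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t off = 0;
    *out_len = 0;
    while (off + 2 <= body_len) {            /* need ID + length bytes */
        uint8_t id  = body[off];
        uint8_t len = body[off + 1];
        if (len > body_len - off - 2)        /* check before touching payload */
            return PARSE_TRUNCATED;
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN || len > out_cap)
                return PARSE_TOO_LONG;
            memcpy(out, body + off + 2, len);
            *out_len = len;
            return PARSE_OK;
        }
        off += 2 + (size_t)len;              /* skip to the next element */
    }
    return PARSE_NOT_FOUND;
}

/* Constructed sample frame bodies (not captured traffic). */
static const uint8_t GOOD_BODY[] = {
    0x01, 0x03, 0x82, 0x84, 0x8b,            /* supported rates, 3 bytes */
    0x00, 0x04, 'h', 'o', 'm', 'e'           /* SSID "home", 4 bytes */
};
static const uint8_t TRUNCATED_BODY[] = {
    0x00, 0x10, 'a', 'b'                     /* SSID claims 16 bytes, 2 present */
};

/* Helpers that run the walker against a fixed 32-byte stack buffer and
 * return the status, so each case can be checked from a test. */
static enum parse_status status_for(const uint8_t *body, size_t body_len,
                                    size_t *ssid_len)
{
    uint8_t ssid[SSID_MAX_LEN];
    return extract_ssid(body, body_len, ssid, sizeof ssid, ssid_len);
}

enum parse_status status_good(void)
{
    size_t n;
    return status_for(GOOD_BODY, sizeof GOOD_BODY, &n);
}

int good_ssid_len(void)                      /* returns 4 for GOOD_BODY */
{
    size_t n;
    if (status_for(GOOD_BODY, sizeof GOOD_BODY, &n) != PARSE_OK)
        return -1;
    return (int)n;
}

enum parse_status status_truncated(void)
{
    size_t n;
    return status_for(TRUNCATED_BODY, sizeof TRUNCATED_BODY, &n);
}

enum parse_status status_oversized(void)     /* SSID claiming 40 bytes > 32 */
{
    uint8_t body[2 + 40];
    size_t n;
    body[0] = IE_SSID;
    body[1] = 40;
    memset(body + 2, 'x', 40);               /* payload really present, just too long */
    return status_for(body, sizeof body, &n);
}

int main(void)
{
    printf("good: %d (len %d)\n", status_good(), good_ssid_len());
    printf("truncated: %d\n", status_truncated());
    printf("oversized: %d\n", status_oversized());
    return 0;
}
```

The two rejections are distinct on purpose: a truncated element means the frame lies about its own size, while an oversized SSID is self-consistent but would not fit the destination. A parser that only performs one of the two checks is still exploitable by the other case, which is why both belong in front of every copy.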