387 points pedro84 | 18 comments
1. yifanlu No.14860722
The article mentions

> Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS.

But it doesn't go into any details on how this privilege escalation actually works for iOS, and more specifically that it doesn't require additional exploits. Can anyone explain this in more detail? If this actually allows code execution on the iOS application processor, that means we have a jailbreak, right?

replies(2): >>14861182 #>>14861247 #
2. revelation No.14861182
The block diagram shows a PCIe connection to the application processor, which enables DMA. Most modern systems have an MMU to prevent the peripheral from DMAing to memory areas not specifically reserved for it, but given (certainly Android) systems run oldschool kernels hacked together by the last kind of crowd you want working on them, it's probably not enabled or set up correctly.

The other, more obvious privilege escalation is that there is still a kernel driver on the application processor talking to the chipset. There is per se no reason to distrust data coming from the chipset, so these often aren't written as defensively as they should be and could contain trivially exploitable assumptions on what the chipset will send and do.

replies(2): >>14861219 #>>14861336 #
3. yifanlu No.14861219
> Most modern systems have a MMU to prevent the peripheral from DMAing to memory areas not specifically reserved for it, but given (certainly Android) systems run oldschool kernels hacked together by the last kind of crowd you want working on them it's probably not enabled or setup correctly.

I'm not sure it's fair to assume the iOS IOMMU isn't set up properly just because that's the case on many (most?) Android phones. According to the author, most Android phones don't even have KASLR, which iOS has had since iOS 6. I would assume the IOMMU exists and is working properly unless someone has evidence otherwise (a quick Google search shows very little information on iOS + IOMMU). If a DMA attack is indeed successful on iOS devices, I think that would be substantial enough to write about.

> The other more obvious privilege escalation is that there is still a kernel driver on the application processor talking to the chipset.

I would consider that a separate exploit--but even then you still need a KASLR bypass (another exploit?) at the very least to gain control.

> so these often aren't written as defensive as they should be

On the contrary, the market rate for an iOS jailbreak chain is upwards of $1 million USD, so I'd be surprised if a single exploit gives you full system control.

replies(1): >>14861261 #
4. ktRolster No.14861247
They only hijacked the radio chip, they didn't escalate to the main processor.

One way of attacking would be to intercept someone's internet traffic and redirect them to a different site (i.e., instead of going to Google, you go to get-hacked, which looks just like Google).

replies(2): >>14861298 #>>14861320 #
5. revelation No.14861261
I didn't want to suggest that iOS is insecure because Android systems are. For Android we know most of them are hopeless; on iOS it's security by obscurity all the way, with just a generally good "track record".

Well, they patched something. Maybe they just patched the firmware image that is loaded onto the chipset on boot and there was no privilege escalation onto the iOS application processor. But if there was, the obscurity means criminals can easily look at the patch to see what it was and exploit that while the public knows nothing.

replies(3): >>14861307 #>>14861783 #>>14861946 #
6. pmontra No.14861298
They intercept and modify packets to redirect to a web site they control. It exploits the main processor through the browser.
replies(1): >>14861625 #
7. yifanlu No.14861307
Right, I'm guessing they just patched the actual wifi chip vulnerability. That's why I would like someone (preferably the author) to disclose if there is indeed a privilege escalation or not and to provide more details if there is.
8. yifanlu No.14861320
> Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS.

This implies they have code execution on the application processor just from Broadpwn (and not additional Safari/iOS exploits). Hijacking internet traffic is indeed serious, but tech blog sites are already picking up on this and blowing it up. Example: https://9to5mac.com/2017/07/20/broadpwn-wifi-vulnerability-i...

> PSA: Update to iOS 10.3.3 to fix serious wifi vulnerability allowing attacker complete control

replies(1): >>14867536 #
9. viraptor No.14861336
> hacked together by the last kind of crowd you want working on them

That was neither informative nor necessary, really... (And likely not true)

replies(1): >>14861435 #
10. revelation No.14861435
The leading Android smartphone producer Samsung had, on at least two of their flagship phones, a world-RW device that allowed full access to the entire system memory, including the entirety of the kernel, deliberately:

http://www.securitytracker.com/id/1027894

They needed it to get the camera working. This is not an exaggeration, the people they have writing software for their phones will take every shortcut they can find or imagine to deliver another bullet point on the feature list. Security be damned.

replies(1): >>14872464 #
11. armitron No.14861625
Assuming one has additional browser vulnerabilities, sandbox escapes and privilege escalation bugs. "Broadpwn" doesn't exploit main processor __anything__ by itself.
replies(1): >>14863412 #
12. amazingman No.14861783
How, specifically, is iOS "security by obscurity all the way"?
13. Gaelan No.14861946
> criminals can easily look at the patch to see what it was and exploit that while the public knows nothing.

Huh? If criminals can “easily” inspect the patch, why can’t the public?

replies(2): >>14862020 #>>14862021 #
14. doctorless No.14862020
They can, but ease is a term that is conditional on expertise.
15. kybernetikos No.14863412
Does the broadcom processor normally have access to main memory? If so, I would have to consider that a complete attack absent any mitigation technology.
replies(1): >>14863724 #
16. londons_explore No.14863724
No. It's a PCI Express device (or SDIO/USB for older chips). All modern platforms have IOMMUs for those, and every decent OS will enable it.
17. azernik No.14867536
Probably because a device on the system itself has tremendous privileges; aside from interacting with non-hardened kernel code (drivers generally trust the device not to be malicious), they generally have DMA access, in PCI can impersonate the CPU when speaking to other devices, and can generally cause all kinds of havoc.
18. frankzinger No.14872464
That's shocking, but it happened in 2012. How have they been doing for the past 5 years?