Most active commenters
  • thomastjeffery(5)
  • azernik(5)
  • mmjaa(3)

←back to thread

Remotely Compromising Android and iOS via a bug in Broadcom's WI-FI Chipsets

(blog.exodusintel.com)
387 points pedro84 | 52 comments | 26 Jul 17 19:51 UTC | HN request time: 0.907s | source | bottom
1. thomastjeffery ◴[26 Jul 17 23:00 UTC] No.14861166[source]
Why does Broadcom insist on proprietary drivers?

How could it possibly be detrimental for Broadcom to have free software drivers?

This article is a poignant example that it is detrimental for them to continue to keep their drivers proprietary.

replies(6): >>14861174 #>>14861519 #>>14862058 #>>14863796 #>>14867469 #>>14871284 #
2. whowouldathunk ◴[26 Jul 17 23:01 UTC] No.14861174[source]
The drivers are probably pretty complicated and thus valuable IP.
replies(2): >>14861236 #>>14867384 #
3. thomastjeffery ◴[26 Jul 17 23:15 UTC] No.14861236[source]
I don't buy that.

Every wifi chipset has working drivers; therefore there is little to no value in Broadcom's driver as "IP".

Contrast that to the value of having a free driver that can receive security patches from anyone at any time.

replies(6): >>14861326 #>>14861646 #>>14862004 #>>14862013 #>>14862510 #>>14863716 #
4. johncolanduoni ◴[26 Jul 17 23:29 UTC] No.14861326{3}[source]
Every GPU has working drivers, but optimizations within them can make huge differences in performance on the same hardware.
replies(3): >>14861387 #>>14861468 #>>14861658 #
5. thomastjeffery ◴[26 Jul 17 23:40 UTC] No.14861387{4}[source]
Comparing a Wifi chipset to a video card is like comparing a bicycle to a sports car.
6. monocasa ◴[26 Jul 17 23:55 UTC] No.14861468{4}[source]
The driver 'optimizations' in GPUs tend to boil down to hand written replacements for unoptimal/broken shaders and API call sequences on a per application basis.

I expect a network card to not 'interpret' my traffic in a similar way.

replies(2): >>14861597 #>>14861620 #
7. Scramblejams ◴[27 Jul 17 00:02 UTC] No.14861519[source]
One theory I've seen bandied about related to GPU drivers is that it's harder for your competitors to notice you're infringing on their patents if you don't ship your source code.
replies(1): >>14861779 #
8. vvanders ◴[27 Jul 17 00:18 UTC] No.14861597{5}[source]
As someone who spent a ton of time in this space(working with most mobile GPU vendors from Android E to L) you're talking about things just at the surface.

The way the drivers + backing architecture are built contains tons of IP and things that they would very much not want their competitors seeing.

Our team built our reputation and relationship on keeping that data separate and confidential despite working with just about every vendor out there.

9. agumonkey ◴[27 Jul 17 00:23 UTC] No.14861620{5}[source]
Adding the double blind optimizations leading to absurdly complex drivers that tries to guess how user code tries to guess driver logic... maybe vulkan will help open source GPU drivers in the end.
10. gleenn ◴[27 Jul 17 00:28 UTC] No.14861646{3}[source]
Tell that to the Open and guys who have been dying for wifi drivers for years. They are definitely not all open. Furthermore, not nearly as many people are running alternative OSes on their phones as they are on other types of computers.
11. fulafel ◴[27 Jul 17 00:30 UTC] No.14861658{4}[source]
GPU drivers are very bug ridden and 3D apps can easily cause OS crashes. Apps are tested so they don't trigger those bugs. Witness all the complaint comments on webgl posts about machine crashes - and that's with a thick driver bug workaround layer in browsers.
12. tedunangst ◴[27 Jul 17 00:58 UTC] No.14861779[source]
This seems unlikely. (Or maybe that's the reason given, but it seems implausible to be true.) Competitors have more than enough know how to determine if you're infringing a patent, source or no source.
replies(3): >>14861968 #>>14862322 #>>14863651 #
13. freyir ◴[27 Jul 17 01:36 UTC] No.14861968{3}[source]
> Competitors have more than enough know how to determine if you're infringing a patent

How do you figure? The detectability of infringement is a key factor in deciding whether to file a patent.

Regardless, copyright infringement might also be an issue.

replies(1): >>14862259 #
14. freyir ◴[27 Jul 17 01:45 UTC] No.14862004{3}[source]
Every wifi chipset has working drivers

Every existing Wi-Fi chipset has working drivers. A startup begins from scratch, which is one more barrier to entry.

replies(1): >>14862140 #
15. colordrops ◴[27 Jul 17 01:48 UTC] No.14862013{3}[source]
It's not that other chipsets have working drivers, but that am open driver would reveal technical secrets of both their software and hardware design. Not saying I agree with proprietary drivers though.
16. paulie_a ◴[27 Jul 17 01:56 UTC] No.14862058[source]
There is no benefit. They probably have an embarrassing code base that is full of garbage and a bunch of lawyers paranoid about IP. Why would any manager suggest to take that risk that has very little potential upside.

It isn't that it would be realistically detrimental, it just has no value to the individual attempting to change the established course of the ship

replies(2): >>14862334 #>>14870283 #
17. justbuchanan ◴[27 Jul 17 02:11 UTC] No.14862140{4}[source]
True, but there are many open-source wi-fi drivers out there already. Unless broadcom's implementation is something out of the ordinary, releasing their driver doesn't really change the game.
replies(1): >>14863022 #
18. tedunangst ◴[27 Jul 17 02:36 UTC] No.14862259{4}[source]
Well, it's hard to be specific since nobody ever mentions which patents they're talking about. But I would assume that somebody at AMD has the skills to determine whether Nvidia uses the "good matrix" technique, or whatever it is people are assuming AMD patented that Nvidia is trying to hide.
replies(1): >>14862301 #
19. Justin_K ◴[27 Jul 17 02:47 UTC] No.14862301{5}[source]
In court, there's a big difference between your assumption vs. published code.
replies(1): >>14862338 #
20. kurthr ◴[27 Jul 17 02:52 UTC] No.14862322{3}[source]
The US legal system has discovery for patent cases. You can sue and then subpoena their code base to confirm whether they are in violation before going to court (and really racking up the fees). Since these are US companies I think that it's more likely fear that others would see the horrible hacks or clever trade secrets.

In other countries (most of Asia), where there is no discivery, it's almost impossible to prove hardware or software patent violations so your case is kicked out of court immediately, even if your patent claims are valid and their product reads into your claims. That's why most patent suits end up in the US or Europe (or in the even faster ITC import injunction).

21. wtallis ◴[27 Jul 17 02:55 UTC] No.14862334[source]
There are tons of benefits, to the end users. But most of them result in the user having less reason to buy a new device in the hopes of faster or more reliable WiFi.
replies(1): >>14863063 #
22. toast0 ◴[27 Jul 17 02:56 UTC] No.14862338{6}[source]
Drivers are published code, freely available. If the driver does something, and you can't find an expert witness to testify it does what it does, maybe it doesn't do what you think?

Reading assembly with no comments is a different skill than reading C or C++, especially since it's not always clear what's an instruction and what's data, but it's still reading code, and there are tools to help you trace through it. And most of the drivers aren't writing code like it's a 64k demo (where the code is the data, and the data is the code, and they both modify each other)

23. hedora ◴[27 Jul 17 03:35 UTC] No.14862510{3}[source]
I'd argue most wifi chipsets do not have working drivers, but I have an apparently high bar for "working": It has to stay authenticated to a given access point indefinitely, can't kernel panic or require reboots to switch to a new network, and needs to have competitive throughout and tail latencies under load.

Most wifi adapters fail at least one of these requirements under windows or linux.

24. cyphar ◴[27 Jul 17 06:11 UTC] No.14863022{5}[source]
And experience with Broadcom's wireless drivers (and NFC chips) tells me that the only thing extraordinary about them is how awful and limited they are.
25. Canada ◴[27 Jul 17 06:23 UTC] No.14863063{3}[source]
End users don't really matter to Broadcom. Chip makers don't sell product to end users, they sell to device manufacturers.
replies(1): >>14863113 #
26. axaxs ◴[27 Jul 17 06:38 UTC] No.14863113{4}[source]
absolutely true. But manufacturers are not going to use a wifi chip maker known to be repeatedly exploited, because of end user perception.
replies(3): >>14863189 #>>14864771 #>>14865994 #
27. Canada ◴[27 Jul 17 06:56 UTC] No.14863189{5}[source]
I hope that becomes true one day, but it's certainly not the case now.

Manufacturers currently have no choice but to ship devices running vulnerable application software that communicates with remote devices using vulnerable protocols. This is facilitated by vulnerable operating systems running many vulnerable device drivers communicate with devices that themselves have embedded processors running yet more vulnerable software.

All manufacturers can do is keep patching the morass of code that their offering depends on, but most device manufactures can't even manage that, or if they can they are unable do it fast enough and unwilling to do it for long enough.

28. londons_explore ◴[27 Jul 17 08:58 UTC] No.14863651{3}[source]
But they need evidence.

Reverse engineering silicon to figure out if you used a specific type of patented algorithm is super hard.

Looking at open source code is waaaay easier.

29. londons_explore ◴[27 Jul 17 09:20 UTC] No.14863716{3}[source]
Many of the "features" of a wifi chipset are implemented in drivers or firmware. QoS? Smarter packet scheduling? Better interference protection? All of those are likley in the drivers.

Competitors could review the code and "copy" how great features work without actually copying the code.

30. mmjaa ◴[27 Jul 17 09:39 UTC] No.14863796[source]
>How could it possibly be detrimental for Broadcom to have free software drivers?

Because they are used as a front/vector for US intelligence agencies. Opening this firmware would not allow for the distribution of these implants.

replies(2): >>14864437 #>>14864550 #
31. nl ◴[27 Jul 17 12:03 UTC] No.14864437[source]
Well based on the number of NSA and CIA "implants" in Linux and other open source software it isn't clear that makes a lot of difference.
replies(1): >>14867183 #
32. FungalRaincloud ◴[27 Jul 17 12:19 UTC] No.14864550[source]
While I acknowledge that this is a very real possibility, I don't think it has anything to do with the motivation to keep the source closed. I think more to do with an old world mentality that all intellectual property is a trade secret. Why share, when there's no real penalty to not sharing?
replies(1): >>14867169 #
33. ethbro ◴[27 Jul 17 12:51 UTC] No.14864771{5}[source]
> But manufacturers are not going to use a wifi chip maker known to be repeatedly exploited, because of end user perception.

How many of your non-professionally-technical friends could tell you the manufacturer of their WiFi chip? Is it on the box? Could they even tell you who Broadcom is?

"Intel NIC" only recently became a very minor selling point in enthusiast desktop motherboards. I'm not holding out hope this is going to follow a more informed curve.

The gatekeepers (manufacturers) are the only ones informed enough to make the decision en mass. And they're not going to do so without a market reason. So barring something like "Broadcom stops providing security updates" or "New law holds device manufacturers liable for security bugs" they're going to save the few cents on BoM and continue using them.

replies(3): >>14865038 #>>14865831 #>>14865832 #
34. axaxs ◴[27 Jul 17 13:31 UTC] No.14865038{6}[source]
I agree, but these things go up the chain. Sure people won't say 'I wont buy broadcom', or 'i wont buy snapdragon.' But they will say 'I won't buy PhoneCoXYZ because they were in the news for being hacked.' Not after this necessarily, but after enough times, I think we'll see it.
replies(1): >>14867951 #
35. bonyt ◴[27 Jul 17 14:51 UTC] No.14865831{6}[source]
I've seen some manufacturers start to advertise which WiFi chipset a laptop has. For example, Qualcomm Atheros cards are now marketed as "Killer," and Intel Wifi cards are often referenced by model number in laptop specs.
36. zanny ◴[27 Jul 17 15:09 UTC] No.14865994{5}[source]
Atheros has been open and Broadcom closed for well on a decade now. That has not driven substantial adoption of Qualcomm's wifi platform.
37. mmjaa ◴[27 Jul 17 16:59 UTC] No.14867169{3}[source]
The question is, what value is secrecy, and alas the answer is that for those who want to exploit their technology prowess over others, secrets are a dire necessity.

An open ideology is one where everyone wins, even those who aren't on your team. The closed one is mostly to protect ones own team. I don't consider any of the reasons to be good reasons, personally. Commercially necessary, perhaps, as a conforming act as part of the "super-state", also perhaps.. but nevertheless, the best conclusion is that this situation is rotten enough to motivate someone to fix it.

Me personally .. I'd love to have the sources for every sub-processor/component in my system. It would be of immense value - commercially and otherwise - to me as an end-user. I hope I don't sit alone in this market...

38. mmjaa ◴[27 Jul 17 17:00 UTC] No.14867183{3}[source]
It is indeed a battle.
39. azernik ◴[27 Jul 17 17:19 UTC] No.14867384[source]
Having worked on enterprise APs using BCM and Atheros chipsets:

The driver is not deeply protected IP. They will hand out full copies to any device manufacturer that uses they're chipset, so that they can integrate it with their systems. The secret sauce, the bit that they won't share with anyone even if it's necessary for debugging, is the on-chip firmware. That's the stuff they take seriously. The driver itself is just a lawyer thing.

40. azernik ◴[27 Jul 17 17:27 UTC] No.14867469[source]
The bugs in question here are not in the drivers (the bits that run in the OS kernel on the CPU). They are in the firmware (code that runs on a little ARM core on the WiFi chip itself - also called the microcode in the biz).

The driver is indeed "protected" for IP-lawyer reasons; they'll have it out under license to every Tom, Dick, and Jane looking to build a device with their chipset. The firmware, on the other hand, is very closely held, because that's where the chip's functionality lives. A WiFi chipset implements a fantastically complicated protocol, and no one wants to bake that into hardware that can't be updated as bugs are found; so they build relatively simple hardware, and slap a microcontroller right on the die that runs all the complicated logic.

This means that the microcode is as sensitive as The hardware specs on earlier generations of hardware; a competitor with a copy of that source can make a (perhaps better and improved) knockoff if they're not too worried about legal implications like, say, several dozen Chinese knockoff shops.

replies(1): >>14867534 #
41. thomastjeffery ◴[27 Jul 17 17:33 UTC] No.14867534[source]

    echo $original_comment | sed 's/driver/firmware/g'
replies(2): >>14867595 #>>14867621 #
42. ◴[27 Jul 17 17:40 UTC] No.14867595{3}[source]
43. azernik ◴[27 Jul 17 17:42 UTC] No.14867621{3}[source]
In which case this is your answer; they're worried about knockoffs, because without the firmware logic their devices are simple commodities, ie don't really have strong differentiators from the competition.
replies(2): >>14868177 #>>14870318 #
44. ethbro ◴[27 Jul 17 18:16 UTC] No.14867951{7}[source]
I'd like to move more towards this. And the branding and identification is probably a big part of this. Pushing news to report the culpable parties by name. "Samsung / Google / Apple recently had a flaw in their {model} phone" vs "Another phone vulnerability" desensitization.
45. thomastjeffery ◴[27 Jul 17 18:43 UTC] No.14868177{4}[source]
Is their firmware really noticeably better or have more features than competing chipsets?
replies(1): >>14868330 #
46. azernik ◴[27 Jul 17 19:02 UTC] No.14868330{5}[source]
Yes. 802.11ac, for example, takes both a faster transceiver and a bunch of firmware support, and time to market with this features was a big driver of sales. And that was an ongoing process - ac is actually a set of features, and it's taking years for all of them to be implemented.

Similarly, cheaper chips often don't support optional performance-enhancing features at layers 2 and 3 (link and MAC) that boost performance without any hardware investment.

47. azernik ◴[27 Jul 17 22:32 UTC] No.14870283[source]
Judging from what I've seen of their drivers, yeah, their firmware/microcode is probably an embarrassing bug-ridden code base. But it also represents a lot of investment in low-level/low-layer features that they would prefer to hide from competitors (much more sensitive than the higher-layer logic in the driver proper).
replies(2): >>14872638 #>>14873290 #
48. nucleardog ◴[27 Jul 17 22:37 UTC] No.14870318{4}[source]
The other hugely important side of this is that a lot of these devices have the ability to transmit on frequencies which they may not be licensed for, or may not be licensed for in all markets.

The easiest example being b/g channel 13. You're permitted to use it for WiFi in most of the world, but not North America. Keeping the firmware proprietary and "secure" is likely an important part of their FCC/IC certifications.

replies(1): >>14887299 #
49. 80211 ◴[28 Jul 17 01:50 UTC] No.14871284[source]
1. Why doesn't Apple open source iOS?

2. These weren't drivers. Did you read the article?

3. The larger share of the blame belongs to Apple. Why does Apple trust devices like this that are essentially independent computers? Why should anything this chip does be able to take over the phone and install software on it, in privileged mode, that replicates itself?

4. Why can't you see things rationally?

50. paulie_a ◴[28 Jul 17 07:37 UTC] No.14872638{3}[source]
While I can understand that sentiment and perspective. Those people are wrong, they are inconveniencing their competitors to a tiny degree and over estimating the value of those features due to the awful implenation.
51. mihular ◴[28 Jul 17 10:46 UTC] No.14873290{3}[source]
OTOH anybody can reverse engineer it. Just a tad bit more work.
52. zero_intp ◴[30 Jul 17 18:59 UTC] No.14887299{5}[source]
It is required(1). The FCC requires locking down the ability to transmit into regulated frequencies.

1. https://apps.fcc.gov/eas/comments/GetPublishedDocument.html?...