
387 points pedro84 | 3 comments
yifanlu No.14860722
The article mentions

> Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS.

But it doesn't go into any details on how this privilege escalation actually works for iOS and, more specifically, that it doesn't require additional exploits. Can anyone explain this in more detail? If this actually allows code execution on the iOS application processor, that means we have a jailbreak, right?

replies(2): >>14861182 #>>14861247 #
revelation No.14861182
The block diagram shows a PCIe connection to the application processor, which enables DMA. Most modern systems have an MMU to prevent the peripheral from DMAing to memory areas not specifically reserved for it, but given (certainly Android) systems run old-school kernels hacked together by the last kind of crowd you want working on them, it's probably not enabled or set up correctly.

The other, more obvious privilege escalation is that there is still a kernel driver on the application processor talking to the chipset. There is per se no reason to distrust data coming from the chipset, so these often aren't written as defensively as they should be and could contain trivially exploitable assumptions about what the chipset will send and do.

replies(2): >>14861219 #>>14861336 #
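The second point above, a host driver trusting what the chip sends, is the classic shape of such bugs. Below is an added illustration, not code from the article, from Broadcom's driver, or from any poster in this thread: a hypothetical event record (u16 type, u16 len, payload) that a WiFi chip writes into shared DMA memory, parsed once by a driver that trusts the device's length field and once by a driver that treats the chip as an untrusted remote peer. The record layout, the 32-byte payload limit and the canary field are all constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical event record the chip writes into the shared DMA ring:
 *   u16 type | u16 len | len bytes of payload   (little-endian)
 * Once the chip firmware is compromised every one of these bytes is
 * attacker-controlled, so the host side must not trust any of them. */
#define HDR_LEN        4
#define EV_PAYLOAD_MAX 32
#define EV_TYPE_SCAN   1

/* Host-side copy. The canary stands in for whatever the kernel happens to
 * place after the buffer in real life (a function pointer, a refcount...). */
struct host_event {
    uint16_t type;
    uint16_t len;
    uint8_t  payload[EV_PAYLOAD_MAX];
    uint32_t canary;
};
#define CANARY 0xA5A5A5A5u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

void host_event_init(struct host_event *h) {
    memset(h, 0, sizeof *h);
    h->canary = CANARY;
}

/* Build a record the way a hostile chip might. Constructed test input. */
size_t build_record(uint8_t *buf, size_t cap, uint16_t type, uint16_t claimed_len) {
    if (cap < (size_t)HDR_LEN + claimed_len) return 0;
    buf[0] = type & 0xff;        buf[1] = type >> 8;
    buf[2] = claimed_len & 0xff; buf[3] = claimed_len >> 8;
    memset(buf + HDR_LEN, 0x41, claimed_len);
    return HDR_LEN + claimed_len;
}

/* VULNERABLE: assumes the chip never claims more than EV_PAYLOAD_MAX.
 * It only checks that the record fits inside the ring it was handed, so a
 * claimed len of 36 writes 4 bytes past payload[] into whatever follows.
 * (The byte loop through the struct base keeps the demo deterministic; a
 * memcpy here would be the same bug.) */
int parse_event_trusting(struct host_event *out, const uint8_t *ring, size_t ring_len) {
    if (ring_len < HDR_LEN) return -1;
    uint16_t len = rd16(ring + 2);
    if (ring_len < HDR_LEN + (size_t)len) return -1;   /* source bound only */
    out->type = rd16(ring);
    out->len  = len;
    uint8_t *dst = (uint8_t *)out + offsetof(struct host_event, payload);
    for (size_t i = 0; i < len; i++)
        dst[i] = ring[HDR_LEN + i];                     /* no destination bound */
    return 0;
}

/* HARDENED: treat the chip as a remote peer. Read each field from shared
 * memory exactly once into a local (the device can rewrite the ring between
 * your check and your use), bound it against the destination as well as the
 * source, and reject unknown types before touching anything. */
int parse_event_checked(struct host_event *out, const uint8_t *ring, size_t ring_len) {
    if (ring_len < HDR_LEN) return -1;
    uint16_t type = rd16(ring);
    uint16_t len  = rd16(ring + 2);
    if (type != EV_TYPE_SCAN) return -1;
    if (len > EV_PAYLOAD_MAX) return -1;                /* destination bound */
    if (ring_len < HDR_LEN + (size_t)len) return -1;    /* source bound */
    out->type = type;
    out->len  = len;
    memcpy(out->payload, ring + HDR_LEN, len);
    return 0;
}

int main(void) {
    uint8_t ring[64];
    struct host_event h;
    size_t n = build_record(ring, sizeof ring, EV_TYPE_SCAN, 36);  /* lies: 36 > 32 */

    host_event_init(&h);
    parse_event_trusting(&h, ring, n);
    printf("trusting driver: canary %s\n", h.canary == CANARY ? "intact" : "CLOBBERED");

    host_event_init(&h);
    int rc = parse_event_checked(&h, ring, n);
    printf("checked driver: rc=%d canary %s\n", rc, h.canary == CANARY ? "intact" : "CLOBBERED");
    return 0;
}
```

The same pattern applies to any field the chip supplies: an event type used as an index into a handler table, a channel count used as a loop bound, an offset into a firmware-shared buffer. Each one needs a check against the host-side object it is used on, not just against the DMA region it arrived in, and the value must be read once, since the device still owns the memory it came from.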
1. viraptor No.14861336
> hacked together by the last kind of crowd you want working on them

That was neither informative nor necessary, really... (And likely not true)

replies(1): >>14861435 #
2. revelation No.14861435
The leading Android smartphone producer Samsung had, on at least two of their flagship phones, a world-RW device that allowed full access to the entire system memory, including the entirety of the kernel, deliberately:

http://www.securitytracker.com/id/1027894

They needed it to get the camera working. This is not an exaggeration; the people they have writing software for their phones will take every shortcut they can find or imagine to deliver another bullet point on the feature list. Security be damned.

replies(1): >>14872464 #
3. frankzinger No.14872464
That's shocking, but it happened in 2012. How have they been doing for the past 5 years?