387 points pedro84 | 3 comments
yifanlu No.14860722
The article mentions

> Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS.

But it doesn't go into any details on how this privilege escalation actually works for iOS, and more specifically that it doesn't require additional exploits. Can anyone explain this in more detail? If this actually allows code execution on the iOS application processor, that means we have a jailbreak, right?

replies(2): >>14861182 #>>14861247 #
ktRolster No.14861247
They only hijacked the radio chip, they didn't escalate to the main processor.

One way of attacking would be to intercept someone's internet traffic and redirect them to a different site (i.e., instead of going to Google, you go to get-hacked, which looks just like Google).

replies(2): >>14861298 #>>14861320 #
pmontra No.14861298
They intercept and modify packets to redirect to a web site they control. It exploits the main processor through the browser.
replies(1): >>14861625 #
armitron No.14861625
Assuming one has additional browser vulnerabilities, sandbox escapes and privilege escalation bugs. "Broadpwn" doesn't exploit main processor __anything__ by itself.
replies(1): >>14863412 #
kybernetikos No.14863412
Does the broadcom processor normally have access to main memory? If so, I would have to consider that a complete attack absent any mitigation technology.
replies(1): >>14863724 #
londons_explore No.14863724
No. It's a PCI Express device (or SDIO/USB for older chips). All modern platforms have IOMMUs for those, and every decent OS will enable it.
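The last reply hinges on whether the host actually confines the WiFi chip's DMA behind an IOMMU. The following is an added example, not code from the thread or from any Broadpwn research: a Linux check that walks sysfs and reports network-class PCI devices (WiFi adapters report class 0x0280xx) that have no `iommu_group`, which is the state in which a compromised chip could read and write arbitrary system memory. The `sysfs_root` parameter is an assumption for testing against a constructed tree; on a real host it defaults to `/sys`.

```python
"""Report PCI network devices (e.g. a PCIe WiFi chip) that are not behind an
IOMMU group on a Linux host.  A device with no iommu_group link can DMA to
arbitrary physical memory; one in a group is confined to the IOMMU mappings
the kernel sets up for its driver.
"""
import os
from pathlib import Path

# PCI base class 0x02 = network controller; WiFi adapters report 0x028000
# ("other network controller"), wired NICs 0x020000 (Ethernet).
NETWORK_CLASS_PREFIX = "0x02"


def pci_devices(sysfs_root: str = "/sys") -> list:
    """Return the bus addresses (domain:bus:slot.func) of all PCI devices."""
    devs = Path(sysfs_root) / "bus" / "pci" / "devices"
    return sorted(p.name for p in devs.iterdir()) if devs.is_dir() else []


def device_class(bdf: str, sysfs_root: str = "/sys") -> str:
    """Read the PCI class code string, e.g. '0x028000' for a WiFi controller."""
    path = Path(sysfs_root) / "bus" / "pci" / "devices" / bdf / "class"
    return path.read_text().strip()


def iommu_group(bdf: str, sysfs_root: str = "/sys"):
    """Return the IOMMU group number the device belongs to, or None when the
    kernel exposes no group (no IOMMU present, or disabled on the cmdline)."""
    link = Path(sysfs_root) / "bus" / "pci" / "devices" / bdf / "iommu_group"
    if not link.exists():
        return None
    # The link resolves to /sys/kernel/iommu_groups/<N>; <N> is the group id.
    return int(os.path.basename(os.path.realpath(link)))


def unprotected_network_devices(sysfs_root: str = "/sys") -> list:
    """List network-class PCI devices that are not behind any IOMMU group."""
    result = []
    for bdf in pci_devices(sysfs_root):
        if (device_class(bdf, sysfs_root).startswith(NETWORK_CLASS_PREFIX)
                and iommu_group(bdf, sysfs_root) is None):
            result.append(bdf)
    return result


if __name__ == "__main__":
    for bdf in unprotected_network_devices():
        print(f"{bdf}: network device with NO IOMMU group (DMA unrestricted)")
```

An empty result on a machine that does have a PCIe WiFi card is the expected state when the IOMMU is enabled; a listed device means the firmware or kernel command line has left it off.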