←back to thread

Remotely Compromising Android and iOS via a bug in Broadcom's WI-FI Chipsets

(blog.exodusintel.com)
387 points pedro84 | 8 comments | 26 Jul 17 19:51 UTC | HN request time: 0s | source | bottom
Show context
thomastjeffery ◴[26 Jul 17 23:00 UTC] No.14861166[source]
Why does Broadcom insist on proprietary drivers?

How could it possibly be detrimental for Broadcom to have free software drivers?

This article is a poignant example that it is detrimental for them to continue to keep their drivers proprietary.

replies(6): >>14861174 #>>14861519 #>>14862058 #>>14863796 #>>14867469 #>>14871284 #
paulie_a ◴[27 Jul 17 01:56 UTC] No.14862058[source]
There is no benefit. They probably have an embarrassing code base that is full of garbage and a bunch of lawyers paranoid about IP. Why would any manager suggest to take that risk that has very little potential upside.

It isn't that it would be realistically detrimental, it just has no value to the individual attempting to change the established course of the ship

replies(2): >>14862334 #>>14870283 #
wtallis ◴[27 Jul 17 02:55 UTC] No.14862334[source]
There are tons of benefits, to the end users. But most of them result in the user having less reason to buy a new device in the hopes of faster or more reliable WiFi.
replies(1): >>14863063 #
1. Canada ◴[27 Jul 17 06:23 UTC] No.14863063[source]
End users don't really matter to Broadcom. Chip makers don't sell product to end users, they sell to device manufacturers.
replies(1): >>14863113 #
2. axaxs ◴[27 Jul 17 06:38 UTC] No.14863113[source]
absolutely true. But manufacturers are not going to use a wifi chip maker known to be repeatedly exploited, because of end user perception.
replies(3): >>14863189 #>>14864771 #>>14865994 #
3. Canada ◴[27 Jul 17 06:56 UTC] No.14863189[source]
I hope that becomes true one day, but it's certainly not the case now.

Manufacturers currently have no choice but to ship devices running vulnerable application software that communicates with remote devices using vulnerable protocols. This is facilitated by vulnerable operating systems running many vulnerable device drivers communicate with devices that themselves have embedded processors running yet more vulnerable software.

All manufacturers can do is keep patching the morass of code that their offering depends on, but most device manufactures can't even manage that, or if they can they are unable do it fast enough and unwilling to do it for long enough.

4. ethbro ◴[27 Jul 17 12:51 UTC] No.14864771[source]
> But manufacturers are not going to use a wifi chip maker known to be repeatedly exploited, because of end user perception.

How many of your non-professionally-technical friends could tell you the manufacturer of their WiFi chip? Is it on the box? Could they even tell you who Broadcom is?

"Intel NIC" only recently became a very minor selling point in enthusiast desktop motherboards. I'm not holding out hope this is going to follow a more informed curve.

The gatekeepers (manufacturers) are the only ones informed enough to make the decision en mass. And they're not going to do so without a market reason. So barring something like "Broadcom stops providing security updates" or "New law holds device manufacturers liable for security bugs" they're going to save the few cents on BoM and continue using them.

replies(3): >>14865038 #>>14865831 #>>14865832 #
5. axaxs ◴[27 Jul 17 13:31 UTC] No.14865038{3}[source]
I agree, but these things go up the chain. Sure people won't say 'I wont buy broadcom', or 'i wont buy snapdragon.' But they will say 'I won't buy PhoneCoXYZ because they were in the news for being hacked.' Not after this necessarily, but after enough times, I think we'll see it.
replies(1): >>14867951 #
6. bonyt ◴[27 Jul 17 14:51 UTC] No.14865831{3}[source]
I've seen some manufacturers start to advertise which WiFi chipset a laptop has. For example, Qualcomm Atheros cards are now marketed as "Killer," and Intel Wifi cards are often referenced by model number in laptop specs.
7. zanny ◴[27 Jul 17 15:09 UTC] No.14865994[source]
Atheros has been open and Broadcom closed for well on a decade now. That has not driven substantial adoption of Qualcomm's wifi platform.
8. ethbro ◴[27 Jul 17 18:16 UTC] No.14867951{4}[source]
I'd like to move more towards this. And the branding and identification is probably a big part of this. Pushing news to report the culpable parties by name. "Samsung / Google / Apple recently had a flaw in their {model} phone" vs "Another phone vulnerability" desensitization.