
387 points pedro84 | 1 comments
yifanlu No.14860722
The article mentions

> Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS.

But it doesn't go into any details on how this privilege escalation actually works for iOS, and more specifically whether it doesn't require additional exploits. Can anyone explain this in more detail? If this actually allows code execution on the iOS application processor, that means we have a jailbreak, right?

replies(2): >>14861182 #>>14861247 #
ktRolster No.14861247
They only hijacked the radio chip, they didn't escalate to the main processor.

One way of attacking would be to intercept someone's internet traffic, and redirect them to a different site (ie, instead of going to Google, you go to get-hacked which looks just like Google).

replies(2): >>14861298 #>>14861320 #
yifanlu No.14861320
> Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS.

This implies they have code execution on the application processor just from broadpwn (and not additional safari/ios exploits). Hijacking internet traffic is indeed serious but tech blog sites are already picking up on this and blowing it up. Example: https://9to5mac.com/2017/07/20/broadpwn-wifi-vulnerability-i...

> PSA: Update to iOS 10.3.3 to fix serious wifi vulnerability allowing attacker complete control

replies(1): >>14867536 #
azernik No.14867536
Probably because a device on the system itself has tremendous privileges; aside from interacting with non-hardened kernel code (drivers generally trust the device not to be malicious), they generally have DMA access, in PCI can impersonate the CPU when speaking to other devices, and can generally cause all kinds of havoc.