Google's Project Zero shows how attackers could target increasingly powerful Wi-Fi chips on phones as low-hanging fruit.
Bugs in Broadcom's Wi-Fi SoC affected the iPhone 5 through to the iPhone 7, along with many Android devices, including Google's Nexus handsets, and Samsung's latest Galaxy flagships. Image: Sarah Tew/CNET
Patches released this week for Android and iOS draw attention to one of the softer targets powering our phones: increasingly complex, but not so well defended, Wi-Fi chips.
iPhone owners can thank Google Project Zero security researcher Gal Beniamini for the fix in iOS 10.3.1 that prevents an attacker executing code on its Wi-Fi chip. The bug affected the iPhone 5 through to the iPhone 7 which, like most smartphones, rely on a Broadcom Wi-Fi system on chip (SoC).
Many Android devices were also affected by several bugs Beniamini found in Broadcom's Wi-Fi SoC, including Google's Nexus handsets -- which were patched in the April Android security update -- and Samsung's latest Galaxy flagships.
Besides smartphones and tablets, many other devices with Broadcom Wi-Fi chips could also be affected, including Wi-Fi routers, according to Beniamini.
A lot of work has gone into improving the security of code running on the application processor, such as the Android operating systems and its applications, the researcher explained in a blogpost published on Tuesday.
Given this work, and attackers' tendency to pick the path of least resistance, it's plausible they'd move on to a less difficult but attractive target in their search for remotely exploitable bugs. Broadcom's Wi-Fi SoC is particularly attractive because it's the most widely used Wi-Fi chip for mobile devices.
Such SoCs are also attractive because they're running complex code that's likely to introduce vulnerabilities. As noted by Beniamini, so-called FullMAC standalone Wi-Fi chips have been introduced on mobile devices to handle more complex Wi-Fi features and take some of the load off the application processor, helping extend battery life.
The tradeoff is that "running proprietary and complex code bases may weaken the overall security of the devices and introduce vulnerabilities, which could compromise the entire system", he said.
Beniamini found two variants of a stack buffer overflow in Broadcom's Wi-Fi SoC. One occurred during the handling of the IEEE 802.11r Fast BSS Transition Feature's authentication response, while the other can be triggered when Cisco's proprietary CCKM Fast and Secure Roaming feature parsed a reassociation response.
Both implementations allow a network to support wireless roaming, enabling devices to roam quickly between Wi-Fi access points.
Finding out which devices support the roaming feature requires an analysis of the chip's firmware image. According to Beniamini, the 802.11r FT feature can be confirmed when finding the 'fbt' tag, while CKKM support can be found by the 'ccx' tag.
The ccx tag was found in several Galaxy models, including the "Galaxy S7 (G930F, G930V), the Galaxy S7 Edge (G935F, G9350), the Galaxy S6 Edge (G925V) and many more", according to Beniamini, while iPhone and iPad support for the 802.11r FT implementation resulted in the iOS 10.3.1 update.
In both cases, insufficient validation allowed an attacker to craft an attack that triggers a stack buffer overflow.
He also found two other heap overflow bugs in the implementation of Tunneled Direct Link Setup (TDLS), which allows two peers on a Wi-Fi network to exchange data directly, instead of relying on the access point. Beniamini found that most Samsung devices support TDLS, as do the Nexus 5, Nexus 6, and Nexus 6P.
Project Zero reported the issues to Broadcom in late December and the chipmaker was able to release fixes to vendors by late March, in some cases requesting an extension on Google's usual 90-day deadline.
Beniamini says his analysis showed that the Wi-Fi SoC is "incredibly complex" but still "lacks basic exploit mitigations, such as stack cookies, safe unlinking".
It also didn't use the Memory Protection Unit security feature available in the ARM Cortex R4 to protect access permissions over memory in RAM.
However, Broadcom says newer versions of its SoC do use MPU and other hardware security mechanisms, and it is considering exploit mitigations in future firmware.