WiFi Chip Flaw in iPhone is Really Bad News for IoT

In-brief: a remotely exploitable flaw in a common hardware component used in phones by Apple, Samsung and others underscores the risk posed by software embedded in system on chip components that are found in almost every connected device, experts warn. 

Researchers for Google’s Project Zero security team warned on Tuesday that a flaw in a very common wireless chip by the firm Broadcom leaves millions of mobile phones and other devices vulnerable to simple hacking by way of wireless networks.

The post, which you can read here, follows an emergency patch from Apple for its iPhone iOS operating system to fix one of the discovered holes: a “stack buffer overflow” hole that would allow an attacker to “execute arbitrary code on the Wi-Fi Chip.”

The Apple patch closes the security hole on iPhone version 5 and up, iPad 4th generation and later and iPod touch 6th generation and later. However, many other phones by different manufacturers are also believed to be vulnerable to attack over wireless networks.

Google’s Gal Beniamini described discovering four serious vulnerabilities in the software, or “firmware,” that runs Broadcom’s Wi-Fi System on Chip (SoC) hardware. The vulnerabilities include different types of buffer overflows, a common form of programming flaw that allows attackers to overwrite designated parts of a device’s memory. Overflows can cause software applications to crash, or allow an attacker to place their own (malicious) code onto a device and then execute it.

In addition to showing how a remote attacker could use a Wi-Fi based attack to execute (attack) code on a vulnerable chip, Beniamini also figured out a method for elevating privileges from the SoC to the operating system kernel, allowing “full device takeover by Wi-Fi proximity alone, requiring no user interaction.”

In case you’re in the dark about this: full remote takeover of a device like an Apple iPhone with no user interaction (i.e. installing an application, clicking a link) is pretty much the Holy Grail of device hacking these days and an exploit like that could fetch $1 million or more on the black market. It should be noted, though, that Beniamini tested his exploits on a fully updated (at the time, now fixed) Nexus 6P, running Android 7.1.1 version NUF26K.

However, while buffer overflows like those discovered in the Broadcom code are trivial and common programming errors, exploiting the holes in the SoC is difficult and represents a high technical bar to clear, said Billy Rios of the firm Whitescope.

Broadcom’s Wi-Fi SoCs are the most common Wi-Fi chipset used on mobile devices, enabling WiFi connectivity features on the Nexus 5, 6 and 6P, Samsung devices and iPhones version 4 and higher, Google noted.

Systems on Chip (or SoCs) are ubiquitous in the mobile and connected device space. Essentially mini computers on a single chip, they consolidate a range of formerly discrete functions like wireless networking, graphics processing (GPU) and coprocessors. Their increased use has enabled far smaller and more powerful mobile devices that are also much more energy-efficient.

“This is a prime example of a supply chain security problem,” said Craig Young, computer security researcher for cyber security firm Tripwire’s VERT (Vulnerability and Exposures Research Team) in a statement.

 

“Pretty much every modern consumer Internet of Things device has a SOC,” said Rios. “It’s just how everyone does business.”

But SoCs also contain software that is part and parcel of the SoC itself and beyond the reach of downstream device makers that use the SoC. The Google Project Zero research underscores the threat posed by that code, said Rios. The code that runs SoCs runs separately from the device operating system and kernel. As such, it is immune from the many, layered security features built into operating systems like Android and iOS.

“This system-on-chip (SoC) package providing Wi-Fi for all modern iPhones and several Samsung and Google/Nexus phones from recent years was never properly vetted for security issues before being integrated with any of these handsets,” wrote Young. “In general, packaged technology like this often evades security review, due to the difficulties associated with analyzing such low-level systems.”

Broadcom took more than three months to address the issues reported by Google’s researchers – and that was with the knowledge that Apple’s iOS was affected, a factor that likely accelerated any patching efforts. Other, lower profile security holes could take much longer to research and fix, Rios said.

And, with just one mistake, you could crash or disable the device – maybe permanently. Even with a firmware patch available, device makers need to extensively test any updates on their own hardware before distributing a SoC firmware update. “If you’re a manufacturer of an IoT device you have dependencies on the company that makes the SOC, so it’s important to understand who you’re taking on board,” he said.

The discovery of so many firmware holes in a system on chip is likely to spur manufacturers and device makers like Apple, Samsung and others to devote more scrutiny to SoCs and their software, perhaps hammering out deals with providers like Broadcom and Marvell that give them privileged access to such platforms to ensure security, said Rios. Still, only the largest vendors have that kind of leverage. Smaller makers of connected devices will likely be left in the dark when future vulnerabilities in common system on chip components surface.

“I wouldn’t be surprised that there are consumer IoT devices that are never patched,” Rios said.

2 Comments

  1. iOS 10.3.1 solves this issue.