Apple fans, Android world scramble to patch Broadcom's nasty drive-by Wi-Fi security hole

Yesterday, Apple rushed out an emergency patch to plug a severe security hole that can be exploited to wirelessly and silently commandeer iPhones, iPads and iPods. Now we know why: this remote-code execution vulnerability lies in Broadcom's Wi-Fi stack, which Apple uses in its handhelds. Many other handsets and Wi-Fi routers …

  1. MNGrrrl

    Epic fail

    First, an explanation: Mobile phones are actually a globbed together mix of systems, not a single device as the average consumer believes. There is the communication stack -- the 'phone' part of your smart phone, and then there is the main system, the 'smart' part of your phone where all the apps and such live. Other systems that are hung off the main system include GPS, WiFi/Bluetooth (usually integrated), camera, and sometimes a GPIO (Generic Pin I/O) plug-in for a notification LED, auto-sensing headphone jack, camera flash, etc. These are each so-called 'systems on a chip' which are baked into your phone via a generic internal bus (USB for example). The main system accesses it via a primitive set of I/O calls.

    This design is to minimize development costs -- want to add a camera? You don't need to redesign the entire stack, just glom it to the bus and do the interface in software. The downside is that the system you're attaching can't be updated easily, if at all. Making matters worse, the internal bus used isn't usually something like USB where there is a clear device/host barrier (ie, the device can't access main memory); It is usually a bus (like PCI) that has access to every other peripheral and can raise interrupts, access main memory, etc. These SoCs follow the same pattern internally -- often they, themselves, are glommed together frankensteins with the glue logic sitting in firmware.

    The end result is your phone is basically a network internally, and what you're accessing (touchscreen, buttons, microphone) is just one device on this network. Worse, Android (unlike Apple) suffers from severe fracturing, meaning it's up to the manufacturer to release updates for each specific device. It's easier to just tell their customers to buy a new phone every year rather than properly support it with security and OS updates for its expected service life -- ie, until the hardware is simply not capable of doing what the user wants anymore.

    So yes, shame on Broadcom for crappy development practices, but this is really an industry problem. We can't keep borgifying our devices and assimilating everything into the everythings, then not supporting it, and expect it not to end in disaster. IT: The only branch of engineering where a trend of decreasing reliability and increasing costs doesn't alarm anyone. Because let's be honest: If we built our houses like we build our information systems, the first wood pecker to come along would destroy civilization.

    1. jacksmith21006

      Re: Epic fail

      What sophisticated product in our world is NOT a "globbed together mix"?

      A car is a bunch of parts from different companies. PC same. Dishwasher same. Everything is "globbed" together. That is how stuff is made in 2017 and usually from a bunch of different companies.

      To me you do the best you can. In the last couple of weeks Google has found very serious flaws in Edge and IE, broke SHA1, found Cloud bleed and found this. Think they are the best at keeping you secure than any other vendor I am aware of. Plus Google puts their $$$ behind it by paying people to find flaws.

      We only have three platforms now, MS Windows, Google (Chrome & Android) and Apple. Of the three Google is the new guy but the only one that seems to take security seriously.

      Would say MS is the worse. Google finds their flaws, makes them aware, gives them 90 days to fix and more than once fail to fix.

      1. Lord Elpuss Silver badge

        Re: Epic fail

        "Of the three Google is the new guy but the only one that seems to take security seriously."

        Are you fricking kidding me?

      2. TheVogon

        Re: Epic fail

        "Would say MS is the worse."

        Then you have instantly proved you don't have a clue what you are talking about. Microsoft are leagues ahead of Google and Apple in mobile OS security. There have hardly been any exploits across dozens of Microsoft mobile OS versions versus dozens for Google and Apple.

        See for instance:

        http://news.softpedia.com/news/white-hat-hacker-claims-windows-phone-is-the-most-secure-mobile-platform-495841.shtml

        http://www.phonearena.com/news/Security-expert-Kaspersky-says-iOS-and-Android-are-the-most-vulnerable-platforms_id70318

        1. Anonymous Coward

          Re: Epic fail

          "There have hardly been any exploits across dozens of Microsoft mobile OS versions versus dozens for Google and Apple."

          Given Microsoft's typical regard for security, I am thinking it more likely that if MS can indeed suggest that they have fewer discovered vulnerabilities then it is down to the size of the userbase and hence security professional interest.

          That and how long their offerings last in the market would suggest that if any malware writers had bothered, then the next MS offering replaced it before vulnerabilities could be noticed being exploited.

          Certainly MS do not have a record of finding their own vulnerabilities and fixing them before someone else tells them, so since relatively no one has used MS since PDAs, who is going to notice?

          1. Anonymous Coward

            Re: Epic fail

            "then it is down to size of userbase and hence security professional interest."

            Some fairly reputable security professionals have taken an interest and said it's more secure than the competition - see the links above.

    2. Jeffrey Nonken

      Re: Epic fail

      The internal combustion engine itself is an unholy marriage of a perfume sprayer, a device for detecting disease, and a bombast.

  2. Your alien overlord - fear me

    Haven't had a security patch on my Nexus 5 since October last year. Not holding out hope. Fortunately I don't switch on Wi-fi unless my 4G connection is bad *and* I'm at home on my own wi-fi network.

  3. nagyeger

    Full list?

    Anyone know where there's a full list of affected / patched devices?

    Is this only on "top end" devices, or is this affecting 89.4356% of everything?

    This started as "patch iOS" and now it looks like it's 'unless you're on patched iOS, turn off wifi'

    1. ACZ

      Re: Full list?

      Just working my way through Gal's Project Zero article (which is absolutely excellent - do read it), he says when searching for possible vulnerabilities to exploit:

      "Broadcom provides many features which can be licensed by customers -- not all features are present on all devices"

      However...

      "Searching through my firmware repository I can see that the vast majority of devices do, indeed, support TDLS. This includes all recent Nexus devices (Nexus 5, 6, 6P) and most Samsung flagships.

      "What’s more, TDLS is specified as part of the 802.11z standard ..."

      So basically, if the Broadcom WiFi SoC is 802.11z compliant, his TDLS-based attacks will work on it.

      He hasn't given a list of all affected devices, but clearly "the vast majority of devices" isn't good news.

      Go read the article - it's absolutely excellent :)

  4. m0rt

    'Broadcom added that it is "considering implementing exploit mitigations in future firmware versions."'

    Oh. Jolly good.

    1. Dan 55 Silver badge

      This is a reason for Broadcom to make their drivers open source, but they never do. Either they think someone might steal some amazing proprietary industrial secret that gives them a competitive edge (like how to bitbang a chip in C, which has never been done before) or they're just plain embarrassed.

      1. theblackhand

        Open source ARM drivers

        Broadcom like the closed source driver model - no need for maintenance releases that most manufacturers would release anyway, and it provides a reason for next year's latest and greatest hardware, which is almost the same as the old hardware but with slightly better drivers...

  5. arthoss

    Cool hack!

    Drip-adding code is pretty cool

  6. Christopher Reeve's Horse

    At least...

    With vendors and carriers not providing updates for most phones, at least there's a handy mechanism available to write the patch into the device memory yourself?

    1. Anonymous Coward

      Re: At least...

      Have no fear, in the real world, most manufacturers DO patch devices. My wife's 12 month old Samsung got these wifi fixes 2 days ago in an OTA update for 6.0.1, my Nexus devices all got it yesterday in 7.12. But Shhhh, don't tell the "journalists", their livelihoods depend on pretending otherwise.

      1. Christopher Reeve's Horse

        Re: At least...

        You say 12 months old like that's somehow decrepit?

        If you bought a decent laptop (seeing as the prices are comparable) should you be 'proud' that it still gets security patches after only 12 months? You'd be raging if it didn't.

        I use a laptop that's around 8 years old, and it still gets OS updates. Why should we have radically different expectations for phones?

        The last time I bought a 'flagship' phone (Galaxy S3) it cost ~£500 and got 2 or 3 updates within a year and then nothing. And funnily enough, that WAS the last time I bought a flagship phone... There should be a recognisable certification that a device will receive timely updates for a minimum of 3 or perhaps even 5 years. That way I'd be more inclined to invest in a phone that I expected to last more than 12 months.

        1. jason 7

          Re: At least...

          Yeah it's like people saying "I don't know what those poor starving folks in Africa have to moan about, Waitrose had lobster for just £10 last week!"

          My 'flagship' LG G4 is about 18 months old and now classed as a dinosaur. It got about 5 updates. Last was 12th August 2016.

          The likes of HP/Dell Asus etc. can keep churning out BIOS updates and driver fixes for the dozens of models and products they produce for 3-4 years but Phone manufacturers struggle to go past 6 months.

          Laughable.

          1. Boris the Cockroach Silver badge

            Re: At least...

            Well, if you carried on supporting phones that were more than 12 months old, you'd never sell any new ones.

            Because I'm still quite happy pushing about a 5 yr old Galaxy S2.. it makes phone calls, it surfs the net, in short it still works. Why do I need to replace it? (Apart from the fact it's about as secure as a Swiss cheese and I know it.)

          2. Lord Elpuss Silver badge

            Re: At least...

            "The likes of HP/Dell Asus etc. can keep churning out BIOS updates and driver fixes for the dozens of models and products they produce for 3-4 years but Phone manufacturers struggle to go past 6 months."

            Only Androids struggle to go past 6 months. Apple is still supporting the nearly 6-year old iPhone 4S.

            1. Lord Elpuss Silver badge

              Re: At least...

              "...1 thumb down"

              You know it's true, so downvote all you like bitchezzzz :-DD

            2. asdf

              Re: At least...

              >Apple is still supporting the nearly 6-year old iPhone 4S.

              Almost makes up for supporting the first iPad for barely two years I suppose. Apple has a mixed record in this regard as well.

              1. Lord Elpuss Silver badge

                Re: At least...

                It's a question of perspective I guess - but given the ground they were breaking I consider it nothing less than a miracle of engineering that the Gen1 iPad had the 2-year lifecycle it did. Completely new product using untried technologies and interfaces*, being released into a market that didn't exist before it**, using a brand new operating system and developing an ecosystem (and business model) as it went along***.

                * No, the tablet PCs that went before the iPad don't count.

                ** The iPad created the 'Consumer Tablet' market - which was then swamped by a bunch of me-toos.

                *** Others had tried the walled garden before, but iPad brought it to the masses (and made Cupertino very rich indeed).

                1. asdf

                  Re: At least...

                  The other glaring example was Apple foisting the steaming pile of shit that was EFI32 onto 64 bit processors and chipsets and then refusing to support them past Mac OS X 10.7. Hell Linux and even Microsoft still support that hardware with security updates today more than 5 years after Apple stopped.

            3. Anonymous Coward

              Re: At least...

              You know it's nothing to do with android right? It's to do with the manufacturer. In your message you even confuse OS with OS vendor and hardware product.

              Nowt wrong with android if you buy a decent one, from a decent vendor. Given a decent one can be 1/3 the price of an iPhone, you could buy one every 18 months, throw the previous one in the bin and buy the latest model and still be quids in.

              1. Lord Elpuss Silver badge

                Re: At least...

                "Nowt wrong with android if you buy a decent one, from a decent vendor. Given a decent one can be 1/3 the price of an iPhone..."

                You can't buy an equivalent spec Android handset for 1/3 the price of an iPhone. Bear in mind that 'equivalent' means more than just the camera resolution or screen size.

                1. asdf

                  Re: At least...

                  Also this doesn't apply to me as I don't like dealing with people when I can avoid it, but the Apple humpers on here always remind everyone that you tend to be able to resell Apple 2nd hand for significantly more than Android.

          3. Outer mongolian custard monster from outer space (honest)

            Re: At least...

            Root it (trivial to do) and then reflash it with a newer ROM yourself. I'm running 7.1.1 on a Nexus 4 currently and it's snappy enough to not want to bother buying a new phone & I really like the inductive charging without having to faff round with conversion backs and dodgy add-on antennas that push on battery connections.

      2. LewisRage

        Re: At least...

        Mine hasn't had one for ages (LG G4) and I'm definitely running the affected SoC.

  7. James 29

    Pixel XL updated last night (now on 5th April Android patch level). Hope I'm OK!

    Good luck for all the peeps on landfill Android

    1. jacksmith21006

      This is the big plus on getting the Pixel. All these serious security flaws are being found by Google. The MS Edge and IE, Cloudbleed, cracking SHA1, etc.

      So with a Pixel you are going to get the most secure smartphone.

      1. Paul Woodhouse

        HAHA... I still have a Samsung Galaxy Nexus... s'been a cracking wee phone, I ain't whinging about it, suspect it's not gonna receive a patch though.

      2. asdf

        >So with a Pixel you are going to get the most secure smartphone.

        Edit: Was going to say not even most secure Android because can't put CopperheadOS but looks like you can. Most secure smartphone um sure keep believing that.

      3. TheVogon

        "So with a Pixel you are going to get the most secure smartphone."

        Not while it runs Android you are not...

    2. Captain Badmouth

      Android "Landfill"

      Perhaps they will bring out an update for android called "Landfill" instead of all those bubblegum etc. type names. More truthful.

      Made me laugh, have an upvote.

  8. gannett

    Item of interest

    I did wonder how "john" in Person of Interest took over phones just by being near them.

  9. Reader2435

    Drive-by or not drive-by?

    From the article's title: "drive-by Wi-Fi security hole"

    From the article: "an attacker simply needs to be within Wi-Fi range to silently take over an at-risk Apple or Android device"

    Also from the same article: "Published as a standard in 2011 and given Wi-Fi Alliance certification in 2012, TDLS lets devices exchange data as peers, without passing data through an access point, as long as they're both associated with the same access point"

    It seems the title and first quote are wrong - an attacker and victim have to be associated with the same access point. It's still a big issue of course... but not for devices on your home network that don't roam (assuming you secure your home net)...

    1. Huey

      Re: Drive-by or not drive-by?

      Agreed somewhat, but that's because the full blog explains why.

      From the article "So what about the other two vulnerabilities? Both of them relate to the implementation of Tunneled Direct Link Setup (TDLS)."

      There are more than just TDLS vulnerabilities but I think the author probably chose that attack vector as the others "require some set-up to get working. " and appeared to be supported by more devices as stated two of the features (802.11r FT & CCKM) weren't in the supported features list for the Nexus 6P.

      It is a great blog article even if it has some whoosh moments of complete lack of understanding from my part.

    2. Roland6 Silver badge

      Re: Drive-by or not drive-by?

      an attacker and victim have to be associated with the same access point. It's still a big issue of course...

      From reading the long blog, it would seem that the "drive by" aspect of the vulnerability is achieved by utilising either: the beacons WiFi clients have to send out to locate hidden SSIDs, thus the client tells me what the SSID of my fake AP needs to be, or I use SSIDs of common WiFi networks for my fake AP to broadcast and so capture clients who will auto-connect to known SSIDs. Both of which are traditional precursors to man-in-the-middle style attacks, for which the necessary tools are readily available.

      Once a client has connected to my fake AP, I can mount the TDLS attack.

      Naturally, I'm interested in the full exploit, namely using the TDLS attack to actually get something 'useful' off the compromised client system (remember, given TDLS is part of 802.11z, the client can be iOS, Android, Windows, MacOS, Linux etc...)

    3. wrangler

      Re: Drive-by or not drive-by?

      From the article: "an attacker simply needs to be within Wi-Fi range to silently take over an at-risk Apple or Android device"

      And doesn't the phone's Wi-Fi have to be currently enabled? I can't be the only one who usually has it disabled.

    4. diodesign (Written by Reg staff) Silver badge

      Re: Drive-by or not drive-by?

      "an attacker and victim have to be associated with the same access point"

      For this particular firmware bug, yes. So if you can't get on the same network as the victim, set up a free access point and lure them on. Bingo.

      C.

      PS: If you spot any errors, email corrections@theregister.co.uk.

  10. hellwig

    That's not how that works

    " to send video from a phone to a Chromecast without clogging up the rest of the network."

    It still consumes bandwidth, whether it consumes access point processor power or not. Or do they actually negotiate to a separate channel? And how do they determine that channel and how does it not conflict with other Wi-Fi networks that may be attached to separate access points?

    1. ACZ

      Re: That's not how that works

      http://standards.ieee.org/news/2011/80211z.html -

      "1. IEEE 802.11z reduces the number of times a packet gets transmitted over the air from 2 to 1."

      "3. If client devices are perhaps newer and capable of operating at data rates or in frequency bands not supported by the access point they can do so."

      :)

    2. Roland6 Silver badge

      Re: That's not how that works

      It still consumes bandwidth, whether it consumes access point processor power or not. Or do they actually negotiate to a separate channel? And how do they determine that channel and how does it not conflict with other Wi-Fi networks that may be attached to separate access points?

      The two clients use the established AP connection as a control channel and negotiate to use a totally different channel for the TDLS connection. Effectively, TDLS takes advantage of a client having multiple radios to use one for the AP connection and one (or more) other radios for the TDLS, hence it is possible for two devices to be connected via an 802.11g AP, yet use TDLS to directly connect via 802.11n using a set of 5GHz channels.

      The channels etc. used for the TDLS are determined by the two client devices listening to the ether and sharing results via the AP mediated connection...

  11. Rich 30

    This is why I moved to iPhone when the 7 came out - security. They really do seem to be about the best in terms of updates; no need for Google to make an update, then for the manufacturer to review, test and release it across their many devices.

    I like that Android do release a lot of software updates via PlayStore now, but it's not quite the same

    1. Roland6 Silver badge

      >This is why I moved to iPhone when the 7 came out - security.

      The iPhone7 seems to suffer from exactly the same problem: https://www.theregister.co.uk/2017/04/03/driveby_wifi_ithing_fix/

      The only reason the iPhone is potentially more secure than an Android device is, as you indicate, the closely coupled chain of control that any vendor who owns both the hardware and software and the update distribution channel can have, which if used effectively means fixes can be distributed in a more timely manner.
