Behind the scenes of Apple’s latest security update and what it has to do with Google and Broadcom
Early last week Apple released iOS 10.3.1, a security update to patch a critical vulnerability in apple device’s Wi-Fi mechanism. A day later, a post by a Google’s Project Zero researcher gave some more background on this vulnerability. Yes, the same vulnerability affects mobile devices, whether iOS or Android.
So, what is it about? Why is it critical, and why does it affect both platforms? Well, the vulnerability resides in a widely-used Wi-Fi SoC (system-on-chip) chipset manufactured by Broadcom and used in both iOS and Android devices. To demonstrate its wide distribution, a partial list of devices which make use of this SoC includes the Nexus 5, 6 and 6P, most Samsung flagship devices, and all iPhones since the iPhone 4.
As the research outlines, this vulnerability, turned into an exploit, allows an attacker to remotely gain code execution on the chip. Leveraging this ability, the attacker can further elevate privileges from the SoC into the operating system’s kernel. Chaining the two together, the attacker will gain full device takeover by “Wi-Fi proximity alone, requiring no user interaction”, as the research indicates.
Looking at more in-depth technical details, the vulnerability can be exploited by causing a Heap overflow in TDLS (Tunneled Direct Link Setup) Teardown Request. A proof-of-concept exploit that was developed by the Project Zero researcher uses Wi-Fi frames that contain irregular values. The values, in turn, cause the firmware running on Broadcom’s wireless SoC to overflow its stack. By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks, the attack can overwrite specific regions of device memory with arbitrary shellcode. The proof-of-concept code does nothing more than write a benign value to a specific memory address. Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point.
Given the severity of the vulnerability, users with affected devices should install a patch as soon as it’s available. For those with vulnerable iPhones, that’s easy enough, as Apple indeed published the update last week, while Google is in the process of releasing an update in its April security bulletin. This fix is available only to a select number of android device models, and even then, it can take two weeks or more to be available as an over-the-air update to those who are eligible.
Currently, it’s not clear if there are effective workarounds available for vulnerable devices. Turning off Wi-Fi is one possibility.
Security admins who are concerned about possible breaches in their mobile users’ fleet can utilize Kaymera’s mobile threat defense solution, which alerts vulnerable devices, and remediates immediately when possible.
Contributed by Effi Goldstein, VP Products