Researchers Andres Blanco and Matias Eissler from Core Security’s Core Impact team have uncovered a remotely exploitable vulnerability in Broadcom BCM4325 and BCM4329 wireless chipsets that could be leveraged by cybercriminals to launch a denial-of-service (DoS) attack.
According to advisories published by the United States Computer Emergency Readiness Team and Core Security, the vulnerability is caused by an out-of-bounds read error condition that exists in the chips’ firmware.
Apparently, an attacker sending an RSN (802.11i) information element can cause the WiFi NIC to stop responding.
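To illustrate the class of check whose absence leads to an out-of-bounds read when parsing an RSN element, here is an added example (not Broadcom's firmware code and not taken from the advisories) of a strict validator that checks every length and count against the bytes actually received. The field layout follows the IEEE 802.11 RSN element; the function names and the sample bytes are constructed for illustration, and the page does not say which field triggers the firmware flaw.

```c
#include <stddef.h>
#include <stdint.h>
#define RSN_EID 48u  /* RSN element ID in IEEE 802.11 */

/* Constructed sample: well-formed RSN element (CCMP group/pairwise, PSK AKM). */
const uint8_t rsn_sample_ok[] = { 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00 };

/* Read a little-endian 16-bit field only if it lies inside [*off, end). */
static int get_le16(const uint8_t *p, size_t *off, size_t end, uint16_t *out)
{
    if (end - *off < 2) return -1;
    *out = (uint16_t)(p[*off] | (p[*off + 1] << 8));
    *off += 2;
    return 0;
}

/* Skip a counted list of fixed-size entries, refusing counts that overrun. */
static int skip_list(const uint8_t *p, size_t *off, size_t end, size_t entry)
{
    uint16_t n;
    if (get_le16(p, off, end, &n) != 0) return -1;
    if ((size_t)n > (end - *off) / entry) return -1;  /* count vs. bytes left */
    *off += (size_t)n * entry;
    return 0;
}

/* Returns 0 if the RSN element in buf[0..avail) is well-formed, else -1. */
int rsn_ie_validate(const uint8_t *buf, size_t avail)
{
    uint16_t version, caps;
    size_t off = 2, end;
    if (avail < 2 || buf[0] != RSN_EID) return -1;
    end = 2 + (size_t)buf[1];
    if (end > avail) return -1;              /* declared length exceeds the frame */
    if (get_le16(buf, &off, end, &version) != 0 || version != 1) return -1;
    if (off == end) return 0;                /* fields after Version are optional */
    if (end - off < 4) return -1;            /* group cipher suite selector */
    off += 4;
    if (off == end) return 0;
    if (skip_list(buf, &off, end, 4) != 0) return -1;    /* pairwise suites */
    if (off == end) return 0;
    if (skip_list(buf, &off, end, 4) != 0) return -1;    /* AKM suites */
    if (off == end) return 0;
    if (get_le16(buf, &off, end, &caps) != 0) return -1; /* RSN capabilities */
    if (off == end) return 0;
    if (skip_list(buf, &off, end, 16) != 0) return -1;   /* PMKID list */
    /* Strict policy: only a 4-byte group management cipher may follow. */
    return (off == end || end - off == 4) ? 0 : -1;
}
```

A receiver that runs a check like this before touching any field drops a malformed element instead of reading past the end of the frame buffer.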
The flaw affects Apple, HTC, Samsung, Acer, Motorola, LG, Sony Ericsson and Asus products, including iPhone 4, iPod 3G, Xoom, Galaxy Tab, Nexus S, and Evo 4G. One interesting product that’s affected is the Ford Edge – yes, the car.
The experts notified Broadcom and, although there were some communication problems, the company eventually released an official statement saying that a patch has been developed.
“This DoS issue identified by CORE Security Technologies, which would require significant technical expertise to mount, could cause certain consumer electronics devices containing these chips to experience a transient WLAN service interruption as long as the DoS is active,” Broadcom representatives stated.
“During the service interruption, other phone/tablet features would be unaffected. The DoS issue does not in any way compromise the security of users' data. Broadcom has a patch available that addresses the issue and makes devices that include the BCM4325 and BCM4329 immune to a potential attack.”
Since many of the affected products are out of service, the patch will be provided to customers on a case-by-case basis.
“Broadcom has been working with our customers providing information and fixes as required and will continue doing so in response to address security and performance issues that may be identified,” Broadcom concluded its statement.
In the meantime, a technical description of the vulnerability and a proof-of-concept have been made available.