The discovery was made by Google's Project Zero team

Apr 5, 2017 01:06 GMT  ·  By

Security researchers from Google's Project Zero have discovered a sophisticated and nasty bug affecting Wi-Fi chips from Broadcom, a supplier that provides Wi-Fi hardware for iPhones, Nexus phones and Samsung devices.

According to Gal Beniamini, the Project Zero researcher who wrote the detailed blog post on the exploit, by chaining together a series of exploits an attacker could perform a full device takeover via Wi-Fi proximity alone, requiring no user interaction. In plain terms, if you're on the same Wi-Fi network as the attacker, such as a public hotspot, they could quietly compromise your device without you even knowing.

The demonstration was made on a Nexus 6P, but the problem affects all devices running on Broadcom Wi-Fi SoCs, including the Nexus 5 and 6, most Samsung flagship devices, and all iPhones since the iPhone 4. Broadcom has already been notified and collaborated with Google on fixing the problem, while also making fixes available to affected vendors.

Fixes rolling out

Apple has already issued a patch fixing the problem in its most recent update (10.3.1, which you should install as soon as possible). "An attacker within range may be able to execute arbitrary code on the Wi-Fi chip," Apple notes in its security advisory. The problem is so dire that Apple pushed the new update just one week after the previous one.

"We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations - including stack cookies, safe unlinking and access permission protection (by means of an MPU)," writes Beniamini. "Broadcom has informed me that newer versions of the SoC utilize the MPU, along with several additional hardware security mechanisms. This is an interesting development and a step in the right direction. They are also considering implementing exploit mitigations in future firmware versions."