But indeed, only slightly. The title comes from a quote by the security researcher who discovered the bug. I'm guessing the lack of information is about whether or not anything has been done to patch the hole - my guess is that this bug, unless specifically protected against, affects the OS using the chip.
iOS does a lot to treat the networking stack and its third-party firmware code as untrusted, and limit its exposure as much as possible. So it sounds like the exploit can get to the Broadcom chip on iPhones but can’t pivot to the OS from there. Hooray for defense in depth!
> Artenstein has later confirmed on Twitter that connecting to a malicious network is not necessary.
> Users that didn't receive this month's Android security patch should only connect to trusted Wi-Fi networks and disable any "Wi-Fi auto-connect" feature, if using one.
Perhaps the auto-connect feature is what makes "connecting to a malicious network [not] necessary." It's easy to dismiss that second clause, but my guess is that it does some sort of network ping that opens itself up to the attack.
From what I can gather from a quick look at the 802.11e QoS spec* this is pretty much spot on. Many wireless clients (e.g. many phones) ping in order to discover networks faster than the access point's broadcast interval and to connect to 'hidden' APs that might not broadcast. In response, a malformed WME packet could be sent that the wireless chipset would listen to and parse.
> Users that didn't receive this month's Android security patch should only connect to trusted Wi-Fi networks
Turning off Wi-Fi before leaving home and office helps. Apparently few people do that. A customer in the tracking industry (beacons estimating people in stores) told me that about 80% leave Wi-Fi always on.
I hope I'll get that patch soon. The last update for my Sony phone was the security update of May. Nothing on June. I guess that most Androids didn't and won't get anything.
which means 20% don't, which is suspiciously high considering how much of a hassle it is to turn wifi on/off. then again, they could have unlimited data on their phones.
Is this an iPhone thing? Android phones have had access to all the important settings from the pull down menu for years, and most recently you've been able to add many of the less common settings like casting and NFC.
All of my Sony phones (Xperia Z and Z5) have had it as well as all of the Nexus phones I've tested on. I think maybe Samsung was the first to include it, but its standard now as far as I can tell on Android.
I'm involved in the tracking industry. Where it used to be 70% of people trackable with WiFi we are now seeing >90%. This is in large cities in wealthy European countries.
I'm not one hundred percent certain, but I'm not aware of any Sony phones using Broadcom chipsets? Every Sony phone I'm aware of uses Qualcomm or the like.
Every American phone (except the iphone) uses a Qualcomm SOC due to some anticompetitive practices on their part. That might be why it seems that way. I'm quite certain Sony makes a phone that doesn't but it's only sold in Europe or so.
Is this true? I'd always been under the (unsourced) assumption that the Wi-Fi radio was more power-efficient and it was better to use that than 3G/4G/LTE.
When you are using 3G/4G, and not connected to Wifi, your phone still checks all the Wifi accesspoints continuously. When you know for yourself you don't connect to an accesspoint on that location, there is no point in having your phone search for one. You can save on battery there.
A personal experience from me (anecdotal)... I was using Wifi from my cable provider that is available all over town. But that means when going into town, I am jumping from one accesspoint to another, sometimes with good and bad connections. My experience was that a battery charge didn't last that long. Disabling that accesspoint on my phone made the batterycharge last much longer.
... and IFTTT, Tasker, and any number of of automation apps that require the user to both be aware of and be bothered to set up correctly.
Developer preview 3 of Android O includes a great option in WiFi settings to automatically turn WiFi back on when you are in a location where you've connected to a 'high quality' WiFi network before (such as home or work), though I've not dug deep enough to find out what constitutes high quality, and it doesn't appear to be paired with a converse option to turn it off elsewhere.
I thought about mentioning Tasker and others, but those feel to me more like programming options with which you can achieve the goal, where Llama and some other apps are a bit more focused just on the question of wifi.
Same on Android. In fact Android has a Location-feature called "Scanning" that allows apps and services to detect wifi networks at any time, even if you have your wifi disabled. Meaning you can turn wifi off but it will randomly turn it back on to help increase location accuracy. This feature is on by default.
> The attacker doesn't need any user interaction to exploit the feature. A victim only needs to walk into the attacker's Wi-Fi network range.
> In its security bulletin, Google rated Broadpwn as a "medium" severity issue, meaning the company doesn't view it as a dangerous vulnerability, such as Stagefright.
Just guessing here but if it is true that you need to be connected to the rogue network for this flaw to be exposed, that could knock the severity down a notch. Like the difference between a pre-auth attack and an attack requiring authorized access.
> BCM43xx family of Wi-Fi chips included in "an extraordinarily wide range of mobile devices" from vendors such as Google (Nexus), Samsung, HTC, and LG.
It would be great if there were a published list of exactly which devices are vulnerable, or a way to check your device for whether this part was present. Is there anything like 'adb shell lspci' I could run to find out whether my devices have the broadcom parts? I know my Nexus 5x has a QCOM SoC, so I assume it lacks broadcom WiFi. But the rest of the family's devices -- what of those?
A lot of vendors have multiple designs hiding under the same model, either through time (e.g., PS3 and Xbox 360 each had something like 5 revisions with different chipsets, not all were accompanied by change in box design), or just sharding - iphone 6 had two different models at the same time (one broadcom and one qualcomm IIRC) because they couldn't or wouldn't source the quantities they needed from just one source.
iFixit is nice, but it is not an answer to the request made by GP (an answer to which would be useful).
There are always corner cases. Most phones definitely have the same chipsets, with the exact same parts.
If you are looking for details directly from the device there are various commands to get info like dmesg, getprop. There are other ways (recommended if you have time and patience), like going into /sys/devices, but I really believe it is very common to have same parts for a single mobile device (I think Apple did it because of production problems)
Samsung are pretty notorious for this. Most of their phones come in many different models for different markets, from a quick google, both the S7 and S7 Edge have 14 different variants each. Some have different CPUs, many have differing internal parts, etc. It's a minefield.
You know it affects Android but you only suspect it might affect iOS. That headline is misleading. "The researcher specifically points the finger at the Broadcom BCM43xx family of Wi-Fi chips included in "an extraordinarily wide range of mobile devices" from vendors such as Google (Nexus), Samsung, HTC, and LG." is missing one rather obvious vendor.
50 comments
[ 10.8 ms ] story [ 1504 ms ] threadThat slightly contradicts the headline.
> Users that didn't receive this month's Android security patch should only connect to trusted Wi-Fi networks and disable any "Wi-Fi auto-connect" feature, if using one.
What is the point of the second statement?
*I am definitely not deeply familiar with WME.
Turning off Wi-Fi before leaving home and office helps. Apparently few people do that. A customer in the tracking industry (beacons estimating people in stores) told me that about 80% leave Wi-Fi always on.
I hope I'll get that patch soon. The last update for my Sony phone was the security update of May. Nothing on June. I guess that most Androids didn't and won't get anything.
which means 20% don't, which is suspiciously high considering how much of a hassle it is to turn wifi on/off. then again, they could have unlimited data on their phones.
It's not a hassle at all. Pull down the notification shade, touch the wifi icon.
A personal experience from me (anecdotal)... I was using Wifi from my cable provider that is available all over town. But that means when going into town, I am jumping from one accesspoint to another, sometimes with good and bad connections. My experience was that a battery charge didn't last that long. Disabling that accesspoint on my phone made the batterycharge last much longer.
Developer preview 3 of Android O includes a great option in WiFi settings to automatically turn WiFi back on when you are in a location where you've connected to a 'high quality' WiFi network before (such as home or work), though I've not dug deep enough to find out what constitutes high quality, and it doesn't appear to be paired with a converse option to turn it off elsewhere.
https://www.reddit.com/r/Android/comments/3nrfa0/psa_wifi_sc...
We will know a lot more after @nitayart presents at BlackHat.
> In its security bulletin, Google rated Broadpwn as a "medium" severity issue, meaning the company doesn't view it as a dangerous vulnerability, such as Stagefright.
Wait, really?
It would be great if there were a published list of exactly which devices are vulnerable, or a way to check your device for whether this part was present. Is there anything like 'adb shell lspci' I could run to find out whether my devices have the broadcom parts? I know my Nexus 5x has a QCOM SoC, so I assume it lacks broadcom WiFi. But the rest of the family's devices -- what of those?
iFixit is nice, but it is not an answer to the request made by GP (an answer to which would be useful).
If you are looking for details directly from the device there are various commands to get info like dmesg, getprop. There are other ways (recommended if you have time and patience), like going into /sys/devices, but I really believe it is very common to have same parts for a single mobile device (I think Apple did it because of production problems)
[1] http://techbeasts.com/list-of-samsung-galaxy-s7-s7-edge-mode...
Broadpwn is another serious Broadcom WiFi security bug, different from the bugs patched when Google Project Zero revealed their research in April.
Given apples history with wifi exploits there is a reasonable chance they are vulnerable.