Pretty interesting development in the security world. For a while now researchers/hackers have been examining subcomponents in computers/phones that heretofore have been thought to be just pieces of hardware with no vulnerability. Up to now the focus has always been to break the operating system and have it do something on behalf of a third party. This latest breach, however, successfully goes after a WiFi controller inside countless iPhones and Android phones by Broadcom (leader in wireless silicon such as Wifi and Bluetooth).
Like many subcomponents these days, processors have been put in them which execute software. By examining the leaked source code for this processor, a bug was found that allows the capability to make it do anything from another Wifi device. The last step of causing the WiFi controller to control the operating system was not done but it seems pretty feasible.
FYI there are even attempts to go after mundane things like the analog-to-digital converter which exists in every phone and computer! The idea would be through radio frequencies to cause it to do things it would normally not do. One example would be to create an audio sequence that triggers a bug in some audio player and with it, take control of the machine. No longer would you click on an audio file sent to you to take over your machine! This one is a long way from being there but the level of scrutiny of computer/phone components is unprecedented. And it is taking the manufacturers of these components by surprise because they have not had to worry about such things before.
Make sure you update your phones. My update from Samsung came yesterday for my S8+. Be sure to do this as I am sure countless hackers are going after this now they know it can be done.
-------
https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/
IF YOU HAVEN'T updated your iPhone or Android device lately, do it now. Until very recent patches, a bug in a little-examined Wi-Fi chip would have allowed a hacker to invisibly hack into any one of a billion devices. Yes, billion with a b.
[...]
Over the last weeks, both Google and Apple have rushed to patch that bug, which Artenstein calls Broadpwn. Without that fix, it would have allowed a hacker who comes within Wi-Fi range of a target not only to hack a victim's phone, but even to turn it into a rogue access point that would in turn infect nearby phones, quickly spreading from one device to the next in what Artenstein describes as the first Wi-Fi worm.
[...]
Broadpwn
Artenstein, a researcher for the security firm Exodus Intelligence, says he has suspected for years that Broadcom's Wi-Fi chip might offer new avenues into the guts of a smartphone. After all, the "kernel" of a modern phone—the core of its operating system—is now protected by measures like address space layout randomization, which randomizes code's location in memory to prevent a hacker from being able to exploit it, and data execution prevention, which prevents hackers from planting malicious commands in data to trick a computer into running them. They're locked down tight.
But Broadcom's Wi-Fi controllers have no such protections. And they're found across manufacturers and operating systems, from the latest Samsung Galaxy devices to every single iPhone. "Obviously, this is a much more interesting attack surface," Artenstein said in his Black Hat talk. "You don’t have to repeat your work. If you find one bug, you can use it plenty of places."
So about a year ago, Artenstein began the painstaking process of reverse-engineering the obscure firmware of Broadcom's chips. He was aided, he says, by an unexpected leak of the company's source code he found on Github, which Artenstein suspects was accidentally published by one of Broadcom's partners. And as he dug through the code, he quickly found opportunities for trouble. "If you look at these systems you find bugs like you used to in the good old days," Artenstein said.
He eventually spotted one crucial bug in particular, hidden in Broadcom's "association" process, which allows phones to search for familiar Wi-Fi networks before they connect to one. One part of the beginning of that handshake process didn't properly constrict a piece of data sent to it by the Wi-Fi access point back to the chip, a bug known as a "heap overflow." With a carefully crafted response, the access point could send data that corrupts the module's memory, overflowing into other parts of the memory to run as commands.
"You malform it in a special way that gives you the power to write anywhere in memory," Artenstein explains. That sort of overflow is vastly harder to exploit when a hacker is remotely attacking randomized, protected memory of modern operating systems, but worked perfectly in the memory of Broadcom's Wi-Fi module on smartphones. "It’s a pretty special bug," Artenstein says.
Because the flaw existed in the part of the Broadcom code that handles automatic communications between the phone and an access point, the entire process of taking over a Wi-Fi chip could occur without the user noticing anything at all amiss. To make matters worse, the attack could repurpose the Wi-Fi chip as an access point itself, broadcasting the same attack to any vulnerable phones within range to exponentially spread through the smartphone world.
Artenstein notes, however, that he didn't go so far as to write the part of the attack that would spread from the Wi-Fi chip to the phone's kernel, though he believes that final step would be possible for motivated hackers. "For a real attacker with resources, it would not be an issue," Artenstein says.
Google pushed out an update for Android phones in early July, and Apple followed with an iOS fix last week, well before Artenstein revealed the full details of his findings in a blog post Wednesday.
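The article describes the bug class without showing code: a length field supplied by the access point was used as a copy size into a fixed buffer in the chip's heap. The example below is added here and is not Broadcom's firmware or anything from the article; the element ID 0xAA, the 16-byte record, and the frames are all constructed. It puts the unchecked copy next to a parser that enforces both the frame boundary and the destination capacity, which is the check whose absence the article calls a heap overflow.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size record for one parsed 802.11 information element
 * (tag, length, body). Sizes are constructed for this example only. */
#define BODY_CAP 16
typedef struct {
    uint8_t id;
    uint8_t len;
    uint8_t body[BODY_CAP];
} element_t;

/* Vulnerable pattern: the length byte comes straight from the peer's frame
 * and is trusted as the copy size. If len > BODY_CAP the memcpy writes past
 * the record into neighbouring heap memory. Shown for contrast only; never
 * call it on untrusted input. */
void parse_element_unchecked(const uint8_t *frame, element_t *out) {
    out->id = frame[0];
    out->len = frame[1];
    memcpy(out->body, frame + 2, out->len);
}

/* Hardened version: validate before copying a single byte.
 * Returns 0 on success, -1 if the element claims more bytes than the frame
 * holds (truncated/oversized length), -2 if it would not fit the record. */
int parse_element_checked(const uint8_t *frame, size_t frame_len, element_t *out) {
    if (frame_len < 2) return -1;                 /* no room for tag + length */
    size_t len = frame[1];
    if (len + 2 > frame_len) return -1;           /* runs past end of frame   */
    if (len > BODY_CAP) return -2;                /* fits frame, not the heap */
    out->id = frame[0];
    out->len = (uint8_t)len;
    memcpy(out->body, frame + 2, len);
    return 0;
}

/* Constructed test frames. */
static const uint8_t benign[]    = { 0xAA, 4, 1, 2, 3, 4 };      /* well-formed   */
static const uint8_t oversized[] = { 0xAA, 0xFF, 1, 2, 3, 4 };   /* len > frame   */
static const uint8_t fits_frame_not_dest[34] = { 0xAA, 32 };     /* len > BODY_CAP */

int main(void) {
    element_t e;
    parse_element_unchecked(benign, &e);          /* safe only because input is benign */
    printf("benign=%d oversized=%d too_big=%d\n",
           parse_element_checked(benign, sizeof benign, &e),
           parse_element_checked(oversized, sizeof oversized, &e),
           parse_element_checked(fits_frame_not_dest, sizeof fits_frame_not_dest, &e));
    return 0;
}
```

The two rejection codes matter separately: a length that overruns the frame is a malformed packet, while one that fits the frame but not the record is exactly the shape of input a fixed-size heap allocation must refuse.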