Remotely Compromising Android and iOS via a bug in Broadcom's WI-FI Chipsets

387 points by pedro84, almost 8 years ago

13 comments

thomastjeffery, almost 8 years ago
Why does Broadcom insist on proprietary drivers?

How could it possibly be detrimental for Broadcom to have free software drivers?

This article is a poignant example that it *is* detrimental for them to continue to keep their drivers proprietary.
Animats, almost 8 years ago
C's lack of array size info strikes again:

    memcpy(current_wmm_ie, ie->data, ie->len);

where "ie" points to data obtained from the net.
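An added example, not part of the comment above and not Broadcom's code: the length checks that the quoted `memcpy` does not perform, applied while walking the id/length/data elements of a received frame. It goes slightly beyond the single quoted line by also rejecting elements that run past the end of the frame. The function name `copy_wmm_ie`, the 44-byte destination size and the sample frame are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_VENDOR      221  /* 802.11 vendor-specific element ID */
#define WMM_IE_BUF_LEN 44   /* assumed destination size, for illustration */

static const uint8_t WMM_OUI_TYPE[4] = {0x00, 0x50, 0xf2, 0x02};

/*
 * Walk the id/len/data elements in `frame` and copy the body of the first
 * WMM element into dst. Returns bytes copied, 0 if no WMM element is
 * present, or -1 if an element is truncated or does not fit in dst.
 */
int copy_wmm_ie(uint8_t *dst, size_t dst_len,
                const uint8_t *frame, size_t frame_len)
{
    size_t off = 0;

    while (frame_len - off >= 2) {            /* room for id + len */
        uint8_t id  = frame[off];
        size_t  len = frame[off + 1];         /* sender-controlled, 0..255 */
        const uint8_t *body = frame + off + 2;

        if (len > frame_len - off - 2)        /* body runs past the frame */
            return -1;

        if (id == IE_VENDOR && len >= sizeof WMM_OUI_TYPE &&
            memcmp(body, WMM_OUI_TYPE, sizeof WMM_OUI_TYPE) == 0) {
            if (len > dst_len)                /* bound missing from the quoted memcpy */
                return -1;
            memcpy(dst, body, len);
            return (int)len;
        }
        off += 2 + len;                       /* next element */
    }
    return off == frame_len ? 0 : -1;         /* trailing partial header */
}

int main(void)
{
    /* Constructed frame: one WMM element declaring a 255-byte body. */
    uint8_t frame[2 + 255] = {IE_VENDOR, 255, 0x00, 0x50, 0xf2, 0x02};
    uint8_t dst[WMM_IE_BUF_LEN];
    return copy_wmm_ie(dst, sizeof dst, frame, sizeof frame) == -1 ? 0 : 1;
}
```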
yifanlu, almost 8 years ago
The article mentions

> Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets, which allows for code execution on the main application processor in both Android and iOS.

But it doesn't go into any details on how this privilege escalation actually works for iOS and more specifically that it doesn't require additional exploits. Can anyone explain this in more detail? If this actually allows code execution on iOS application processor, that means we have a jailbreak right?
swerner, almost 8 years ago
Fortunately, this is being addressed in software updates. Unfortunately, people who own older devices are left with the vulnerability forever. The iPhone 4S alone sold ~60 million units (according to Wikipedia) and did not (and most likely will not) receive any updates.
shock, almost 8 years ago
This is kind of scary :(. How does one ensure that they aren't vulnerable to this bug?
nyolfen, almost 8 years ago
i've been hearing people complain about the seriousness of this attack vector for years. i'd be surprised if there weren't intelligence agencies that have utilized it already.
samat, almost 8 years ago
Could someone please explain:

1) Is firmware stored on the Wifi chip, or rather loaded during the boot process?

2) Do Apple/Google have a binary image from Broadcom, or rather source code?

It is quite interesting how this patch production/delivery process works.
IshKebab, almost 8 years ago
How long until someone unleashes this? There are going to be millions of vulnerable Android phones for at least a couple of years to come. Surely it will happen.
mangix, almost 8 years ago
I do wonder why most mobile chips are broadcom. There's decent competition from Qualcomm atheros and mediatek.
cpach, almost 8 years ago
If anyone wonders, this was patched in iOS 10.3.3 https://threatpost.com/apple-patches-broadpwn-bug-in-ios-10-3-3/126955/
rca, almost 8 years ago
http://boosterok.com/blog/broadpwn/ shows a simple check using hostapd to see if a device is vulnerable
amazingman, almost 8 years ago
I already updated my phone. Is the iOS update that patches this available over a cell network? If not, as is usually the case, isn't that Not Good?
anon4728, almost 8 years ago
Proprietary drivers, firmware blobs *and ASICs* are a national security threat. Without open code reviews, auditing and functional verification it's impossible to trust there are both a minimum of exploitable bugs and/or backdoors in a given software-hardware stack. This may require some sort of confidentiality rubric but there's no shortcut to getting around this vital need.