Google publishes attack code for wi-fi bug on iPhone 7
- 27 September, 2017 02:24
Following Apple’s iOS 11 release, which fixed a set of serious bugs in its Broadcom wi-fi chip, a Google security researcher has published an exploit for the flaw.
The exploit would allow an attacker in wi-fi range to take control of the wi-fi chip used on an iPhone 7. Project Zero researcher Gal Beniamini published attack code on Monday in accordance with the group’s 90-day disclosure policy.
Apple released iOS 11 a week ago with fixes for a bug tagged as CVE-2017-1121, one of several wi-fi bugs Beniamini reported. Once his exploit had executed, Beniamini was able to insert a backdoor into the Broadcom chip’s firmware, allowing remote read and write commands to be issued to the firmware, “thus allowing easy remote control over the Wi-Fi chip”.
He only tested the exploit on the wi-fi firmware in iOS 10.2 but says it should work on all versions up to iOS 10.3.3. iOS 11 neutralizes the threat.
Similar to the Broadpwn bugs revealed earlier this year, this bug affects a range of wi-fi enabled devices.
Though his exploit is for iOS, the vulnerability was also present in Samsung’s Galaxy S7 Edge.
Google patched the bug in the full Android September patch level, labelling it a critical bug in the wi-fi driver. Samsung does not list the CVE as being fixed in its September Android update for Galaxy phones.
Apple, however, fixed it in the latest version of tvOS for Apple TV. There are several more wi-fi fixes credited to Beniamini in the watchOS update with a similar impact.
A memory corruption issue in watchOS meant that “malicious code executing on the Wi-Fi chip may be able to execute arbitrary code with kernel privileges on the application processor”.
The raft of wi-fi driver bugs reported by Beniamini follows criticism over Control Center in iOS 11, which doesn’t actually turn Bluetooth or wi-fi off when they’re toggled off in that screen. Toggling off wi-fi leaves auto-join on for nearby wi-fi networks, while Bluetooth is still available for things like Apple Watch and Hotspot, Apple notes in a support page. Actually turning them off requires adjusting Settings for the two radios.
It followed the recent disclosure of the so-called Blueborne bugs that affected the Bluetooth stack in Android, an earlier version of iOS, Windows and some Linux distributions. Until patches were released, users were advised to disable Bluetooth. Similarly, devices affected by Broadpwn should have disabled wi-fi auto-join until they were patched.