Apple, Google Patch Critical Wi-Fi Flaw; Other Phones Screwed
There’s normally a lot you can do to protect yourself from phone hackers, whether it’s avoiding suspicious links online or installing antivirus software.
They can't tell that the guy standing behind them has just hacked their smartphones. Credit: Monkey Business Images/Shutterstock
That’s not the case with a new vulnerability that affects the ubiquitous Broadcom mobile Wi-Fi chips. A very dedicated and skilled hacker could theoretically compromise any vulnerable phone logged into the same Wi-Fi network as the hacker.
Apple devices are safe as long as they update to iOS 10.3.1, and Google Nexus and Pixel phones if they install this month's Android security patch (both released Monday), but most Android users will either have to wait a while, or develop other methods to protect themselves.
Vulnerable phones include Google's Nexus 5, 6 and 6P, most high-end Samsung phones, and every iPhone since the iPhone 4. While some of these devices (such as the iPhone 5 and later and the Nexus 6 and later) can already be patched, other Android devices — particularly Samsung's, but likely other manufacturers' as well — remain vulnerable for now, and many will never be patched.
What To Do
First and foremost: To protect yourself from this flaw, ensure that you have the latest system software installed on your phone. Supported Apple and Nexus phones can already receive the patches, but their owners will have to authorize the updates.
If you've got an iPhone 4 or 4s or a Nexus 5 , you're out of luck — as those handsets are no longer supported, they will almost certainly never receive this patch. (Google did not list the Nexus 5X, which is still supported, as eligible for the patch. We've heard that that handset uses a Qualcomm rather than a Broadcom Wi-Fi chipset, so it may not be affected by this flaw. We're asking Google for more information.)
Other handset manufacturers will be scrambling to release patches. When those patches are ready, simply downloading and installing the updates should be enough to head this vulnerability off at the pass.
However, if you have a phone that doesn’t run stock Android, then you’re probably reliant on your wireless carrier for security updates, and wireless carriers tend to drag their heels — not least because they have to work out the kinks for each and every Android patch with each handset manufacturer that they buy devices from. And if your Android phone is more than 2 years old, it's unlikely that you'll receive a patch this flaw.
In that case, the simplest way to protect yourself is to disable Wi-Fi whenever you're not on a known network. Using your home or office Wi-Fi is probably not dangerous, since they're probably secured with a password and (at least in theory) you know everyone using them. Some phones can be set up so that Wi-Fi automatically switches off when you get out of range of a specific network.
The real danger comes from unsecured or public Wi-Fi networks, which can be used as part of an old hacker trick. If a malicious Wi-Fi hotspot has a commonly used network name — such as "LINKSYS", or "ATT Free Wi-Fi" — your phone will automatically connect to it as long as the phone has connected to a network with the same name in the past. Once you're connected, a hacker could exploit the Broadcom vulnerability and take over your phone completely.
To avoid unsecured Wi-Fi networks (which provide a whole host of problems beyond just proof-of-concept Broadcom flaws), access your Wi-Fi settings and selected Saved Networks. Then, instruct your phone to Forget anything that’s not a private, secured, known network that you use on a daily basis.
How It Works
The potentially devastating flaw was explained by Gal Beniamini, a researcher at Google’s Project Zero security initiative. In a blog posting yesterday (April 4), Beniamini describes, in exhaustive detail, how almost any phone with a Broadcom Wi-Fi chip could be compromised by his intricate exploit, and made to run malicious code.
The Broadcom vulnerability itself requires fairly deep knowledge of Wi-Fi chipsets to understand, let alone replicate. Still, in simple terms, Beniamini developed a way to attack the firmware on Broadcom's system-on-chip Wi-Fi.
Beniamini caused a stack buffer overflow, meaning he was able to make the chip try to record information in excess of its allotted memory. By transmitting data to the chip and arbitrarily rewriting values, he was able to take over the device’s RAM piece-by-piece, until he had enough computing power at his disposal to execute remote code.
If that sounds like a gross oversimplification, it is; the first of two blog posts explaining the process is almost 9,000 words long. Still, if Beniamini could do it, there’s likely at least one cybercriminal out there who could, too.
Beniamini had harsh words for Broadcom, claiming that its chip "lacks all basic exploit mitigations." Broadcom told Beniamini that its future chips will provide more security, both in terms of hardware and firmware.
In the meantime, it'll be up to phone manufacturers and wireless carriers to keep users safe — something that, apart from Apple and Google, they have a decidedly mixed record of doing.