iPhones, Samsung Phones Hit by Scary New Security Flaw
A devastating vulnerability known as BroadPwn can remotely compromise both Android and iPhones, and there's no easy fix.
It's time for bad news, good news and more bad news.
Bad news: A security researcher has discovered a devastating vulnerability, dubbed BroadPwn, that can remotely compromise both Android devices and iPhones. Good news: Google has already issued an Android patch that fixes the flaw. More bad news: There's no fix for iPhones available, and unless you have a Pixel or Nexus phone, your Android device is still vulnerable too.
Information on the vulnerability comes from two sources: an Android security bulletin from July 5 and an abstract on a presentation scheduled for the upcoming Black Hat security conference (July 26-27) by Israeli researcher Nitay Artenstein. The flaw affects Broadcom Wi-Fi chips, hence its name, and could allow malefactors to hijack phones without any input on the owner’s part.
The exact details of how the exploit works aren't available yet, but Artenstein and Google did provide a few hints. BroadPwn (or CVE-2017-9417, to use the official designation) takes advantage of the "mysterious, closed-source HNDRTE operating system," according to Artenstein's abstract. The flaw appears to affect Broadcom's BCM4354, 4358 and 4359 chips. A wide variety of phones use these chips to connect to Wi-Fi, including models from HTC, LG, Google, Samsung and Apple.
BroadPwn appears to be completely different from another Broadcom flaw, disclosed in April, that affected the Google Nexus 5, 6 and 6p, every iPhone since the iPhone 4 and most flagship Samsung phones. Apple (with iOS 10.3.1) and Google (with the April Android security bulletin) have patched the older flaw.
Google explained in the July Android security bulletin that BroadPwn could "execute arbitrary code within the context of the kernel," meaning that it could compromise a phone at the deepest level of software. Since you can't simply install an antivirus program for a Wi-Fi chipset the same way you can for a smartphone OS, the flaw could indeed be as devastating as Artenstein and Google suggested.
Apple has yet to issue any kind of statement on BroadPwn, which leaves many questions unresolved. It's not clear which iPhone models might be affected — most models since the iPhone 4 seem to use Broadcom chips — or whether Apple has already issued a patch. But the listed CVE number is not in Apple's three most recent iOS security bulletins, and given Apple's occasional tendency to drag its heels on security issues that it didn't discover itself, we'd give even odds that iPhones are not yet safe.
Furthermore, just because Google has issued an Android patch doesn’t mean that every Android phone will get it. Most phone manufacturers use slight variations on the Android OS for their handsets, and carriers then add additional modifications. When (or if) you get a BroadPwn patch will depend a lot more on Samsung, LG, Verizon and AT&T than it will on Google.
There's not much else you can do to protect yourself, since mobile antivirus software can’t prevent an attack at the level of a Wi-Fi chip. Google mentioned that it's not aware of the attack being used in the wild, so take solace that it's likely no one but Artenstein has figured out how to exploit it — yet. After Black Hat, all bets may be off.
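Because the fix ships through the monthly Android security bulletin, the one thing an owner or admin can actually verify is whether a handset's security patch level has reached the July 5, 2017 bulletin. The script below is an added example, not code from the article or from Google; it reads the real system property ro.build.version.security_patch over adb (assumed to be on PATH) and compares it with the bulletin date, and also runs on constructed sample values so it can be tried without a device.

```shell
#!/bin/sh
# Added example (not from the Tom's Guide article): check whether an Android
# device's security patch level is at or past the July 2017 bulletin that
# carries the BroadPwn fix (CVE-2017-9417). The bulletin date comes from the
# article; the patch level is the real property ro.build.version.security_patch,
# formatted YYYY-MM-DD. A passing check means the bulletin level was applied;
# it does not prove a carrier build actually included the Broadcom firmware fix.

BROADPWN_FIX_LEVEL="2017-07-05"

# Compare two YYYY-MM-DD strings. ISO dates order the same as the integers you
# get by dropping the dashes, so compare them that way.
# Prints "yes" if level >= fix, "no" if older, "unknown" if not a date.
patch_level_covers() {
    level="$1"
    fix="$2"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 2 ;;
    esac
    l=$(printf '%s' "$level" | tr -d '-')
    f=$(printf '%s' "$fix" | tr -d '-')
    if [ "$l" -ge "$f" ]; then
        echo "yes"
        return 0
    fi
    echo "no"
    return 1
}

# For a connected device: read the property over adb (assumes adb on PATH).
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    patch_level_covers "$level" "$BROADPWN_FIX_LEVEL"
}

# Constructed sample values standing in for getprop output from three phones:
# one on the July bulletin, one a month behind, one with no patch level set.
for sample in "2017-07-05" "2017-06-05" ""; do
    printf '%s -> %s\n' "${sample:-<empty>}" "$(patch_level_covers "$sample" "$BROADPWN_FIX_LEVEL")"
done
```

Run check_device with a phone attached and USB debugging enabled; a "no" or "unknown" result means the handset is still waiting on its manufacturer or carrier for the July patch.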

Marshall Honorof was a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.
