Have MAC, will hack: iThings have trivial-to-exploit Wi-Fi bug

iThing owners, do not skip iOS 11: it plugs a dead-easy-to-exploit drive-by Wi-Fi bug.

All an attacker needed to own a phone with a vulnerable Broadcom Wi-Fi chip was the target's MAC address, and exploit code running on a laptop.

As shown in this now-unsealed Google bug thread, this discovery by Gal Beniamini – very like one he warned about in April – was first raised in June as an out-of-bounds write.

The thread says an oversized value can be put in the unvalidated “Channel Number” field in code handling Wi-Fi neighbour responses. It's the large value that lets an attacker write to an address that should be inaccessible to it.

Beniamini posted his exploit to the still-private discussion on August 23, and the post went public a week after iOS 11 landed.

“The exploit has been tested against the Wi-Fi firmware as present on iOS 10.2 (14C92), but should work on all versions of iOS up to 10.3.3 (included)” the post states. “However, some symbols might need to be adjusted for different versions of iOS, see 'exploit/symbols.py' for more information.”

Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).

After that, it's child's play: “You can interact with the backdoor to gain R/W access to the firmware by calling the "read_dword" and "write_dword" functions, respectively.”

While it's not the same as the bug Beniamini discovered in April, his subsequent work (in a follow-up also written in April) warned that system-on-chip processors in smartphones are a huge and unaudited attack surface. ®