How the Broadpwn Wi-Fi Vulnerability Impacted a Billion iPhones and Android Phones

If you haven’t updated your iPhone or Android device lately, do it now. Until very recent patches, a bug in a little-examined Wi-Fi chip would have allowed a hacker to invisibly hack into any one of a billion devices. Yes, billion with a b.

A vulnerability that pervasive is rare, for good reason. Apple and Google pile millions of dollars into securing their mobile operating systems, layering on hurdles for hackers and paying bounties for information about vulnerabilities in their software. But a modern computer or smartphone is a kind of silicon Frankenstein, with components sourced from third-party companies whose code Apple and Google don’t entirely control. And when security researcher Nitay Artenstein dug into the Broadcom chip module that helps power every iPhone and most modern Android devices, he found a flaw that had the potential to completely undermine the expensive security of all of them.

Over the past few weeks, both Google and Apple have rushed to patch that bug, which Artenstein calls Broadpwn. Without that fix, it would have allowed a hacker who comes within Wi-Fi range of a target not only to hack a victim’s phone, but even to turn it into a rogue access point that would in turn infect nearby phones, quickly spreading from one device to the next in what Artenstein describes as the first Wi-Fi worm.

While the vulnerability is now patched (seriously, get that update), Artenstein says it also offers broader lessons about the fundamental security of our devices. The near-future of smartphone hacking may focus less on operating systems, says Artenstein, and more on insidious flaws in those peripheral components.

“We’re witnessing a process in which mainstream systems like the application processors running iOS or Android have become so hardened by undergoing intense security research that security researchers are starting to look into other directions,” says Artenstein, who presented his findings at the Black Hat security conference and in a subsequent WIRED interview. “They’re starting to look for that breach in the wall where exploitation still isn’t that difficult.” As hackers search for increasingly rare attacks that don’t require any interaction from users, like opening a malicious page in a browser, or clicking a link in a text message, they’ll focus on third-party hardware components like Broadcom’s chips, Artenstein says.

Artenstein, a researcher for the security firm Exodus Intelligence, says he has suspected for years that Broadcom’s Wi-Fi chip might offer new avenues into the guts of a smartphone. After all, the “kernel” of a modern phone—the core of its operating system—is now protected by measures like address space layout randomization, which randomizes where code sits in memory so a hacker can’t reliably predict the addresses an exploit needs, and data execution prevention, which stops hackers from planting malicious commands in data and tricking the computer into running them. They’re locked down tight.
