BlackBerry Blog

Broadpwn: The Mobile Exploit for Android and iPhones

FEATURE / 08.16.17 / Kim Crawley

I'm willing to bet that you possess at least one device that's either an iPhone or an Android phone. If my statement doesn't apply to you, you're definitely in a very small minority. If it does, you should be concerned about this recently discovered exploit.

We can thank security researcher Nitay Artenstein for his discovery, which he presented at Black Hat USA 2017 on July 27. He discovered a bug, which he named Broadpwn, affecting Broadcom Wifi chipsets, which appear in iPhones and in Android phones under the Samsung Galaxy, HTC, LG, and Nexus brands.

Malware can target the vulnerabilities in the Wifi chips themselves with little interaction with the phone's operating system, which is what makes the exploit cross-platform. To protect yourself against it, make sure your device has been updated to iOS 10.3.3 or has received Android's recent security patch, which was released on July 5.
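As an added example (not part of the article), the patch-level check the paragraph recommends, written as a small fleet audit: iOS devices must be on 10.3.3 or later and Android devices must report a security patch level of 2017-07-05 or later. The inventory records are constructed; the Android date is assumed to come from the device's ro.build.version.security_patch property.

```python
from datetime import date

# Minimum fixed versions as stated in the article.
IOS_FIXED = (10, 3, 3)
ANDROID_PATCH_FIXED = date(2017, 7, 5)


def parse_ios_version(version: str) -> tuple:
    """Turn '10.3.3' into (10, 3, 3); missing components count as 0 ('11' -> (11, 0, 0))."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_android_patch(level: str) -> date:
    """Android's ro.build.version.security_patch property is a 'YYYY-MM-DD' string."""
    year, month, day = (int(x) for x in level.strip().split("-"))
    return date(year, month, day)


def is_patched(platform: str, value: str) -> bool:
    """True when the device meets the fixed version/patch level for its platform."""
    if platform == "ios":
        # Tuple comparison handles multi-digit components correctly (10.10 > 10.3.3).
        return parse_ios_version(value) >= IOS_FIXED
    if platform == "android":
        return parse_android_patch(value) >= ANDROID_PATCH_FIXED
    raise ValueError(f"unknown platform: {platform}")


def unpatched_devices(inventory) -> list:
    """Return the ids of devices that still need the Broadpwn fix."""
    return [d["id"] for d in inventory if not is_patched(d["platform"], d["patch"])]


# Constructed sample inventory (hypothetical device ids).
INVENTORY = [
    {"id": "phone-01", "platform": "ios", "patch": "10.3.3"},
    {"id": "phone-02", "platform": "ios", "patch": "10.3.2"},
    {"id": "phone-03", "platform": "android", "patch": "2017-07-05"},
    {"id": "phone-04", "platform": "android", "patch": "2017-06-05"},
    {"id": "phone-05", "platform": "android", "patch": "2017-08-05"},
]

if __name__ == "__main__":
    print("needs patching:", unpatched_devices(INVENTORY))
```

On Android the patch level only shows that the platform update was installed; whether the vendor's build actually carried the Broadcom firmware fix still has to be confirmed with the device maker.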

How It Works

If a user's device is attacked through the Broadpwn exploit, they won't know about it. Their device won't crash or reboot, and it will continue to behave normally as far as a user can determine. The user is unlikely to find any malicious files related to the exploit on their device, and they certainly won't see any new apps or any changes in their settings.

Broadpwn silently enables malicious attackers to take over a target's iPhone or Android phone, in the same way carbon monoxide can kill while having an unnoticeable presence. That's why my home and office have carbon monoxide detectors, and that's also why you should apply the most recent security patches to your phone as soon as possible.

Artenstein says that as time moves on, smartphone cyberattackers may focus less on specific operating systems like iOS and Android, and more on the specific networking components that are common across computing platforms and device manufacturers, broadening their attack surface.

"We’re witnessing a process in which mainstream systems like the application processors running iOS or Android have become so hardened by undergoing intense security research that security researchers are starting to look into other directions. They’re starting to look for that breach in the wall where exploitation still isn’t that difficult," Artenstein said in an interview with WIRED magazine.

The Future of Mobile Cyberattacks

Cyberattacks on iOS and Android devices are becoming a greater challenge because of kernel-level security features like address space layout randomization. Address space layout randomization places code and data at unpredictable locations in memory, so attackers can no longer rely on fixed addresses when targeting a device.

Another kernel-level security feature, data execution prevention, makes it a lot more difficult for attackers to execute malicious code on a user's device. In other words, mobile phone manufacturers are building more security features into their products before they even go to market, which is a great step forward in protecting consumers.

That said, Artenstein anticipates that more sophisticated cyberattacks will avoid mobile operating systems altogether and go straight for components such as Broadcom Wifi chipsets.

Artenstein compares attacking mobile operating systems with exploits like Broadpwn in a report for Exodus Intelligence:

“The main difficulty in writing a remote exploit is that some knowledge is needed about the address space of the attacked program. The other difficulty is that mistakes are often unforgivable: in a kernel remote exploit, for instance, any misstep will result in a kernel panic, immediately alerting the victim that something is wrong – especially if the crash is repeated several times.

In Broadpwn, both of these difficulties are mitigated by two main lucky facts:

First, the addresses of all the relevant structures and data that we will use during the exploit are consistent for a given firmware build, meaning that we do not need any knowledge of dynamic addresses – after testing the exploit once on a given firmware build, it will be consistently reproducible.

Second, crashing the chip is not particularly noisy. The main indication in the user interface is the disappearance of the Wifi icon, and a temporary disruption of connectivity as the chip resets.”

So the cat-and-mouse game of cyberattackers versus security researchers has now moved to specific platform-independent mobile device components, and with good reason.

Fortunately, Broadpwn can be fixed by patching your iOS and Android devices. Will future mobile component exploits be that simple to protect against?


About Kim Crawley

Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance or BlackBerry Ltd.