Gal Beniamini, a security researcher with Google Project Zero, has discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips and is hell easy to exploit.
This flaw is similar to the one Beniamini discovered in the Broadcom WiFi SoC (Software-on-Chip) back in April, and BroadPwn vulnerability disclosed by an Exodus Intelligence researcher Nitay Artenstein, earlier this summer. All flaws allow a remote takeover of smartphones over local Wi-Fi networks.
The newly discovered vulnerability, which Apple fixed with its major iOS update released on September 19, could allow hackers to take control over the victim's iPhone remotely. All they need is the iPhone's MAC address or network-port ID.
And since obtaining the MAC address of a connected device is easy, the vulnerability is considered a serious threat to iPhone users.
Beniamini informed WiFi chip maker Broadcom and privately reported this vulnerability in Google's Chromium bug-reporting system on August 23.
Now, following iOS 11 release, Beniamini published a proof-of-concept (PoC) exploit for the flaw to demonstrate the risks this flaw could pose on iPhone users.
Beniamini says the flaw exists on Broadcom chips running firmware version BCM4355C0, which is not only used by iPhones but also used by a large number of other devices, including Android smartphones, the Apple TV and smart TVs.
Once his exploit executes, Beniamini was able to insert a backdoor into Broadcom chip's firmware, which allowed him to remotely read and write commands to the firmware, "thus allowing easy remote control over the Wi-Fi chip."
Once all done, "you can interact with the backdoor to gain R/W access to the firmware by calling the "read_dword" and "write_dword" functions, respectively."
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
The researchers tested his exploit only against the Wi-Fi firmware in iOS 10.2 but believe the exploit should also work on all versions of iOS up to 10.3.3.
"However, some symbols might need to be adjusted for different versions of iOS, see 'exploit/symbols.py' for more information," Beniamini writes.
Since there is no way to find out if your device is running the firmware version BCM4355C0, users are advised to update iPhones to iOS 11. Apple has also patched the issue in the most recent version of tvOS.
Also, Google has addressed this issue on Nexus and Pixel devices, as well as Android devices earlier this month. However, Android users are required to wait for their handset manufacturers to push out the updates on their devices.