Project Zero uncovers a nasty Wi-Fi chip exploit

Google’s Project Zero has been on a roll lately, unveiling sophisticated bugs in Cloudflare, LastPass and now Broadcom, a Wi-Fi chip supplier whose product is found in iPhones, Nexuses and Samsung devices.

Apple patched the bug yesterday in a security update (10.3.1; if you’re an Apple customer, install it right away), and Project Zero researcher Gal Beniamini explained the exploit in detail in a blog post today.

“An attacker within range may be able to execute arbitrary code on the Wi-Fi chip,” Apple said in its security update notes. This is not good! It is quite bad, in fact, and that might explain why Apple pushed out 10.3.1 so quickly (10.3 was released only a week ago). Apple and Google declined to comment.

By chaining together a series of exploits on the Broadcom chip, Beniamini was able to demonstrate a “full device takeover by Wi-Fi proximity alone, requiring no user interaction.” This means an attacker on a shared Wi-Fi network could quietly compromise your device without ever tipping you off.

Beniamini demonstrated his research on a Nexus 6P, which might account for the equivocating “may be able” in Apple’s security update. Broadcom’s chips are widely used in the mobile phone industry, so the issue extends beyond Apple into other manufacturers, as well.

“Broadcom has been incredibly responsive and helpful, both in fixing the vulnerabilities and making the fixes available to affected vendors. For a complete timeline, see the bug tracker entries,” Beniamini wrote.

Expect more disclosures from Beniamini — the researcher promised to divulge more about the vulnerability soon.