A new bug has been discovered that impacts both Android and iOS devices. If you use a smartphone that contains Broadcom Wi-Fi chips, and you probably do, the newly discovered exploit allows an attacker to execute malicious code on your device remotely with no input or action required by you.
The bug was discovered by the security firm Artenstein and reported to Google, but at this point, neither company has released any significant details about the issue. However, Google did release a security patch for it as of July 5. USA Today writes, “The dangerous vulnerability, called Broadpwn, had been exposed by a security researcher Nitay Artenstein of Exodus Intelligence, who indicated that a malicious hacker could compromise devices through a bug within Broadcom’s Wi-Fi chipsets. As long as the attacker is within range, he or she may be able to ‘execute arbitrary code on the Wi-Fi chip.’”
Other security researchers have reverse-engineered Google’s patch to gain some insight as to exactly how the flaw works, and how it could be used.
It’s being called “Broadpwn,” and appears to be a stack overflow issue in Broadcom Wi-Fi chips. Exploitation can occur when the user’s device receives a WME (Quality of Service) element of malformed length from a network it’s connected to.
All you’d have to do to fall victim to this is walk into range of the attacker’s Wi-Fi network.
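The flaw described above comes down to trusting the length field of a WME element. The following C example is added here for illustration and is not Broadcom's firmware code or Google's patch: it shows the bounds and length checks a receiver can apply to the tagged elements of a frame before any element body is copied. The function and constant names are hypothetical, and the WME prefix (00:50:F2, type 2) and expected body lengths (7 and 24 bytes) come from the WMM specification, not from this article.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { WME_ABSENT = 0, WME_OK = 1, WME_BAD_LENGTH = -1, IE_TRUNCATED = -2 };

/* Walk the tagged elements (1-byte ID, 1-byte length, body) of a management
 * frame and validate every WME element before anything copies its body. */
int check_wme_elements(const uint8_t *ies, size_t total)
{
    static const uint8_t wme[4] = { 0x00, 0x50, 0xF2, 0x02 }; /* OUI + type */
    int result = WME_ABSENT;
    size_t off = 0;

    while (off < total) {
        if (total - off < 2)
            return IE_TRUNCATED;              /* no room for ID + length */
        uint8_t id = ies[off], len = ies[off + 1];
        if (len > total - off - 2)
            return IE_TRUNCATED;              /* length runs past the frame */
        const uint8_t *body = ies + off + 2;
        if (id == 0xDD && len >= 5 && memcmp(body, wme, 4) == 0) {
            /* Subtype 0 = information (7 bytes), 1 = parameter (24 bytes). */
            size_t want = body[4] == 0 ? 7 : body[4] == 1 ? 24 : 0;
            if (want != 0 && len != want)
                return WME_BAD_LENGTH;        /* reject, never copy */
            if (want != 0)
                result = WME_OK;
        }
        off += 2u + len;
    }
    return result;
}

/* Constructed sample inputs; unlisted bytes are zero-filled. */
static const uint8_t good[6 + 26] = { 0x00, 4, 't', 'e', 's', 't',
    0xDD, 24, 0x00, 0x50, 0xF2, 0x02, 0x01, 0x01 };
static const uint8_t oversized[2 + 44] = { 0xDD, 44, 0x00, 0x50, 0xF2, 0x02, 0x01, 0x01 };
static const uint8_t truncated[5] = { 0xDD, 24, 0x00, 0x50, 0xF2 };

int main(void)
{
    printf("good=%d oversized=%d truncated=%d\n",
           check_wme_elements(good, sizeof good),
           check_wme_elements(oversized, sizeof oversized),
           check_wme_elements(truncated, sizeof truncated));
    return 0;
}
```

A parser that copies the element body into a fixed-size buffer only after a check like this returns `WME_OK` cannot be overrun by a WME element that lies about its length.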
Since simply being in range of a malicious network is enough, your best defense is to connect only to trusted networks and turn off your phone's autoconnect feature, lest you risk giving a hacker unfettered control over your device.
Although it’s been patched, at least on the Android side, not everyone sets their devices up to automatically receive security updates. If yours is not set to do so, then take a few minutes to download this one.
This bug also underscores the importance of a growing problem. With Wi-Fi networks being so numerous and readily available these days, many, if not most, people casually connect to any network in range without thinking or worrying about the potential downside. If you’re serious about data security, that practice needs to stop.
If you have an iPhone or other iOS device, head to Settings, General and then Software Update to install iOS 10.3.3. The iOS update covers iPhones dating back to the iPhone 5, iPads dating back to the 4th generation, as well as the 6th generation iPod Touch. If you have Android, Google issued its own security patch earlier this month.
Mac users are urged to install the macOS Sierra update to version 10.12.6. Start by clicking the Updates tab within the Mac App Store.