Four months ago, Google security researcher Gal Beniamini, a member of Project Zero, identified a string of critical security issues in Broadcom’s firmware. This firmware is fundamental to the operation of smartphones, and both Google and Apple have designed several key features of their respective OSs around it.
Normally, it is Google’s policy to notify the public after 90 days if the company responsible for fixing the bugs has not done so. In this case, Google made an exception, giving Broadcom an extra month to address all the issues because of their criticality, and because the company was working diligently on fixes for them.
Once Broadcom put the last of their fixes in place, it allowed Google and Apple to roll out patches to their code, which decisively ended the issue.
It’s a very good thing, too, because had these issues remained unpatched, they would have allowed any hacker to set up an “Evil WiFi Hotspot” (an Evil Twin access point) and use it to push malicious code onto any device that connected to it.
There would be no way to stop it, and no way even to detect that it was being done until it was too late.
The exploits would have allowed literally any type of code to be inserted, from keyloggers, to fake banking apps capable of initiating rogue transactions, to ransomware, or anything else the hacker wished to place on the user’s device.
That’s about as bad as it can possibly get, so if you don’t have automatic updates enabled, you should make it a point to grab this latest update. If you don’t, your device and every bit of data it contains is going to be at extreme risk.