nnn
29-07-17, 20:14
At the Black Hat conference, researcher Nitay Artenstein demonstrated a proof-of-concept attack against Android and iOS devices that exploits a security flaw in Broadcom's BCM43xx Wi-Fi chip.
The vulnerability in the BCM43xx family put more than 1 billion devices at risk (all iPhones from the iPhone 5 onward, the Nexus series, the Samsung Note, and the Galaxy series from the S3 to the S8) until early July, when Google and Apple, which had been notified privately, released patches that close the hole in Broadcom's chips.
Although the flaw is now closed, the hack has important lessons as engineers continue their quest to secure mobile phones and other computing devices. Security protections such as address space layout randomization and data execution prevention have now become standard parts of the operating systems and apps. As a result, attackers have to work hard to exploit buffer overflows and other types of software vulnerabilities. That extra work largely makes self-replicating worms impossible. Artenstein's exploit, however, suggests that such worms are by no means impossible.
"This research is an attempt to demonstrate what such an attack, and such a bug, will look like," the researcher wrote in a detailed blog post. "Broadpwn is a fully remote attack against Broadcom’s BCM43xx family of Wi-Fi chipsets, which allows for code execution on the main application processor in both Android and iOS. It is based on an unusually powerful 0-day that allowed us to leverage it into a reliable, fully remote exploit."
In sharp contrast to the kernels in iOS and Android, the Broadcom chips Artenstein targeted aren't protected by ASLR or DEP. That meant he could reliably know where his malicious code would be loaded in chip memory so he could ensure it got executed. Additionally, he found a flaw across various chipset firmware versions that allowed his code to work universally rather than having to be customized for each firmware build. Making the attack even more potent, targets didn't have to connect to the attacker's Wi-Fi network. Simply having Wi-Fi turned on was sufficient to be hacked.
Artenstein said his attack worked on a wide range of phones, including all iPhones since the iPhone 5, Google's Nexus 5, 6, 6X and 6P models, Samsung Notes 3 devices, and Samsung Galaxy devices from S3 to S8. After he privately reported the flaw, Google and Apple released patches that closed the underlying vulnerability that made the attack possible. Because Wi-Fi chipsets in laptop and desktop computers have more limited access to the computer's networking functions, the researcher doesn't believe they are vulnerable to the same attack. While Artenstein's proof of concept didn't spread from the Wi-Fi chip to infect the phone's kernel, he said that additional step is well within the means of determined hackers.
Source: Ars Technica (https://arstechnica.com/information-technology/2017/07/broadcom-chip-bug-opened-1-billion-phones-to-a-wi-fi-hopping-worm-attack/)