Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets

Presented at Black Hat USA 2017, July 27, 2017, 9:45 a.m. (50 minutes)

Remote exploits that compromise Android and iOS devices without user interaction have become an endangered species in recent years. Such exploits present a unique challenge: Without access to the rich scripting environment of the browser, exploit developers have been having a hard time bypassing mitigations such as DEP and ASLR.<br /> <br /> But what happens when, underneath your heavily hardened OS, a separate chip parses all your Wi-Fi packets - and runs with no exploit mitigations whatsoever?<br /> <br /> Meet Broadpwn, a vulnerability in Broadcom's Wi-Fi chipsets which affects millions of Android and iOS devices, and can be triggered remotely, without user interaction. The Broadcom BCM43xx family of Wi-Fi chips is found in an extraordinarily wide range of mobile devices - from various iPhone models, to HTC, LG, Nexus and practically the full range of Samsung flagship devices.<br /> <br /> In this talk, we'll take a deep dive into the internals of the BCM4354, 4358 and 4359 Wi-Fi chipsets, and explore the workings of the mysterious, closed-source HNDRTE operating system. Then, we'll plunge into the confusing universe of 802.11 standards in a quest to find promising attack surfaces.<br /> <br /> Finally, we'll tell the story of how we found the bug and exploited it to achieve full code execution - and how we went on to leverage our control of the Wi-Fi chip in order to run code in the main application processor.


  • Nitay Artenstein - Vulnerability Researcher, Exodus Intelligence
    Nitay Artenstein is a security researcher in the fields of reverse engineering, exploit development and vulnerability research. His fields of interest include Windows kernel exploitation, reverse engineering embedded systems and bug hunting in the Linux kernel. For the past two years, he has been working mainly on exploiting Android devices. He suffers from a severe addiction to IDA Pro (at least until radare come up with a decent decompiler), and generally gets a kick out of digging around where he's not supposed to.