This article originally appeared in TidBITS on 2017-07-21 at 11:30 a.m.
The permanent URL for this article is: http://tidbits.com/article/17352

iOS 10.3.3 Patches High-Profile BroadPwn Flaw

by Adam C. Engst

The ThreatPost blog has called out the fact that Apple’s recently released iOS 10.3.3 patches a high-profile flaw known as BroadPwn. [1] The BroadPwn vulnerability, which affects Broadcom’s BCM43xx family of Wi-Fi chips, allows an attacker within Wi-Fi range to execute code on the Wi-Fi chips of affected devices. Exactly what an attacker could do from that point remains unknown, but said code would be running underneath the operating system.

(Everything we’ve seen talks about BroadPwn only in the context of iOS and Android, but Apple’s recent operating system updates all say that they fix the same bug, and Apple uses the affected Broadcom BCM43xx Wi-Fi chips across all of its hardware lines. So it seems likely that all of Apple’s platforms are vulnerable unless they are running the latest versions of their operating systems (see “Apple Releases macOS 10.12.6, iOS 10.3.3, watchOS 3.2.3, and tvOS 10.2.2 [2],” 19 July 2017). However, the security update for OS X 10.11.6 El Capitan and 10.10.5 Yosemite does not reference the BroadPwn bug.)

The practical upshot of this is that you should update to iOS 10.3.3 soon. Most security vulnerabilities are either limited in what they can do or how attackers can use them, but our security editor, Rich Mogull, said that BroadPwn looks to be one of the worst vulnerabilities he has seen in a while. So hey, just go to Settings > General > Software Update and update your iOS 10 devices right now.

What counts as an affected device? According to Nitay Artenstein, the Exodus Intelligence researcher who discovered BroadPwn, the vulnerability “is found in an extraordinarily wide range of mobile devices — from various iPhone models to HTC, LG, Nexus, and practically the full range of Samsung flagship devices.” Artenstein will be presenting a session on BroadPwn [3] at the Black Hat USA 2017 Conference.

In its security notes about iOS 10.3.3, Apple says that the update patches the flaw on the iPhone 5 and newer, the fourth-generation iPad and newer, and the sixth-generation iPod touch. But that’s just because those are the only devices that can run iOS 10.

Older devices remain problematic. For instance, the iPhone 4 and iPhone 4S, among others, also use vulnerable Broadcom Wi-Fi chips, and because they can’t run iOS 10.3.3, they are likely vulnerable to BroadPwn.

As far as I can remember, Apple has never released a security update to a previous version of iOS. Unfortunately, since about 8 percent of iOS devices are still running an earlier version [4] and there are well over 1 billion iOS devices in active use, that policy puts millions of people at risk. We’d like to see Apple follow the same policy it has with macOS, where two previous versions of the operating system receive security updates. We don’t know why Apple didn’t address BroadPwn for Yosemite and El Capitan; perhaps there’s some other reason they aren’t vulnerable.

Of course, risk is relative. Most people with everyday data on their devices have little to worry about, particularly with BroadPwn, which requires an attacker to be within Wi-Fi range. However, if you use an older, BroadPwn-vulnerable iOS (or Android) device to communicate about sensitive government, corporate, or medical topics, now would be a good time to switch to a newer device.

[1]: https://threatpost.com/apple-patches-broadpwn-bug-in-ios-10-3-3/126955/
[2]: http://tidbits.com/article/17349
[3]: https://www.blackhat.com/us-17/briefings.html#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets
[4]: https://mixpanel.com/trends/#report/ios_10