Google on Tuesday disclosed details and a proof-of-concept exploit for a Wi-Fi firmware vulnerability in Broadcom chipsets patched this week in iOS 11. The attack enables code execution and persistent presence on a compromised device.
“The exploit gains code execution on the Wi-Fi firmware on the iPhone 7,” said Google Project Zero researcher Gal Beniamini, whose comments were part of a bug report made public Tuesday. “Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip),” Beniamini said.
Beniamini said his exploit has been tested against the firmware packaged with iOS 10.2 and that it should work on versions up to and including 10.3.3. The BCM4355C0 System on Chip with firmware version 18.104.22.168.0.1.56 is affected.
Apple said the bug, CVE-2017-11120, was a memory corruption issue and addressed it in the security update accompanying the release of iOS 11.
The vulnerability lives in Broadcom chips used by Apple in the iPhone and other products, including tvOS used in Apple TV and watchOS used in the Apple Watch. Android also makes use of the same chips, and Google patched the bug in the September Android Security Bulletin.