Apple recently released version 10.3.3 of its iOS software, which was largely security updates. One of the most critical ones was a patch for a Wi-Fi hack called Broadpwn, which targets Broadcom Wi-Fi chips common in many mobile devices.
iPhones as old as the 5 series will get the update, along with iPads from the 4th generation or newer and the 6th or newer iPods. There’s no word on whether older models are going to get the update, which is troubling: their Broadcom chips come from the same family and may be susceptible as well.
If they are, it's just another security hole in the wild going unpatched.
What is Broadpwn?
Most iPhones, iPads, and iPods contain Wi-Fi chips made by Broadcom (although some contain Intel chips). The chips with model numbers BCM4354, BCM4358, and BCM4359 all have a vulnerability that allows a nearby attacker to take control of the affected device completely in the background.
A user with a Broadpwned device won’t even know they’re affected, yet all the while the attacker can inject code, steal data, and completely control the device.
Broadpwn is serious enough for the National Institute of Standards and Technology to rate it a 9.8 on a threat scale that goes up to 10. In short, you don’t want to fall prey to this hack.
Updates? Not all iPhones
Apple has used Broadcom chips in every generation of its iOS devices. Nitay Artenstein, the analyst who discovered the bug, says it affects all Broadcom BCM43xx chips. Older iPhones that aren’t getting the 10.3.3 update still contain BCM43xx chips, raising concerns that they could be vulnerable as well.
Apple hasn't stated whether iOS devices older than the iPhone 5, iPad 4, and iPod 6 will get the update. If you're using one of those devices, it's a good time to consider replacing it: hardware that's past the end of its support life might still work just fine, but it's a ticking time bomb of vulnerabilities.
Not just an Apple problem
The Broadcom BCM43xx series is in a lot of mobile devices, including those manufactured by Samsung, HTC, Google, and LG. An Android update that addresses the issue has been released, but that doesn’t mean everyone has received it.
Android fragmentation means that there are potentially millions of unpatched devices being used. Users may largely be unaware of the flaw, and those who are aware likely don’t know when they’ll receive an OEM-certified update.
In the meantime, it's not a bad idea to turn off Wi-Fi on your Android device until you can be sure you have received the update.
Top three takeaways for TechRepublic readers:
- A security flaw in Broadcom Wi-Fi chips has left unpatched iOS and Android devices hackable by attackers on the same Wi-Fi network.
- Google and Apple have released updates that address the flaw. Users are advised to update their iOS devices to 10.3.3 immediately. Android users should check with their manufacturer to see when they’ll get the July 2017 Android security update.
- Older iOS and Android devices likely won’t receive the update, but they may still contain a BCM43xx Wi-Fi chip that could be vulnerable to the hack. Those who still own older devices should consider replacing them.