This content is part of the Conference Coverage: Black Hat 2017: Special conference coverage

Breaking down the Broadpwn exploit, world's first Wi-Fi worm

At Black Hat 2017, Exodus Intelligence researcher Nitay Artenstein unveiled the Broadpwn exploit, which he called the world's first Wi-Fi worm and which puts billions of iOS and Android devices at risk.

LAS VEGAS -- Nitay Artenstein has three simple rules an exploit must meet before it can be considered a "true" remote exploit.

The exploit must not require any human interaction to execute, it must not require any assumptions about the target system, and it must leave the system in a stable state to avoid detection.

And unfortunately, the Broadpwn exploit abides by all three of Artenstein's rules for remote exploits. Artenstein, vulnerability researcher at threat intelligence company Exodus Intelligence, presented the remote exploit at Black Hat 2017 and described how Broadpwn puts billions of mobile devices at risk -- and how a series of questionable design shortcomings, rather than one catastrophic zero-day vulnerability, led to the creation of a wormable Wi-Fi attack.

"We thought this was a really good occasion to make the first Wi-Fi worm," he said.

Artenstein explained that effective remote exploits for today's mobile devices are harder to come by because platforms like Google's Android and Apple's iOS operating systems are full hardened. The hardening includes address space layout randomization (ASLR) protection, which prevents buffer overflow attacks.

As a result, Artenstein said he and other Exodus researchers began "looking around the neighborhood" of mobile devices to see what other avenues might be available. That search led them to the Broadcom Wi-Fi controller chip, which is used in a wide range of Android and iOS devices -- and which has no ASLR or data execution prevention protection.

The Exodus research team began the process of reverse engineering and debugging the Wi-Fi controller's firmware, which was made much easier because of a number of factors, including the lack of integrity checks on the firmware and the fact that older versions of the source code could be downloaded from the web.

We thought this was a really good occasion to make the first Wi-Fi worm.
Nitay Artensteinvulnerability researcher, Exodus Intelligence

The team then began to explore options for creating a true remote exploit that required no human interaction, which led them to the 802.11 association process. Artenstein explained that modern mobile devices send out probe request packets for nearby Wi-Fi signals and will automatically connect to known access points -- or what the device believes is a known access point. Thanks to shortcomings in the association sequence's authentication process, Artenstein said, it's possible for an attacker using the Broadpwn exploit to pick up probe requests from a target device and trick that device into connecting to a malicious access point.

"It doesn't require any interaction," Artenstein said during a demonstration of the process. "As long as the victim has connected to an access point in the past, and if you stay around them for a minute or two, you should be seeing one of these [probe requests]. And the beauty of this thing is there's no authentication part of this process."

The Broadpwn exploit also took advantage of a bug in the Wireless Multimedia Extensions (WME), which is a quality-of-service extension for the 802.11 standard. Artenstein said the bug in WME, which helps access points prioritize traffic based on the type of content being steamed, allowed for buffer overflow attacks. As a result, an attack could send data to a device that corrupts the Broadcom Wi-Fi controller's memory, without alerting the user that anything is amiss.

The attack was further enabled by the Wi-Fi chip's packet ring buffer, which allowed the Exodus team to craft a small payload and deliver it to devices as they scan for available access points to connect to. During the presentation, Artenstein demonstrated the exploit using a test access point and explained that once a single device is infected, Broadpwn can spread quickly by connecting to other nearby devices.

Artenstein said that while a significant amount of work went into the researching and developing the Broadpwn exploit, he admitted the team was fortunate to find a series of issues and design flaws that made the proof-of-concept attack possible. "This is very simple, very clear," he said, "and it was our lucky day."

But Artenstein emphasized the exploit is very dangerous and powerful. In an Exodus blog post on Broadpwn, he wrote that worms and remote exploits could make a comeback and put mobile devices in jeopardy.

"Worms died out around the end of the last decade, together with their essential companion, the remote exploit," Artenstein wrote. "They have died out for the same reason: software mitigations have become too mature, and automatic infection over the network became a distant memory. Until now."

Next Steps

Learn the difference between a backdoor and security vulnerability

Read more about the Stuxnet worm

Secure the enterprise Wi-Fi

Dig Deeper on Threats and vulnerabilities