Wi-Fi chips in phones, tablets, vulnerable to DoS attack

A vulnerability discovered in two Wi-Fi chipsets has placed a number of wireless devices at risk of a denial-of-service attack.
Written by Michael Lee, Contributor

Security researchers at Core Security have identified a denial-of-service (DoS) vulnerability in the firmware for Wi-Fi chips installed in several smartphones, tablets, laptops, and even a car.

The vulnerability is present in Broadcom BCM4325 and BCM4329 Wi-Fi chips, and has the potential to stop them from working, due to the firmware not validating what input is provided to it. Core Security stated in its security advisory that by using this bug, attackers could send certain input to the chip, which could cause the firmware to attempt to read information outside of the normal data that it is permitted to read — an out-of-bounds read error.

According to Core Security, this error can be used to deny the user any ability to use their Wi-Fi interface, and possibly disclose information that would normally be protected.

Part of the company's responsible disclosure was to inform Broadcom of the vulnerability prior to making a public advisory. It also notified the US Computer Emergency Response Team and several manufacturers that are known to be using the two affected chips. These include Apple, HTC, Motorola, Nokia, Samsung, Asus, LG Electronics, and Ford.

Broadcom has confirmed that the vulnerability exists, but has indicated that it is limited only to the two chips specified.

At the initial publication of this article, Broadcom's official statement, supplied by Core Security, stated that "this DoS issue, identified by CORE Security Technologies, [which] would require significant technical expertise to mount, could cause certain consumer electronics devices containing these chips to experience a transient WLAN service interruption as long as the DoS is active. During the service interruption, other phone/tablet features would be unaffected.

"The DoS issue does not in any way compromise the security of users' data."

Broadcom has since told ZDNet that this statement was incorrect, and has removed its reference to how difficult it would be to implement an attack. Its updated statement is as follows:

"CORE Security Technologies has identified a denial-of-service (DoS) vulnerability in the firmware running on two prior-generation Broadcom chips, the BCM4325 and BCM4329. Other Broadcom chips are not affected. This denial-of-service attack can cause an unpatched consumer electronics device to experience a WLAN service interruption. The vulnerability does not enable exposure of the consumer’s data. Broadcom has firmware patches for its OEM customers to address the issue.

"The vast majority of Broadcom's WLAN product portfolio is not subject to the DoS issue.

"Broadcom has been working with multiple customers, providing information and fixes as required, and will continue to address security issues that may be identified."

Core Security's advisory also includes complete proof-of-concept code, written in Python, that anyone can download and use to verify that the vulnerability exists. Unfortunately, it also provides any would-be attacker with the necessary information required to adapt it for their own malicious use.

Broadcom has released patches to protect the affected chips against attack; however, most smartphone and tablet users will be unable to apply them, as they will require an official patch from their device manufacturer.

Broadcom's original statement said that "customers are accepting the patch on a case-by-case basis, recognising that most affected devices are out of service," even though the affected devices include relatively recent devices, such as the Apple iPad 2, which was only released in March last year.

It has since revised its statement to say: "Broadcom makes corrected firmware available to the OEMs. Many affected devices are already out of service, and many others have updated firmware available."

Core Security's advisory contains a list of devices that it believes are vulnerable, and are reproduced below.

BCM4325 chipset

  • Apple iPhone 3GS

  • Apple iPod 2G

  • HTC Touch Pro 2

  • HTC Droid Incredible

  • Samsung Spica

  • Acer Liquid

  • Motorola Devour

  • Ford Edge.

BCM4329 chipset

  • Apple iPhone 4

  • Apple iPhone 4 Verizon

  • Apple iPod 3G

  • Apple iPad Wi-Fi

  • Apple iPad 3G

  • Apple iPad 2

  • Apple TV 2G

  • Motorola Xoom

  • Motorola Droid X2

  • Motorola Atrix

  • Samsung Galaxy Tab

  • Samsung Galaxy S 4G

  • Samsung Nexus S

  • Samsung Stratosphere

  • Samsung Fascinate

  • HTC Nexus One

  • HTC Evo 4G

  • HTC ThunderBolt

  • HTC Droid Incredible 2

  • LG Revolution

  • Sony Ericsson Xperia Play

  • Pantech Breakout

  • Nokia Lumia 800

  • Kyocera Echo

  • Asus Transformer Prime

  • Malata Zpad.

Updated on Friday, October 26, at 11:17 a.m. AEDST: Included updated statement from Broadcom.

Editorial standards