Broadpwn – The first Worm I’ve Heard Of In A Long Time

You know, it’s been a while since I have heard of a worm showing up amongst the various malware that keeps getting announced. Ransomware? That’s the malware of the day. Viruses? I don’t think those will ever go away. But Worms? I haven’t heard of one in quite a while. But, down at Black Hat, Exodus Intelligence researcher Nitay Artenstein announced a new worm / remote exploit that they had developed.

And it’s a doozy! It makes use of Cell Phone WiFi!

Now, in case you aren’t aware of what the definition of a worm is, it’s a piece of malware that doesn’t require any human interaction to execute, it doesn’t make any assumptions about the target it’s attacking, and it can’t be detected by the target. In short, it self-propagates, making use of an exploit on it’s target. But, in this case, it’s targets are cell phones.

Cell phones have been much more secure than any other device for the very simple reason that the underlying operating systems learned from the past mistakes of workstation or server Operating Systems and were designed from the outset to be secure. This goes for both Android and iOS devices though with slightly different approaches. Plus, the cell phone manufacturers are using communication chips that have also been hardened and have protections of their own.


I say generally because, in the case of Broadpwn, the exploit makes use of vulnerabilities in the underlying WiFi controller chip from Broadcom that doesn’t have the usual checks and balances that you see in other chips. There’s no randomized use of memory going on and a lack of protection from buffer overflows. It also makes use of a flaw in the WiFi protocol, 802.11

For this exploit to work, you set up a malicious WiFi access point. The cell phone will automatically connect to a unauthenticated WiFi access point and, if the chip used is from Broadcom, the cell phone will be owned. It’s just that easy.

So, a couple of things about this. First, this goes back to a product, in this case the Broadcom chipset, not being designed with security in mind. As a result, anything built on top of it becomes exposed. And THAT goes back to having a proper Secure Development LifeCycle (SDLC). Second, if you have a cell phone, don’t have it set to automatically connect to the nearest access point. Third, IF you are connecting to a WiFi access point and you don’t have to provide authentication, be VERY cautious.

This is like having sex with a stranger – if you don’t know your partner, you don’t know what disease you are going to pick up. At least say “Hi!” and tell each other your names!

Finally, the thing to remember about this particular malware is that a couple of things had to happen for it to occur. You had to have a chipset that had security issues and you had to have a protocol that had a bug in it. Two things that, by themselves, couldn’t be leveraged on their own. But, put together, and you had the makings of a worm. And having a combination of things occurring now seems to be the way that exploits are being made. Remember StuxNet? Well, that was a two step process because the Iranian systems they were accessing were secure of and by themselves. But by leveraging a couple of issues and the US could bypass the security layers.

So, for you budding Security Architects out there, “Security in Layers” isn’t necessarily good enough anymore. Attacks will now think in terms of multiple steps to access the crown jewels and not just look for single points of entry. So you have to make the assumption that each layer will be breached on it’s own, regardless of how far it is from the outer edge. So monitoring become very key as well as trying to add a randomization element somewhere that can’t be counted on.

It’s a whole new way to think about security architecture. I’m wondering what that design pattern will turn into.

Hope that helps …


One thought on “Broadpwn – The first Worm I’ve Heard Of In A Long Time

Leave a Reply

Your email address will not be published. Required fields are marked *