In another case that highlights the importance of mobile phone security, Google’s Project Zero has found a vulnerability in a Wi-Fi chip commonly used in Android and iOS devices, Digital Trends reported.
Built by Broadcom, the Wi-Fi Full MAC chips are used by mobile devices for Wi-Fi communications. The Wi-Fi tasks on cellphones are usually offloaded to such chips in order to save on battery life. Unfortunately, there is a vulnerability in the chip which could enable the hijacking of the mobile device.
The chip handles all the Wi-Fi communications. However, its stack can be overflowed, and when that happens, privileges can be elevated, which could lead to access to the kernel. With the proper privileges, a small program can be used to rewrite the kernel or to include malicious code without the owner’s knowledge.
Android and Apple operating systems are known to be strict about allowing root access to specific parts of the system. Even a root or admin user still has to key in the password before any system app is run. This vulnerability is so deeply embedded that, strictly speaking, it is not even a part of the operating system. The vulnerable code resides on a separate chip with which the OS communicates only via an API.
Computer developers, in general, look for vulnerabilities within the system code, or in any other user-created code interacting directly with the OS. Embedded code seldom has these vulnerabilities, and even if it did, they could not be exploited because of the nature of the larger systems. Security in computers is checked with almost every instance of a system call.
However, in the case of cellphones and other mobile devices, there is a degree of integration which is not found in computers. The embedded systems themselves communicate with one another. This is done to save code space, to speed up execution, and ultimately to save on battery life. If the same chip were installed on a computer or laptop, there would have been no problem even if there was a stack overflow.
Some mobile devices which use the Broadcom chip include Samsung cellphones, Google’s Nexus phones, and Apple mobile devices. The chip is also used in Wi-Fi routers.
Project Zero is a Google program which aims to catch security vulnerabilities in operating systems before they can be used in a malicious manner. So far, the Wi-Fi Full MAC vulnerability has been patched by Apple. iOS devices which were formerly vulnerable to this included the iPhone 5 and later, 4th generation iPads and later, and the 6th generation iPod Touch.
Broadcom Takes Bold Steps To Improve
Meanwhile, Broadcom has already been informed about the chip vulnerability and has implemented a bold solution in its newer versions. Called the Memory Protection Unit, it manages user access privileges, along with other hardware-embedded security features.