This post led to a NZ Herald article covering this issue.
Apple, we have a problem.
On 26 July, 2017, US security researcher Nitay Artenstein of Exodus Intelligence published a write-up of a very serious security vulnerability in Broadcom’s BCM43xx series of Wi-Fi chipsets. He went on to demonstrate the vulnerability and an exploit in action at DefCon 2017.
This vulnerability has been dubbed “Broadpwn”.
The flaw is pretty serious. It allows a “drive-by” compromise of the Wi-Fi on affected devices – and there are many affected devices – where the attack can take full control of the Wi-Fi hardware on victim devices and then hop onward from there to further victims in range. The flaw is such that it doesn’t need any user interaction to be expolited – your phone just has to be connected to any wireless network, regardless of that network’s security, or possibly even just scanning for available wireless networks. This is the return of the classic “worm”, not seen in any seriousness since 2009’s Conficker, although spreading more in local proximity, somewhat like how the flu spreads. For a non-technical primer on Broadpwn, see the Guardian’s write-up here.
This might not seem so bad until you remember the visuals in the closing titles of Rise of the Planet of the Apes (image right). Uh oh, Airport Wi-Fi. Even if you probably didn’t use it.
Unpatched Android devices are going to be a serious problem once this exploit is coupled with a payload. But bad as that is, that isn’t the point of this post.
Apple rushed out a patch for macOS (Sierra v10.12.6) and iOS (10.3.3). If you have a supported Mac or iOS device, update it now.
Unless, that is, you have an iPhone 4S or older, or a 3rd generation iPad or older, including the venerable iPad 2, of which thousands are still deployed at schools, and for which no update is coming.
And here is our timebomb.
Nitay’s research revealed that the BCM43xx series of Broadcom chipsets is vulnerable, and mentioned in his findings a non-exhaustive list of known affected devices, of which he listed “All iPhones after iPhone 5”. And Apple’s iOS 10.3.3 patch is available for the iPhone 5 and later. A lot of media reporting on this missed the term non-exhaustive and reported that the flaw affects the iPhone 5 and up. This isn’t quite right.
I got a little worried about the lack of mention of older hardware. This led me to iFixit, an excellent repair guide for many devices, who tore down an iPad 2 back when it was new and listed their parts. Guess what’s running the Wi-Fi:
A little shocked about this, and confused about lack of mention of the iPad 2 (and iPhone 4/4S) in media mention of Broadpwn, I reached out to tech journalist Juha Saarinen who went directly to Nitay himself who confirmed it. The iPad 2 is vulnerable.
Turns out most reports had taken the list of Apple devices presented as having an update available, and misinterpreted it as being a complete list of what was vulnerable. They missed the iPad 2 (and the folder first-gen iPad, and the iPhone 4 & 4S).
For one of our schools, most of their iPads are the iPad 2. Another school has over 150 of them (we can’t mention names due to each school’s media policies). They were in production until March 2014 and being sold at a really good price to schools as late as November 2014 – which the schools accepted as it meant they could buy more iPads to get in the hands of more students for their limited budgets. And you can be sure that there will be thousands more at other New Zealand schools, with many more again worldwide.
So, we have three things here:
- the iPad 2 is vulnerable to Broadpwn, leaving it wide open to a worm that can spread totally automatically between devices.
- the iPad 2 is no longer receiving updates from Apple, so as things stand as they are now, this flaw will not be fixed.
- There are thousands of these iPads in NZ schools alone. Factor in BYOD, and multiply by the rest of the world, and this could be a very serious security problem schools will face.
Right now we have a vulnerability with no known worms exploiting it – yet. That will change sometime in the next couple of weeks as kids with too much time on their hands write and unleash the first wave.
But it’s the second wave that will be of greater concern. Broadpwn on its own lets an attacker directly take over the Wi-Fi hardware but it doesn’t, on its own, give an attacker full control of the device. However, couple it with a second security vulnerability in the kernel, and an attacker could gain full control. The iPad 2 and iPhone 4S only run iOS 9.3.5 or older – a year old, with plenty of other vulnerabilities discovered since then, so it won’t take long for someone to find and exploit at least one of them. I anticipate we’ll start seeing some seriously nasty stuff emerge within three to six months.
We need Apple to step up and remedy this.
The two schools mentioned above will have to dump heaps of otherwise perfectly usable and useful educational resources, or replace them at a cost of over $80,000. That is a lot for these schools to have to suddenly cough up, but they face either having to do that, or lose a valuable educational resource, or open up their equipment and students to serious and unacceptable security risks.
Leaving a product that was sold up until quite recently and remains widely deployed in schools, vulnerable to such a massive security risk, is unacceptable. Expecting the schools to lose such a resource or suddenly have to spend so much to replace them is also unacceptable. Apple, you need to provide a remedy to this problem, and urgently.
Shoutouts: Thanks heaps to Juha Saarinen (@juhasaarinen) who made contact with Vitay Artenstein to verify these findings and is being instrumental in helping get the issue the coverage it needs. I’d also like to thank @kyhwana for a big part in raising my personal awareness in information security over the past couple of years, and for getting me along to @kiwicon – without your valuable input and feedback on a number of topics lately, I wouldn’t have developed the knowledge and suspicious mindset required to have discovered this!