iPhone, Android Exposed to Broadpwn Security Flaw, Google Patch Available

Share this…

The world’s two most popular mobile platforms are affected by a security vulnerability called Broadpwn and which allows attackers to gain remote code execution rights on unpatched devices.

The security flaw was discovered by Exodus Intelligence researcher Nitay Artenstein and is documented in CVE-2017-3544. It describes a vulnerability in Broadcom’s BCM43xx Wi-Fi chips that are being used on a wide variety of Android devices, as well as on Apple’s iPhone.

Google rushed to patch the vulnerability with the July Android Security Bulletin, confirming that Broadpwn can even be triggered remotely with zero user interaction. This means that attackers could exploit the vulnerability without users noticing it, and they can bypass modern security solutions like DEP and ASLR.

The majority of Android phones are said to be vulnerable to attacks as well, including models from HTC, LG, and Samsung, and it’s critical for users to deploy the latest updates as soon as possible.

Many other phone models also affected

And this is where OEMs come into play. It’s not a secret that some phone makers typically need more time to release the latest security updates for all their models, as it’s the case of Samsung, and unless users install the July security patch, they would remain vulnerable to attacks.

As far as Apple goes, iPhone devices are also said to be exposed, though details are pretty scarce at this time. Cupertino hasn’t provided any information on this bug despite the concerns that its devices could be vulnerable to attacks, and it’s not known which models need to be patched.

Also, without official statements from the company, nobody can tell for sure if a fix has already been issued, but given that Apple has never rushed to patch security vulnerabilities, we wouldn’t be surprised to see the company wait until the next major OS update.

For the time being, what Android users need to do is patch their devices as soon as possible, especially now that more details about the vulnerability have been made public.