Apple released an urgent update to iOS 10.3 only a few days before the official distribution to users around the world. This new version of the iOS operating system for mobile devices was about to reach iPad and iPhone users worldwide when the urgent update was suddenly released.
The purpose of this rushed update was to patch a single vulnerability that, if left unfixed, could have allowed attackers to execute arbitrary code on the Wi-Fi chip. This chip is built into the 4th-generation iPad, the iPhone 5, the 6th-generation iPod touch and all later devices.
A potential attacker could exploit this vulnerability to run code on any nearby device by triggering a stack buffer overflow present in the newest version of this operating system.
The flaw was reportedly discovered by Gal Beniamini, a member of Google’s Project Zero team, and after he reported it, Apple addressed the newly discovered vulnerability by improving input validation.
iOS 10.3 was released on March 28, and the update carried patches for over 70 vulnerabilities. Of those 70 flaws, at least 18 could have been used for remote code execution. A beta of iOS 10.3.2 was also released last week to public beta testers.
Gal Beniamini published the details of the vulnerability; the problem was in the firmware of the wireless chip. The firmware was found to lack some of the necessary security features, such as safe unlinking, stack cookies, access-permission protection and other similar features that were supposed to be built into the chip’s hardware.
Further analysis of the chip’s firmware and the way it interacts with the hardware allowed Beniamini to write a working exploit. The exploit overflowed a stack buffer and thereby overwrote the device’s memory, which in turn led to arbitrary code execution, all of it over the wireless interface. And since Broadcom’s wireless SoCs are used in Android devices as well, he used his proof-of-concept code to exploit the same flaw on a Google Nexus 6P.
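To make the "missing input validation" point concrete, here is an added C illustration (not Beniamini’s exploit code and not Broadcom’s firmware): a hypothetical frame-element parser in the unchecked form that trusts a length byte taken from the radio frame, beside the bounds-checked form that rejects it. The element layout, the 32-byte buffer size, the sample frames and the return codes are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical element layout [id][len][value...]; ids and sizes are
 * illustrative, not Broadcom's actual firmware structures. */
#define ELEM_VALUE_MAX 32

typedef struct { uint8_t id; uint8_t len; uint8_t value[ELEM_VALUE_MAX]; } elem_t;

/* Vulnerable pattern: 'len' arrives in the radio frame and is trusted, so a
 * value above ELEM_VALUE_MAX writes past 'value'; with no stack cookie in the
 * firmware nothing detects the overwrite. Kept only to make the missing check
 * visible; never call it on untrusted input. */
int parse_elem_unchecked(const uint8_t *frame, size_t frame_len, elem_t *out)
{
    if (frame_len < 2) return -1;
    out->id = frame[0];
    out->len = frame[1];
    memcpy(out->value, frame + 2, out->len);   /* len is never bounded */
    return 0;
}

/* Hardened version: the same parse with the input validation the article says
 * the fix added. Returns 0 on success, a negative code on rejection. */
int parse_elem_checked(const uint8_t *frame, size_t frame_len, elem_t *out)
{
    if (frame == NULL || out == NULL || frame_len < 2) return -1;
    uint8_t len = frame[1];
    if (len > ELEM_VALUE_MAX) return -2;          /* would overflow value[] */
    if ((size_t)len + 2 > frame_len) return -3;   /* claims bytes not received */
    out->id = frame[0];
    out->len = len;
    memcpy(out->value, frame + 2, len);
    return 0;
}

/* Constructed sample frames: well-formed, oversized length byte, and a frame
 * that claims more bytes than it actually carries. */
int demo_well_formed(void) { elem_t e; const uint8_t f[] = {0x01, 0x03, 'a', 'b', 'c'}; return parse_elem_checked(f, sizeof f, &e); }
int demo_oversized(void)   { elem_t e; uint8_t f[40]; memset(f, 0x41, sizeof f); f[1] = 0xFF; return parse_elem_checked(f, sizeof f, &e); }
int demo_truncated(void)   { elem_t e; const uint8_t f[] = {0x01, 0x10, 'a'}; return parse_elem_checked(f, sizeof f, &e); }
/* The unchecked parser behaves identically on well-formed input, which is why the bug stays hidden. */
int demo_unchecked_well_formed(void) { elem_t e; const uint8_t f[] = {0x01, 0x03, 'a', 'b', 'c'}; parse_elem_unchecked(f, sizeof f, &e); return e.len; }

int main(void)
{
    printf("well-formed: %d, oversized: %d, truncated: %d, unchecked len: %d\n",
           demo_well_formed(), demo_oversized(), demo_truncated(), demo_unchecked_well_formed());
    return 0;
}
```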
Beniamini stated that Broadcom was extremely helpful and responsive, both in fixing these vulnerabilities and in making the fixes available to all of the affected vendors. He also said that he will continue his explorations in order to discover how to gain control of the Wi-Fi SoC and thereby take over the device’s operating system through wireless methods.