If you haven’t updated your iPhone or Android device lately, do it now. Until very recent patches, a bug in a little-examined Wi-Fi chip would have allowed a hacker to invisibly hack into any one of a billion devices. Yes, billion with a b.
A vulnerability that pervasive is rare, for good reason. Apple and Google pile millions of dollars into securing their mobile operating systems, layering on hurdles for hackers and paying bounties for information about vulnerabilities in their software. But a modern computer or smartphone is a kind of silicon Frankenstein, with components sourced from third-party companies whose code Apple and Google don’t entirely control. And when security researcher Nitay Artenstein dug into the Broadcom chip module that helps power every iPhone and most modern Android devices, he found a flaw that had the potential to completely undermine the expensive security of all of them.
Over the last weeks, both Google and Apple have rushed to patch that bug, which Artenstein calls Broadpwn. Without that fix, it would have allowed a hacker who comes within Wi-Fi range of a target not only to hack a victim’s phone, but even to turn it into a rogue access point that would in turn infect nearby phones, quickly spreading from one device to the next in what Artenstein describes as the first Wi-Fi worm.
While the vulnerability is now patched–seriously, get that update–Artenstein says it also offers broader lessons about the fundamental security of our devices. The near-future of smartphone hacking may focus less on operating systems, says Artenstein, and more on insidious flaws in those peripheral components.
“We’re witnessing a process in which mainstream systems like the application processors running iOS or Android have become so hardened by undergoing intense security research that security researchers are starting to look into other directions,” says Artenstein, who presented his findings at the Black Hat security conference and in a subsequent…