Explore a critical vulnerability in Broadcom's Wi-Fi chipsets affecting millions of Android and iOS devices in this Black Hat conference talk. Dive into the Broadpwn exploit, which can be triggered remotely without user interaction. Examine the widespread impact on popular mobile devices, including iPhones and Samsung flagships. Learn about remote exploit techniques, baseband fragmentation, and Wi-Fi association processes. Discover the research process, including firmware reverse engineering and source code analysis. Understand the attack surface, vulnerability identification, and exploitation techniques. Investigate write primitives, egg hunting, and exploit buffer layout. Gain insights into worm-like behavior and potential real-world implications. Conclude with a demonstration of the Broadpwn exploit in action.
Broadpwn - Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets
Overview
Syllabus
Introduction
What is a remote exploit
Google Project Zero
Mitigations
Baseband and WiFi
Baseband fragmentation
Market leader
Bonus
Research
Reversed Firmware
Source Leak
First Quiz
WiFi Association Process
Arrow Dump
Identifying Access Points
No Authentication
Attack Surface
Reverse Engineering
IAI Powers Function
Mapping xrefs
What is Wireless Media Extensions
Finding the bug
Checking the buffer size
Samsung S7 vulnerability
Mac vulnerability
Second Law of Remotes
What we want
What is PS
PS struct
Write primitive
Write to function table
Write to ring buffer
Egg hunting
Layout of exploit buffer
Third law of remotes
Worms and Stuxnet
How it works
Demo
Taught by
Black Hat
