Recent vulnerability in Broadcom's Wi-Fi firmware - are Replicant-based devices affected?

Added by NS von H over 1 year ago

A remote-code execution vulnerability has been recently discovered in Broadcom's Wi-Fi firmware:
https://www.theregister.co.uk/2017/04/05/broadcom_wifi_chip_bugs/

(...) an attacker simply needs to be within Wi-Fi range to silently take over an at-risk Apple or Android device

I don't know if this buggy firmware can take over a Samsung device running Replicant, but it certainly is a reminder that even firmware running on a separate processor (Wi-Fi in this case) with a free driver can be harmful to your system. And when its source is closed (like Broadcom's), things get even worse, because it can contain anything.

I wonder if a bug in a GSM modem firmware could allow taking over e.g. a Galaxy S3. Unfortunately there's no free replacement for the GSM modem. The safest solution still seems to be a GSM-disabled phone (https://redmine.replicant.us/boards/39/topics/13996) connected via a free-firmware Wi-Fi card to an external MiFi device which connects to a GSM network. And on top of that VPN + SIP. But who has the patience? :D


Replies (2)

RE: Recent vulnerability in Broadcom's Wi-Fi firmware - are Replicant-based devices affected? - Added by Jeremy Rand over 1 year ago

It's not so much an issue of whether all the stuff your phone talks to is free (this isn't possible to achieve, even theoretically: at some point you'll be talking to other people's devices). It's more an issue of whether there are any non-free components that aren't properly isolated from your system.

WiFi devices, in theory, don't need to be trusted very much. They usually don't have access to much data that's valuable (they can only see the Internet traffic that you chose not to encrypt). They can see the SSIDs within range of your device, but by itself that's not a huge threat. The main reason why WiFi devices tend to be dangerous is if they're not properly isolated from the rest of the system. There's a well-established method for isolating them: using an IOMMU. When an IOMMU isn't used to isolate WiFi devices, then all bets are off.

Basebands are somewhat similar, with the exception that they have access to much more metadata that could be dangerous (in particular, the ability to do location tracking). WiFi devices can do location tracking too, but basebands have a longer range and accordingly are more dangerous in that respect. The major problem with basebands, like with WiFi devices, is when they're not properly isolated. My understanding from reading what Paul has written is that many phones give the baseband full access to the rest of the hardware. This means that, since the baseband isn't free, a nonfree program has full control of your system. That doesn't have to be the case. Some phones don't give the baseband full control; it appears that the Samsung phones supported by Replicant don't do that, which is presumably why Samsung needed to create a separate backdoor (which Replicant found and removed).

So, tl;dr: nonfree WiFi devices aren't inherently highly dangerous, but poor system design can make them a lot more dangerous than they need to be. I'd be somewhat surprised if many phones on the market actually isolate the WiFi device properly.

RE: Recent vulnerability in Broadcom's Wi-Fi firmware - are Replicant-based devices affected? - Added by Kurtis Hanna over 1 year ago

I could be mistaken, but I think the internal Broadcom Wi-Fi in Replicant devices doesn't work. This vulnerability would only be an issue if you added the proprietary blob back to Replicant to get the internal Broadcom Wi-Fi to work. This isn't recommended by our project.