Older versions of Broadcom firmware found in a number of mobile devices from major vendors including the Apple iPhone, iPad, Samsung Galaxy S and HTC Droid Incredible are vulnerable to a denial of service attack.
Researchers Andres Blanco and Matias Eissler of Core Security Technologies reported the vulnerability in August, and this week published details on proof-of-concept exploit code.
Broadcom has issued a firmware update and said customers are deploying the patch on a case by case basis. Most of the vulnerable mobile devices are no longer supported.
The vulnerability is an out-of-bounds read-error condition, Core and US-CERT said in an advisory. It exists in Broadcom BCM4325 and BCM4329 combo solutions firmware. Information disclosure is also possible, Core said. Broadcom said other chips are not affected.
“An attacker can send a RSN (802.11i) information element, which causes the Wi-Fi [network interface card] to stop responding,” the advisory said.
The Broadcom BCM4325 chipset is found in the iPhone 3GS, iPod 2G, HTC Droid Incredible, HTC Touch Pro 2 and the Ford Edge automobile. The BCM4329 is in the iPhone 4, iPod 3G, iPad 3G and Wi-Fi, Motorola Droid X2, Xoom and Atrix, the Samsung Galaxy Tab, Galaxy S 4G and Nexus S, among other devices.
Broadcom said an attacker would require “significant technical expertise” to execute the attack and cause the chips to experience a service interruption.