TidBITS: iOS 10.3.3 Patches High-Profile BroadPwn Flaw


TidBITS Articles
iOS 10.3.3 Patches High-Profile BroadPwn Flaw

This article was just published by TidBITS and sent to you at your request.

By Adam C. Engst

The ThreatPost blog has called out the fact that Apple’s recently released iOS 10.3.3 patches a high-profile flaw known as BroadPwn. The BroadPwn vulnerability, which affects Broadcom’s BCM43xx family of Wi-Fi chips, allows an attacker within Wi-Fi range to execute code on the Wi-Fi chip of an affected device. Exactly what an attacker could do from that point remains unknown, but that code would be running on the chip itself, beneath the operating system, where the operating system’s own protections do not apply.

The practical upshot of this is that you should update to iOS 10.3.3 soon. Most security vulnerabilities are limited either in what they can do or in how attackers can use them, but our security editor, Rich Mogull, said that BroadPwn looks to be one of the worst vulnerabilities he has seen in a while. So hey, just go to Settings > General > Software Update and update your iOS 10 devices right now.

What counts as an affected device? According to Nitay Artenstein, the Exodus Intelligence researcher who discovered BroadPwn, the vulnerability “is found in an extraordinarily wide range of mobile devices — from various iPhone models to HTC, LG, Nexus, and practically the full range of Samsung flagship devices.” Artenstein will be presenting a session on BroadPwn at the Black Hat USA 2017 Conference.

In its security notes about iOS 10.3.3, Apple says that the update patches the flaw on the iPhone 5 and newer, the fourth-generation iPad and newer, and the sixth-generation iPod touch. But that’s just because those are the only devices that can run iOS 10.

Older devices remain unpatched. For instance, the iPhone 4 and iPhone 4S, among others, also use vulnerable Broadcom Wi-Fi chips, and because they can’t run iOS 10.3.3, they are likely to stay vulnerable to BroadPwn.

As far as I can remember, Apple has never released a security update to a previous version of iOS, but since about 8 percent of iOS devices are still running an earlier version, that policy puts millions of people at risk. We’d like to see Apple follow the same policy it has with macOS, where two previous versions of the operating system receive security updates.

Of course, risk is relative. Most people with everyday data on their devices have little to worry about, particularly with BroadPwn, which requires that an attacker be within Wi-Fi range of a device whose Wi-Fi is switched on (no action by the user is needed beyond that, so proximity is the only barrier, and turning Wi-Fi off is the only mitigation for a device that can’t be patched). However, if you use an older, BroadPwn-vulnerable iOS (or Android) device to communicate about sensitive government, corporate, or medical topics, now would be a good time to switch to a newer device.

TidBITS members can unsubscribe from just-published articles at http://tidbits.com/subscriptions. TidBITS Talk readers will need to create a filter to delete these articles.

Article copyright © 2017 By Adam C. Engst . Reuse governed by Creative Commons License.

____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at: http://tidbits.com/pipermail/tidbits-talk/
Unsubscribe at: http://tidbits.com/mailman/options/tidbits-talk
____Mailing List Manners: http://tidbits.com/series/1141 ____