An interesting vulnerability was just announced that affects both Apple and Google/Android phones. That is something that is very unusual.
The bug is tied to a part of all cell phones called the baseband processor. It is the part of the phone that controls the radios inside your phone. In this case, the chip is the Broadcom 43xx family of chips. According to Broadcom this chip can control your cellular radio, WiFi, Bluetooth and FM radio all on one chip.
Unfortunately, researchers found a bug in the WiFi code that would allow an attacker to take over the baseband processor and from there, the entire phone.
The reason this affects both Apple and Android phones is that this chip is used by almost everyone. From iPhone 5s to the newest Android phones, they are all impacted.
Apple just released iOS 10.3.3 (which may or may not have been downloaded to your iPhone yet) and Google just released an Android patch in the July updates. Unlike Apple devices, Android users have to wait for manufacturers to pick up Google’s fixes and test them and then wait again for carriers to make them available. The only users who do not have to wait are Google branded Android phone users. Those users get their patches directly from Google.
What can you do?
If you are an Apple user, download iOS 10.3.3 and install it. Done!
If you are a user who is running a relatively new version of the Android OS on your phone AND your phone manufacturer/carrier is actively releasing updates, you should install the July update as soon as it is available. That might be 30 days or more.
If you are running an older version of the Android OS and/or your carrier/phone vendor is not releasing security updates, you are kind of out of luck. Turn off your WiFi and DO NOT TURN IT ON EVER AGAIN. This is probably. for most people, time to get a new phone.
Why, you say, am I so aggressive about this?
The report is that you only have to be within radio range of the WiFi access point which is trying to attack you in order to be compromised. You DO NOT need to connect to that access point. You do not need to open a web browser. You do not need to install an app. You do not need to click on a link. All you need to do is be near a rogue WiFi access point – which could easily be hidden in someone’s backpack.
So, for now, until you have installed the patch, if you can, leave WiFi off. If you can’t, then only turn it on when you have to.
We will know more after the researcher presents his findings at Blackhat later this month, but at least from what we have heard, this don’t not affect Windows or Mac computers, only mobile devices. But, stay tuned; this is not the end of the story.
Information for this post came from Threatpost.