goobering
Posts: 5
Joined: Tue Mar 18, 2014 3:07 pm

Security issue with the BCM43438 firmware?

Tue Apr 04, 2017 11:31 pm

I just finished reading this (very long, very dense, very boring) writeup relating to a few security problems with Broadcom's firmware on an unspecified number of its WiFi SoCs:

https://googleprojectzero.blogspot.co.u ... -fi_4.html

While I'm no security researcher, the chipper signoff:
'In the next blog post, we’ll see how we can use our assumed control of the Wi-Fi SoC in order to further escalate our privileges into the application processor, taking over the host’s operating system!'
...sounds like the kind of thing that's probably undesirable. Google and Apple have both released security updates to address the problem in phone handsets with affected Broadcom chipsets.

The article namedrops the BCM4339 and BCM4358, and the associated bug reports (https://bugs.chromium.org/p/project-zer ... il?id=1047) mysteriously end with '...I believe this vulnerability's scope includes a wider range of Broadcom SoCs and versions'. I'm not sure whether the BCM43438 is affected or not, but it would be interesting to know one way or another.

edge0f17
Posts: 17
Joined: Sun Oct 25, 2015 6:55 am

Re: Security issue with the BCM43438 firmware?

Wed Apr 05, 2017 8:12 am

The published attack only works from another device that is already connected to your network, but the RPi is at risk and the firmware should be updated.

goobering
Posts: 5
Joined: Tue Mar 18, 2014 3:07 pm

Re: Security issue with the BCM43438 firmware?

Wed Apr 05, 2017 2:59 pm

I raised it as an issue on the RPi GitHub here: https://github.com/raspberrypi/firmware ... -291857845. Sounds like nobody knows if it's a problem yet.

beta-tester
Posts: 1391
Joined: Fri Jan 04, 2013 1:57 pm
Location: de_DE

Re: Security issue with the BCM43438 firmware?

Sat Apr 08, 2017 7:49 pm

I love those descriptions that analyse how things work and how they can be bent/tweaked/used to force the system to do other things...
Thank you for pointing to that blog article.
{ I only give negative feedback }
RPi B (256MB), B (512MB), B+, ZeroW; 2B; 3B, 3B+; 4B (4GB)

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 27415
Joined: Sat Jul 30, 2011 7:41 pm

Re: Security issue with the BCM43438 firmware?

Sun Apr 09, 2017 4:53 pm

We started looking at this the moment the issue was posted here. Nothing yet to report.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

goobering
Posts: 5
Joined: Tue Mar 18, 2014 3:07 pm

Re: Security issue with the BCM43438 firmware?

Tue Apr 11, 2017 3:31 pm

Thanks for that james, I look forward to reading up on the outcome. Looks like hard sums to me, good luck with it!

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 27415
Joined: Sat Jul 30, 2011 7:41 pm

Re: Security issue with the BCM43438 firmware?

Wed Apr 12, 2017 9:33 am

goobering wrote:
> Thanks for that james, I look forward to reading up on the outcome. Looks like hard sums to me, good luck with it!

More down to Brcm really, they provide all the HW and the drivers for it.

nicolap8
Posts: 572
Joined: Mon Mar 13, 2017 9:45 pm

Re: Security issue with the BCM43438 firmware?

Tue Jun 13, 2017 9:52 am

Hey, two months and nothing new!
So the Raspberry PIs are UNSECURE.
Thanks......

runboy93
Posts: 352
Joined: Tue Feb 28, 2017 1:17 pm
Location: Finland

Re: Security issue with the BCM43438 firmware?

Tue Jun 13, 2017 9:56 am

Not affecting BCM43143?

Have you been in any contact with Broadcom?
Last edited by runboy93 on Tue Jun 13, 2017 10:02 am, edited 1 time in total.

nicolap8
Posts: 572
Joined: Mon Mar 13, 2017 9:45 pm

Re: Security issue with the BCM43438 firmware?

Tue Jun 13, 2017 10:00 am

runboy93 wrote:
> Not affecting BCM43143?

I haven't found an official list of affected RPis. (Why?)
So I assume that all with a Broadcom WIFI chip ARE affected!

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 27415
Joined: Sat Jul 30, 2011 7:41 pm

Re: Security issue with the BCM43438 firmware?

Tue Jun 13, 2017 2:18 pm

nicolap8 wrote:
> Hey, two months and nothing new!
> So the Raspberry PIs are UNSECURE.
> Thanks......

Not sure what you expect us to do about it, we don't have the source code for the firmware, that is at Broadcom, so they are the ONLY people who can fix it.

They know about the issue.

Meanwhile, this, as an exploit, is very difficult to take advantage of, but if you feel the Pi is insecure, either don't use it or keep it off the network.

nicolap8
Posts: 572
Joined: Mon Mar 13, 2017 9:45 pm

Re: Security issue with the BCM43438 firmware?

Tue Jun 13, 2017 2:24 pm

jamesh wrote:
> nicolap8 wrote:
> > Hey, two months and nothing new!
> > So the Raspberry PIs are UNSECURE.
> > Thanks......
>
> Not sure what you expect us to do about it, we don't have the source code for the firmware, that is at Broadcom, so they are the ONLY people who can fix it.
>
> They know about the issue.

It's your duty to ask that they solve the bug. Simple!

jamesh wrote:
> Meanwhile, this, as an exploit, is very difficult to take advantage of, but if you feel the Pi is insecure, either don't use it or keep it off the network.

Of course, we already stopped buying RPis...

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 27415
Joined: Sat Jul 30, 2011 7:41 pm

Re: Security issue with the BCM43438 firmware?

Tue Jun 13, 2017 2:28 pm

nicolap8 wrote:
> jamesh wrote:
> > nicolap8 wrote:
> > > Hey, two months and nothing new!
> > > So the Raspberry PIs are UNSECURE.
> > > Thanks......
> >
> > Not sure what you expect us to do about it, we don't have the source code for the firmware, that is at Broadcom, so they are the ONLY people who can fix it.
> >
> > They know about the issue.
>
> It's your duty to ask that they solve the bug. Simple!
>
> jamesh wrote:
> > Meanwhile, this, as an exploit, is very difficult to take advantage of, but if you feel the Pi is insecure, either don't use it or keep it off the network.
>
> Of course, we already stopped buying RPis...

I believe we have already reported it (of course, they would already have known about it).

I hope you have also stopped buying all other devices that use the same chip range (Mobiles, tablets, USB ethernet adapters, laptops, TVs etc) just to be on the safe side.

EDIT: You can turn the Wifi chip off and use an adaptor if you really need Wifi.
