Security issue with the BCM43438 firmware?

Posted: Tue Apr 04, 2017 11:31 pm
by goobering
I just finished reading this (very long, very dense, very boring) writeup relating to a few security problems with Broadcom's firmware on an unspecified number of its WiFi SoCs:

https://googleprojectzero.blogspot.co.u ... -fi_4.html

While I'm no security researcher, the chipper signoff:
'In the next blog post, we’ll see how we can use our assumed control of the Wi-Fi SoC in order to further escalate our privileges into the application processor, taking over the host’s operating system!'
...sounds like the kind of thing that's probably undesirable. Google and Apple have both released security updates to address the problem in phone handsets with affected Broadcom chipsets.

The article namedrops the BCM4339 and BCM4358, and the associated bug reports (https://bugs.chromium.org/p/project-zer ... il?id=1047) mysteriously end with '...I believe this vulnerability's scope includes a wider range of Broadcom SoCs and versions'. I'm not sure whether the BCM43438 is affected or not, but it would be interesting to know one way or another.

Re: Security issue with the BCM43438 firmware?

Posted: Wed Apr 05, 2017 8:12 am
by edge0f17
The published attack only works from another device that is already connected to your network, but the RPi is at risk and the firmware should be updated.

Re: Security issue with the BCM43438 firmware?

Posted: Wed Apr 05, 2017 2:59 pm
by goobering
I raised it as an issue on the RPi Github here: https://github.com/raspberrypi/firmware ... -291857845. Sounds like nobody knows if it's a problem yet.

Re: Security issue with the BCM43438 firmware?

Posted: Sat Apr 08, 2017 7:49 pm
by beta-tester
I love those descriptions that analyse how things work and how they can be bent/tweaked/used to force the system to do other things...
Thank you for pointing to that blog article.

Re: Security issue with the BCM43438 firmware?

Posted: Sun Apr 09, 2017 4:53 pm
by jamesh
We started looking at this the moment the issue was posted here. Nothing yet to report.

Re: Security issue with the BCM43438 firmware?

Posted: Tue Apr 11, 2017 3:31 pm
by goobering
Thanks for that james, I look forward to reading up on the outcome. Looks like hard sums to me, good luck with it!

Re: Security issue with the BCM43438 firmware?

Posted: Wed Apr 12, 2017 9:33 am
by jamesh
goobering wrote:Thanks for that james, I look forward to reading up on the outcome. Looks like hard sums to me, good luck with it!
More down to Brcm really, they provide all the HW and the drivers for it.

Re: Security issue with the BCM43438 firmware?

Posted: Tue Jun 13, 2017 9:52 am
by nicolap8
Hey, two months and nothing new!
So the Raspberry Pis are INSECURE.
Thanks......

Re: Security issue with the BCM43438 firmware?

Posted: Tue Jun 13, 2017 9:56 am
by runboy93
Not affecting BCM43143?

Have you been in any contact with Broadcom?

Re: Security issue with the BCM43438 firmware?

Posted: Tue Jun 13, 2017 10:00 am
by nicolap8
runboy93 wrote:Not affecting BCM43143?
I haven't found an official list of affected RPis. (Why?)
So I assume that all with a Broadcom Wi-Fi chip ARE affected!

Re: Security issue with the BCM43438 firmware?

Posted: Tue Jun 13, 2017 2:18 pm
by jamesh
nicolap8 wrote:Hey, two months and nothing new!
So the Raspberry Pis are INSECURE.
Thanks......
Not sure what you expect us to do about it, we don't have the source code for the firmware, that is at Broadcom, so they are the ONLY people who can fix it.

They know about the issue.

Meanwhile, this, as an exploit, is very difficult to take advantage of, but if you feel the Pi is insecure, either don't use it or keep it off the network.

Re: Security issue with the BCM43438 firmware?

Posted: Tue Jun 13, 2017 2:24 pm
by nicolap8
jamesh wrote:
nicolap8 wrote:Hey, two months and nothing new!
So the Raspberry Pis are INSECURE.
Thanks......
Not sure what you expect us to do about it, we don't have the source code for the firmware, that is at Broadcom, so they are the ONLY people who can fix it.

They know about the issue.
It's your duty to ask them to solve the bug. Simple!
jamesh wrote:Meanwhile, this, as an exploit, is very difficult to take advantage of, but if you feel the Pi is insecure, either don't use it or keep it off the network.
Of course, we already stopped buying RPis...

Re: Security issue with the BCM43438 firmware?

Posted: Tue Jun 13, 2017 2:28 pm
by jamesh
nicolap8 wrote:
jamesh wrote:
nicolap8 wrote:Hey, two months and nothing new!
So the Raspberry Pis are INSECURE.
Thanks......
Not sure what you expect us to do about it, we don't have the source code for the firmware, that is at Broadcom, so they are the ONLY people who can fix it.

They know about the issue.
It's your duty to ask them to solve the bug. Simple!
jamesh wrote:Meanwhile, this, as an exploit, is very difficult to take advantage of, but if you feel the Pi is insecure, either don't use it or keep it off the network.
Of course, we already stopped buying RPis...
I believe we have already reported it (of course, they would already have known about it).

I hope you have also stopped buying all other devices that use the same chip range (mobiles, tablets, USB Ethernet adapters, laptops, TVs etc.) just to be on the safe side.

EDIT: You can turn the Wi-Fi chip off and use an adaptor if you really need Wi-Fi.
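Two practical checks that follow from the thread, as an added example that is not part of any post above and not Raspberry Pi Foundation or Broadcom code: read back which Broadcom SoC firmware build the Pi is actually running, and generate the modprobe fragment that keeps the onboard chip's driver from loading (jamesh's "turn the Wi-Fi chip off" option). It assumes the onboard chip is driven by the in-kernel brcmfmac driver, which logs the SoC firmware banner ("Firmware version = ...") to the kernel log when it loads; the sample log line below is constructed for offline use, and its version and build identifiers are placeholders, not a real affected or fixed release.

```shell
#!/bin/sh
# Added example (not from the forum thread, the Foundation or Broadcom).
# Assumption: the onboard Broadcom Wi-Fi uses the brcmfmac driver, which logs
# a line like "brcmfmac: brcmf_c_preinit_dcmds: Firmware version = wl0: ... version A.B.C ..."
# at load time.

# Extract the numeric firmware version from one brcmfmac banner line.
# Prints nothing if the line is not a firmware banner.
brcm_fw_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*Firmware version = .*version \([0-9][0-9.]*\).*/\1/p'
}

# Report the firmware version(s) of the live system by scanning the kernel log.
# Empty output means the driver never loaded (or the log has been rotated away).
report_live_firmware() {
    dmesg 2>/dev/null | grep 'brcmfmac.*Firmware version' | while read -r line; do
        brcm_fw_version "$line"
    done
}

# Produce the /etc/modprobe.d fragment that stops the onboard chip's driver
# from loading on the next boot. Note this also disables any USB adapter that
# uses brcmfmac itself; an adapter on a different driver keeps working.
blacklist_fragment() {
    printf 'blacklist brcmfmac\nblacklist brcmutil\n'
}

# Constructed sample banner line (placeholder version/build identifiers).
SAMPLE_LINE='[    4.123456] brcmfmac: brcmf_c_preinit_dcmds: Firmware version = wl0: Jan 01 2017 00:00:00 version 7.45.18 (r000000) FWID 00-00000000'

# Stand-alone run: show the parsed sample, then the live system if available.
if [ "${1:-}" = "--run" ]; then
    echo "sample banner version: $(brcm_fw_version "$SAMPLE_LINE")"
    echo "live firmware version(s): $(report_live_firmware)"
    echo "to disable the onboard chip, write this to /etc/modprobe.d/disable-brcm-wifi.conf:"
    blacklist_fragment
fi
```

Run it with `sh script.sh --run` on the Pi; `report_live_firmware` needs read access to the kernel log, so use `sudo` if `dmesg` is restricted. Compare the reported version against whatever Broadcom eventually ships in the Foundation's firmware package, rather than against any number in this example.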