Security researcher Nitay Artenstein found a critical vulnerability allowing running code on Android and iOS devices without any user input. The vulnerability was called Broadpwn and CVE-2017-9417.

The problem affects the built-in smartphones Wi-Fi chips from the American manufacturer Broadcom. Artenstein notified Google about it privately, and on July 5, the company issued a fix in the framework of regular updates for Android. The researcher has not given the public any details about the vulnerability and intends to submit a report on Broadpwn at the Black Hat USA conference that will be held early next month in Las Vegas.

According to Artenshtein, the problem affects millions of Android and iOS devices that use wireless chips for the Broadcom series BCM43xx. In particular, these chips are used in mobile devices manufactured by Google (Nexus), Samsung, HTC, LG, etc..

In order to get more information about Broadpwn researcher Zhuowei Zhang (Zhuowei Zhang) carried out the reverse-engineering of the July updates for Android. As it turned out, the vulnerability is associated with a buffer overflow in the heap and is present in the firmware of Broadcom chips. To exploit it, an attacker must send an incorrectly-length WME (QoS) information element to the attacked device from the network to which it is connected,.

To successfully implement the attack, user participation is not required - the victim is only to be in the coverage area of ??the malicious Wi-Fi network.

Later Artenshtein said that the connection to the network is not necessary.

WME (Wireless Multimedia Extensions) - wireless multimedia extensions. A protocol based on the IEEE 802 standard. 11e, to provide basic QoS functions for wireless IEEE 802 networks. eleven. This mechanism provides network packages with multimedia applications with priority over conventional network data packets, allowing multimedia applications to work more robust and with fewer errors.