Update to iOS 10.3.3 now

Apple patches serious Wi-Fi exploit.

iPad&iPhone user - Glenn Fleishman reports

iOS users should update immediately to version 10.3.3 to eliminate the risk of a Wi-Fi-based exploit that can be carried out by an attacker in proximity to a device – or potentially through a compromised Wi-Fi router – without any interaction from the user at all.

In the iOS 10.3.3 update, Apple patched a bug that arises from how three models of Broadcom wireless chips, which Apple uses in iOS hardware, process data. The chips are designed for smartphones and tablets, and aren’t used in Macs or other full-featured PCs. Security researcher Rich Mogull of Securosis said, “As described, the Broadcom vulnerability is extremely serious, but we will need to see the full exploit details to determine the real risk to users on all the various devices out there.”

Affected devices are the iPhone 5 and later, fourth-generation iPads and later, and the sixth-generation iPod touch. Apple’s release note explained, “An attacker within range may be able to execute arbitrary code on the Wi-Fi chip,” and attributed its discovery to Nitay Artenstein of Exodus Intelligence.

Artenstein in April scheduled a talk about the vulnerability for the Black Hat security event happening in Las Vegas 22 to 27 July without providing details. He labelled the flaw ‘Broadpwn’. Artenstein hasn’t yet provided further details, although his talk says he’ll “tell the story of how we found the bug and exploited it to achieve full code execution – and how we went on to leverage our control of the Wi-Fi chip in order to run code in the main application processor.”

To use this proximity attack, a malicious party would need to be within range of a user with a vulnerable device. That limits the potential effect, but also means that anyone with an unpatched device remains at risk from hackers using heavily trafficked public places or targeting employees of specific companies, organizations, or government agencies.

Wi-Fi routers and Internet of Things (IoT) devices used by consumers and small businesses have been cracked in the millions worldwide, making that an unfortunately plausible vector that bypasses the requirement for someone to be within Wi-Fi range of a victim – or thousands of victims. Compromised hardware could then be used to stage attacks.

On 5 July, Google released a patch for the flaw for Android systems. Apple’s update came on 19 July. No reports have appeared of this flaw being exploited in the wild. It affects hundreds of millions of smartphones and other devices that use a set of Broadcom chips released starting a few years ago.

Online metrics show that iOS users tend to update to the latest releases rapidly, and this should be no different. But if you haven’t yet, you can avoid any potential of being hit by this and other security exploits by installing the latest release right away.

Android users may have a more difficult track, as even some modern Android phones with the affected chips lack upgrade paths. Mogull notes, “Although most iOS devices with the vulnerable chip can be patched, this likely doesn’t hold true for all Android (and other) devices.”
