How to protect your company from Broadpwn, the Wi-Fi chip hack across iPhone & Android that exposed one of the worst vulnerabilities in history
Back in April, Exodus Intelligence security researcher Nitay Artenstein took a look at the chip module that powers every single iPhone and most Android devices: the Broadcom Wi-Fi chip. What he found was one of the most devastating flaws in security history: the Broadpwn hack. The Broadpwn hack had the potential to hack one billion iPhone and Android smartphone users, but that wasn’t the worst of it, and it wasn’t the last of it.
In fact, the Broadpwn hack is currently one of the most dangerous cyber threats still active. It is classified as an “Over-the-Air” hack, which means the user literally has to do nothing for a smart device to be infected. Traditional hacks often require the user to open phishing mail, click on dangerous links, or somehow interact with malware. Over-the-air hacks like the Broadpwn hack, however, can infect a nearby device without ever touching it at all. In other words, the Broadpwn hack doesn’t have to send or make contact with a device. All it has to do to infect a device is simply be near it.
In the Broadpwn hack’s case, Artenstein discovered that a vulnerability in Wi-Fi chips manufactured by Broadcom had the ability to fill airwaves with probes requesting connection to nearby devices. When the request finally reaches a nearby device that uses the BCM43xx family of Wi-Fi chipsets, the hack rewrites the firmware that controls the chip. It then infects the device, creating a self-replicating hack. The chip continues to send the same malicious packets to other nearby devices with the same vulnerability, creating a vicious digital malware cycle that never stops.
How do you combat a phantom virus that can strike at any time, without you or your employees ever knowing? Education, implementation, and time. First, educate yourself on the hack and what it has affected. Second, implement an immediate course of action. Third, take all necessary steps as soon as possible to eliminate every threat in the office.
Artenstein reported that the Broadpwn hack affected a wide array of phones, including all iPhones since the iPhone 5, Google’s Nexus 5, 6, 6x, and 6P models, Samsung Notes 3 devices, and Samsung Galaxy devices from S3 to S8. Know the targeted models to help weed out threats from non-threats.
Google and Apple issued patches about a week ago. Up until that point, one billion users were wide open to the infection. The patch comes in the form of an automatic update for supported users only. Supported devices include all Apple products and up-to-date Android devices. Android phones older than two years have no support at all and therefore have no updates being pushed to them. Between at-risk users unsure of how to install the forced updates and a large majority of users unsupported, the chance of infection is still real.
It is important to note that the security patches pushed by Google and Apple are manual and must be installed by all users of the devices. That means you and your staff must manually activate the patches on all work and personal devices.
In order to protect your enterprise data, you first need to ensure that all devices within your business are updated with the patch, and this needs to happen now. That means creating a plan of action to identify who has smart devices, who has installed the patch and who hasn’t, and which devices have the patch available but cannot install it due to technical issues. Then, start to identify devices that are out-of-date and are no longer receiving security patch updates. Knowing what assets you have and where your threats are (even if you can’t fix them) is a huge advantage. Finally, create a strong work policy for smart devices at work, both business and personal, and start applying it throughout the entire office.
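The inventory step above can be scripted against a device export. The following is an added example, not part of the original article: it sorts devices into patched, patch pending, patch blocked by a technical issue, and unsupported. The CSV column names, the `classify` and `triage` helpers, and the fix versions in `FIXED` are assumptions; the fix versions are constructed placeholders to be replaced with the values from the Apple and Google bulletins.

```python
import csv
import io
from datetime import date

SUPPORT_YEARS = 2  # per the article: Android phones older than two years get no updates

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def classify(row, fixed, today):
    """Return PATCHED, PENDING, BLOCKED or UNSUPPORTED for one inventory row."""
    platform = row["platform"].strip().lower()
    try:
        if platform == "ios":
            patched = parse_version(row["os_version"]) >= parse_version(fixed["ios"])
        else:  # Android reports a security patch level as an ISO date
            patched = date.fromisoformat(row["patch_level"]) >= date.fromisoformat(fixed["android"])
    except ValueError:
        patched = False  # missing or unparseable version: treat as unpatched
    if patched:
        return "PATCHED"
    if platform == "android":
        age_years = (today - date.fromisoformat(row["released"])).days / 365.25
        if age_years > SUPPORT_YEARS:
            return "UNSUPPORTED"  # no update will arrive; needs a policy decision
    return "BLOCKED" if row["install_error"].strip() else "PENDING"

def triage(csv_text, fixed, today):
    """Group device ids from an inventory CSV by remediation status."""
    groups = {"PATCHED": [], "PENDING": [], "BLOCKED": [], "UNSUPPORTED": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[classify(row, fixed, today)].append(row["device_id"])
    return groups

# Constructed placeholders, NOT the real fix versions: take those from the vendor bulletins.
FIXED = {"ios": "100.0.1", "android": "2100-01-05"}
TODAY = date(2100, 2, 1)
# Constructed inventory export; the column names are assumptions.
SAMPLE = """device_id,platform,os_version,patch_level,released,install_error
phone-01,ios,100.0.1,,2096-09-01,
phone-02,ios,100.0,,2099-09-01,
phone-03,android,,2100-01-05,2099-04-01,
phone-04,android,,2099-11-01,2099-04-01,storage full
phone-05,android,,2099-11-01,2097-05-01,
phone-06,android,,,2099-08-01,
"""

if __name__ == "__main__":
    for status, devices in triage(SAMPLE, FIXED, TODAY).items():
        print(f"{status:12} {', '.join(devices) or '-'}")
```

Devices that report no patch level at all are counted as unpatched, so a gap in the inventory shows up as work to do instead of being silently passed.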
One of the fastest and most effective ways to ensure that all of these things are happening is to employ a Mobile Device Management Platform with the help of a Technology Consulting firm. They can help organize and orchestrate the vital actions that need to happen immediately, and plan what needs to take place over time to build a strong Mobile Device/Smart Device policy at your company.
Whether you choose to do-it-yourself or contact a tech firm, it is extremely important to take action now, because the severity of this incident is leaving your business wide open.
zbrella Technology Consulting is a leading cyber security specialist and IT Support firm in NYC that offers monthly Mobile Device Management Platform Plans for low monthly prices. Call 800-750-4296 and dial #2 today for sales.