Broadcom Wi-Fi chips embedded in Android and iOS devices are vulnerable to a bug that allows an attacker to execute code on those devices, without any interaction needed from the user.
The bug was discovered by security researcher Nitay Artenstein, is nicknamed Broadpwn, and is tracked as CVE-2017-9417.
Artenstein reported the bug privately to Google, which included a fix for this issue in the Android Security Bulletin for July 2017, released this week, on July 5.
Artenstein has not disclosed any information about the bug or exploit to the public, and he's set to give a presentation about Broadpwn at this year's Black Hat USA security conference that will be held in Las Vegas at the start of August.
In the few details he revealed about the bug, Artenstein says Broadpwn "affects millions of Android and iOS devices" that use Broadcom Wi-Fi chips to handle network communications.
The researcher specifically points the finger at the Broadcom BCM43xx family of Wi-Fi chips included in "an extraordinarily wide range of mobile devices" from vendors such as Google (Nexus), Samsung, HTC, and LG.
Zhuowei Zhang, another Android security expert, has reverse engineered the Android July 2017 security patch to dig out more details about Broadpwn.
Zhang says the bug appears to be a heap overflow in the firmware of Broadcom Wi-Fi chips. The researcher says exploitation takes place when the user's device "receives a WME (Quality-of-Service) information element with a malformed length from a connected network."
The attacker doesn't need any user interaction to exploit the bug. A victim only needs to walk into the attacker's Wi-Fi network range. Artenstein later confirmed on Twitter that connecting to a malicious network is not necessary.
In its security bulletin, Google rated Broadpwn as a "critical" severity issue, meaning the company views it as a dangerous bug.
Zhang also says that Broadpwn appears to be related to another flaw in Broadcom Wi-Fi chips discovered by Google Project Zero researchers and patched in April 2017.
Users who have not received this month's Android security patch should only connect to trusted Wi-Fi networks and disable any "Wi-Fi auto-connect" feature, if using one.
There is no information on the status of this bug for iOS devices.
Article updated to reflect that the CVE-2017-9417 severity level has changed from medium to critical.