Calling all Android and Apple users: If you haven't grabbed that latest update for your mobile device, then you may be vulnerable to a remote attacker that could potentially access restricted memory or applications on your phone when it connects to a rogue Wi-Fi access point. Late September, both Android and Apple released a patch to fix this vulnerability in the Broadcom Wi-Fi driver chipset.
Although Android states that they have had no reports of active customer exploitation or abuse of these newly reported issue, they strongly urge users to update to the latest version. Their SEP 25 release catches these Wi-Fi bugs, but I would go ahead and update with their OCT 5 release, because it addresses issues that may allow escalation of privileges if left as is.
Apple also released patches on Sep 25th for iPhone 5s and later, iPad Air, and iPod touch (6th generation).
How does this vulnerability actually affect your device? The Broadcom Wi-Fi chipset is the component within our devices that allows us to connect to the Internet via Wi-Fi. Someone with malicious intent could leverage this vulnerability by setting up a rogue Wi-Fi with a catchy name like, 500mbps Super Fast Internet or Free Wi-Fi here. Then, when you—the unsuspecting user—clicks on it, a malicious file (in techy terms: "a payload") is installed on your device giving the bad actor access to your restricted kernel memory without having to enter a passcode. From there, the sky's the limit, since having access to the "kernel" is like having access to the root, or master, file of your device. The attacker can use your device to access your company data if you have your business applications running (e.g. zoom, skype, MS Outlook, Sales Force, to name a few). Or, the attacker can clean out your bank accounts if you have a bank app running. There is even potential for blackmail if you have certain private photos that could be posted on a public forum.
Bottom line: Keep up with updates on your mobile devices no matter what Operating System (OS) you are using!Worried about your connection? Check out these 5 Wi-Fi Hygiene Tips:
- Be wary of Wi-Fi access points with obvious names, such as "Free Public WiFi," "Airport Wi-Fi," "500GBPS Speed!" or other nearby store names
- Never access your personal bank account or other financial institution until you are on a secure network.
- Avoid personal email, work email, and social media accounts when you are on public Wi-Fi.
- Never disclose personally identifiable information (PII), like your Social Security number or birth date, over a public hotspot.
- Remember, a password posted on the wall of your location doesn't equal secure internet access.
For information on Cyber Liability insurance, contact Greg Cooke USI Affinity today.