Imagine your smartphone or tablet getting hacked by simply walking past a Wifi access point. You don't need to do anything for the hack to happen, not even join the Wifi network, and you won't notice it.

That scenario could easily happen soon. Security researcher Nitay Artenstein - and Gal Beniamini from Google before him - have found a vulnerability in the very popular Broadcom Wifi chips used in heaps of Apple and Google Android devices that can be triggered like that.

Attacking devices via their built-in Wifi chips is novel, and could become a massive problem that's very hard to fix.

Artenstein called the vulnerability Broadpwn, a play on Broadcom and being "pwned" or owned, but he didn't stop there: the flaw can be used to create a nightmare scenario with self-propagating malware that automatically infects devices without their owners being able to do anything about it.


Such malware, called worms, have just about died out thanks to coders figuring out how to stop them from automatically spreading, in new software and hardware at least.

Worms were a real threat not so long ago though. IT and infosec people will remember the Welchia and Conficker worms that infected millions of Windows PCs less than ten years ago.

Conficker has turned out to be very hard to kill, as there are still lots of older and vulnerable computers around.

Therein lies the rub: Apple and Google have issued security updates that take care of the Broadpwn vulnerability, but we could still be looking at a worldwide worm epidemic soon.
That's because millions of older devices out there won't get the digital worm pills and be secured. As Artenstein wryly told me, "patching is an issue on many older devices - especially Androids by the way."

Android devices are often abandoned by vendors after one or two years, and won't ever be updated. Updates are a problem for older Apple devices too: the fix for Broadpwn is in the latest 10.3.3 version of the iOS operating system, which for instance iPhone 4 and iPad 2 won't get.

The two Apple devices appear to have the vulnerable Broadcom chipset and they are still very much in use, Andrew Walters of Sirius Information Services that manages IT solutions for Auckland schools.

What's more, the older devices won't have new, and more secure hardware and software features that this year's gear has, which means they're easier to hack.

Schools have thousands of older iPads that won't get updates, Walters said. They work just fine, being only three to four year old. Besides, which school has the money to replace them?

If they can't be updated and made secure, the situation is a ticking time bomb as Walters puts it.

Also, Broadpwn goes further than iPhones, iPads and Androids: Apple updated the macOS operating system for desktops and laptops fix the flaw, and techies are looking at Windows computers from major vendors to work out if they are Broadpwn-able too and need patches.

The cat's out of the bag and it's a safe bet that someone will write a Broadpwn worm and start spreading it, perhaps with a ransomware or otherwise destructive payload.

Google and Apple need to act urgently. They should tap into their considerable profits and cash reserves to exchange the vulnerable devices in schools, hospitals and other public institutions before the Broadpwn worm turns and we're in the middle of the next malware disaster.