Alex Plaskett

@alexjplaskett

11 Tweets 8 reads Jan 30, 2023
I recently got asked about WiFi over-the-air exploits and my knowledge was fairly rusty. In refreshing this I went over a number of papers and tooling - here are 8 of them! 🧡
1/ Exploring the attack surface of Broadcom Wi-Fi SoC, discovering and exploiting vulnerabilities googleprojectzero.blogspot.com and googleprojectzero.blogspot.com by @laginimaineb
2/ Zero Click Radio Proximity attacks against Apple iPhones by @i41nbeer focusing on AWDL googleprojectzero.blogspot.com
3/ Firmware analysis, reverse engineering vuln finding on Broadcom WiFi by @quarkslab blog.quarkslab.com
4/ Focusing in on Qualcomm WLAN architecture, vulns and exploit i.blackhat.com
5/ Looking at Intel's WiFi Stack, firmware, drivers, vulns and exploitation blackhat.com
6/ Another blog post on Broadcom by @nitayart describing a fully remote attack against Broadcom’s BCM43xx family of WiFi chipsets blog.exodusintel.com together with the paper from BH blackhat.com
7/ Tons of great tooling by @seemoolab github.com for a large number of areas in mobile networking. Tooling for WiFi firmware emulation (github.com), fuzzing, reversing. Even includes really modern tech such as Apple's U1 chip github.com
8/ Dive into Apple IO80211FamilyV2 i.blackhat.com looking at Apple's 802.11 subsystem. Focusing on the OS side, drivers, fuzzing and not chipset firmware.
What is your favourite public research in this area? Especially interested in more modern work published.
If you enjoyed this thread here are some others I have written in the past about platform security research:
macOS Kernel -
Windows Kernel -
Linux Kernel -