iPhones, Samsung Phones Hit by Scary New Security Flaw

It's time for bad news, good news and more bad news.

Credit: Shutterstock

(Image credit: Shutterstock)

Bad news: A security researcher has discovered a devastating vulnerability, dubbed BroadPwn, that can remotely compromise both Android devices and iPhones. Good news: Google has already issued an Android patch that fixes the flaw. More bad news: There's no fix for iPhones available, and unless you have a Pixel or Nexus phone, your Android device is still vulnerable too.

Information on the vulnerability comes from two sources: an Android security bulletin from July 5 and an abstract on a presentation scheduled for the upcoming Black Hat security conference (July 26-27) by Israeli researcher Nitay Artenstein. The flaw affects Broadcom Wi-Fi chips, hence its name, and could allow malefactors to hijack phones without any input on the owner’s part.

MORE: Best Android Antivirus Software and Apps

The exact details of how the vulnerability exploit works aren't available yet, but Artenstein and Google did provide a few hints. BroadPwn (or CVE-2017-9417, to use the official designation) takes advantage of the "mysterious, closed-source HNDRTE operating system," according to Artenstein's abstract. The flaw appears to affect Broadcom's BCM4354, 4358 and 4359 chips. A wide variety of phones use these chips to connect to Wi-Fi, including models from HTC, LG, Google, Samsung and Apple.

BroadPwn appears to be completely different from another Broadcom flaw, disclosed in April, that affected the Google Nexus 5, 6 and 6p, every iPhone since the iPhone 4 and most flagship Samsung phones. Apple (with iOS 10.3.1) and Google (with the April Android security bulletin) have patched the older flaw.

Google explained in the July Android security bulletin that BroadPwn could "execute arbitrary code within the context of the kernel," meaning that it could compromise a phone at the deepest level of software. Since you can't simply install an antivirus program for a Wi-Fi chipset the same way you can for a smartphone OS, the flaw could indeed be as devastating as Artenstein and Google suggested.

Apple has yet to issue any kind of statement on BroadPwn, which leaves many questions unresolved. It's not clear which iPhone models might be affected — most models since the iPhone 4 seem to use Broadcom chips — or whether Apple has already issued a patch. But the listed CVE number is not in Apple's three most recent iOS security bulletins, and given Apple's occasional tendency to drag its heels on security issues that it didn't discover itself, we'd give even odds that iPhones are not yet safe.

Furthermore, just because Google has issued an Android patch doesn’t mean that every Android phone will get it. Most phone manufacturers use slight variations on the Android OS for their handsets, and carriers then add additional modifications. When (or if) you get a BroadPwn patch will depend a lot more on Samsung, LG, Verizon and AT&T than it will on Google.

There's not much else you can do to protect yourself, since mobile antivirus software can’t prevent an attack at the level of a Wi-Fi chip. Google mentioned that it's not aware of the attack being used in the wild, so take solace that it's likely no one but Artenstein has figured out how to exploit it — yet. After Black Hat, all bets may be off.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 

Latest in iPhones
3D printed models of alleged iPhone 17 Air and iPhone 17 Pro design
iPhone 17 Air dummy model shows off Apple’s big design change
iPhone 16 Pro shown held in hand
iOS 19 may bring Apple Intelligence powers to more iPhone apps — but without any big new features
A render of the iPhone 17 Pro Max
iPhone 17 Pro Max — this new rumor could push people towards iPhone 17 Air
Apple Intelligence logo on iPhone
Apple confirms Siri 2.0 is delayed — 'it’s going to take us longer than we thought'
iPhone 17 Pro render
iPhone 17 Pro Max and iPhone 17 Air designs just teased in new video — here's your first look
Torras Ostand for iPhone 16e case being held in hand
Best iPhone 16e cases in 2025
Latest in News
Adam Scott in "Severance," now streaming on Apple TV Plus.
'Severance' season 2 finale runtime just revealed — expect a violent finale
Meta Ray-Ban smart glasses next to AirPods Pro 2
New report says Apple is working on Meta-style smart glasses and AirPods with cameras
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Crystle Stewart as Mallory in Tyler Perry's "Beauty in Black" on Netflix
Tyler Perry’s suspenseful drama series just crashed the Netflix top 10 — and you can stream new episodes now
JBL Charge 6 on beach
JBL just launched two new Bluetooth speakers with lossless audio — and my fave has 20 hours of battery life
ExpressVPN connected on Linux app
ExpressVPN launches huge Linux update – what you need to know