BSides Toronto 2023

Attila Szasz

Researcher in computer security, reported vulnerabilities in Google Chrome, Intel DRM technologies, ASUS routers, SONY consumer products, and even Ghidra. Founder and general manager of BugProve Inc, an IoT security startup.


Broadcom router SDK vulnerabilities - the uncomfortable reality of the IoT Linux kernel space
Attila Szasz

This research uncovers the CVE-2023-31070 vulnerability, a concerning issue within the IoT Linux kernel space, specifically affecting the Broadcom BCM47xx SDK. The vulnerability is a slab-out-of-bounds write in the Efficient Multicast Forwarding (EMF) module, and it has significant implications for IoT device security. The Broadcom BCM47xx SDK serves as the reference implementation in numerous router models, making it a ubiquitous presence in the IoT landscape. In fact, the issue affects router devices from at least 14 manufacturers and more than 50 popular models, therefore affecting a significant market share of small office and home networking devices.

The EMF module, responsible for optimizing multicast traffic, is a crucial component, particularly in applications like IPTV.

Within this SDK, a critical flaw lurks in the EMF kernel driver, emf.ko, primarily used for IGMP snooping. Through careful analysis and reverse engineering, the vulnerable code within emf.ko is dissected, revealing how an attacker can manipulate kernel module data structures with specially crafted data. The ultimate goal of this exploitation is to achieve kernel-mode code execution, posing a substantial security risk.

To illustrate the practical implications of CVE-2023-31070, a demonstration is provided, showcasing how an attacker can trigger an out-of-bounds access in the kernel space, eventually causing system crashes. This demonstration, conducted on an ASUS AC87U device, serves as a real-world example of the potential consequences of this vulnerability.

This research journey also sheds light on the complexity of addressing such vulnerabilities. Close collaboration with Broadcom was required to get a fix; however, Broadcom has no control over the security update process of its OEMs and customers. In many cases, the affected models are no longer supported, even though tens of thousands of units are still operated on public networks. This case study underscores the need for effective coordination in addressing vulnerabilities within interconnected systems.

This presentation will provide an in-depth examination of CVE-2023-31070, offering valuable insights into the IoT security landscape and the imperative to secure our interconnected devices. The talk aims to foster a discussion within the security community and raise awareness of the challenges posed by vulnerabilities in IoT ecosystems.

ENG 103