If you haven't updated your iPhone or Android device lately, do it now. Until very recent patches, a bug in a little-examined Wi-Fi chip would have allowed a hacker to invisibly hack into any one of a billion devices. Yes, billion with a b.

A vulnerability that pervasive is rare, for good reason. Apple and Google pile millions of dollars into securing their mobile operating systems, layering on hurdles for hackers and paying bounties for information about vulnerabilities in their software. But a modern computer or smartphone is a kind of silicon Frankenstein, with components sourced from third-party companies whose code Apple and Google don't entirely control. And when security researcher Nitay Artenstein dug into the Broadcom chip module that helps power every iPhone and most modern Android devices, he found a flaw that had the potential to completely undermine the expensive security of all of them.

Over the last few weeks, both Google and Apple have rushed to patch that bug, which Artenstein calls Broadpwn. Without that fix, it would have allowed a hacker who comes within Wi-Fi range of a target not only to hack a victim's phone, but even to turn it into a rogue access point that would in turn infect nearby phones, quickly spreading from one device to the next in what Artenstein describes as the first Wi-Fi worm.

While the vulnerability is now patched–seriously, get that update–Artenstein says it also offers broader lessons about the fundamental security of our devices. The near-future of smartphone hacking may focus less on operating systems, says Artenstein, and more on insidious flaws in those peripheral components.

"We’re witnessing a process in which mainstream systems like the application processors running iOS or Android have become so hardened by undergoing intense security research that security researchers are starting to look into other directions," says Artenstein, who presented his findings at the Black Hat security conference and in a subsequent WIRED interview. "They’re starting to look for that breach in the wall where exploitation still isn’t that difficult." As hackers search for increasingly rare attacks that don't require any interaction from users, like opening a malicious page in a browser, or clicking a link in a text message, they'll focus on third-party hardware components like Broadcom's chips, Artenstein says.

Broadpwn

Artenstein, a researcher for the security firm Exodus Intelligence, says he has suspected for years that Broadcom's Wi-Fi chip might offer new avenues into the guts of a smartphone. After all, the "kernel" of a modern phone, the core of its operating system, is now protected by measures like address space layout randomization, which shuffles where code sits in memory so that a hacker can't rely on knowing the addresses an exploit depends on, and data execution prevention, which stops hackers from smuggling malicious commands in as data and tricking a computer into running them. They're locked down tight.

But Broadcom's Wi-Fi controllers have no such protections. And they're found across manufacturers and operating systems, from the latest Samsung Galaxy devices to every single iPhone. "Obviously, this is a much more interesting attack surface," Artenstein said in his Black Hat talk. "You don’t have to repeat your work. If you find one bug, you can use it plenty of places."

So about a year ago, Artenstein began the painstaking process of reverse-engineering the obscure firmware of Broadcom's chips. He was aided, he says, by an unexpected leak of the company's source code he found on GitHub, which Artenstein suspects was accidentally published by one of Broadcom's partners. And as he dug through the code, he quickly found opportunities for trouble. "If you look at these systems you find bugs like you used to in the good old days," Artenstein said.

He eventually spotted one crucial bug in particular, hidden in Broadcom's "association" process, which allows phones to search for familiar Wi-Fi networks before they connect to one. One step at the start of that handshake didn't properly constrain the size of a piece of data that the Wi-Fi access point sends back to the chip, a bug known as a "heap overflow." With a carefully crafted response, the access point could send more data than the chip had set aside for it, corrupting the module's memory by overflowing into adjacent parts of the heap, where the excess could end up running as commands.
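The bug class described above, a parser that trusts a length field supplied by the other side of the connection, is easy to see in a small C example. The code below is an added illustration, not Broadcom's firmware and not anything from the article: the `parsed_element` record, the `ELEMENT_MAX_LEN` capacity, the function names and the sample frames are all constructed for this example. It shows the unchecked pattern next to the hardened one, which rejects an element whose declared length exceeds either the bytes actually present in the frame or the space reserved for it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size record a firmware parser might reserve on its heap
 * for one element of a received frame. Layout and names are constructed here. */
#define ELEMENT_MAX_LEN 32

struct parsed_element {
    uint8_t id;
    uint8_t len;
    uint8_t data[ELEMENT_MAX_LEN];
};

/* Frame layout assumed for this example: [id][len][len bytes of payload]. */

/* Vulnerable pattern: copies as many bytes as the peer's length byte claims.
 * If len exceeds ELEMENT_MAX_LEN, memcpy writes past out->data into whatever
 * follows it on the heap; if len exceeds the frame, it also reads past the frame.
 * Only ever call this with well-formed input. */
int parse_element_unchecked(const uint8_t *frame, size_t frame_len,
                            struct parsed_element *out)
{
    if (frame_len < 2)
        return -1;
    out->id = frame[0];
    out->len = frame[1];
    memcpy(out->data, frame + 2, out->len);   /* BUG: peer-controlled length */
    return 0;
}

/* Hardened pattern: the length is validated against both the bytes actually
 * present in the frame and the capacity of the destination before any copy. */
int parse_element_checked(const uint8_t *frame, size_t frame_len,
                          struct parsed_element *out)
{
    if (frame_len < 2)
        return -1;                 /* too short to hold a header */
    uint8_t len = frame[1];
    if (len > frame_len - 2)
        return -2;                 /* claims more bytes than the frame carries */
    if (len > ELEMENT_MAX_LEN)
        return -3;                 /* does not fit the reserved record */
    out->id = frame[0];
    out->len = len;
    memcpy(out->data, frame + 2, len);
    return 0;
}

/* Constructed sample frames. */
static const uint8_t BENIGN_FRAME[]   = { 0x00, 5, 'W', 'i', 'F', 'i', '!' };
static const uint8_t OVERLONG_FRAME[] = { 0x00, 200, 1, 2, 3, 4, 5, 6, 7, 8 }; /* len > frame */
static const uint8_t OVERSIZE_FRAME[42] = { 0x00, 40 };  /* len fits frame, not record */

/* Both parsers accept the well-formed frame and agree on the payload. */
int demo_benign_ok(void)
{
    struct parsed_element a, b;
    memset(&a, 0, sizeof a);
    memset(&b, 0, sizeof b);
    if (parse_element_checked(BENIGN_FRAME, sizeof BENIGN_FRAME, &a) != 0)
        return 0;
    if (parse_element_unchecked(BENIGN_FRAME, sizeof BENIGN_FRAME, &b) != 0)
        return 0;
    return a.len == 5 && memcmp(a.data, "WiFi!", 5) == 0 &&
           memcmp(&a, &b, sizeof a) == 0;
}

/* The hardened parser's verdict on each malformed frame. */
int demo_overlong_result(void)
{
    struct parsed_element e;
    return parse_element_checked(OVERLONG_FRAME, sizeof OVERLONG_FRAME, &e);
}

int demo_oversize_result(void)
{
    struct parsed_element e;
    return parse_element_checked(OVERSIZE_FRAME, sizeof OVERSIZE_FRAME, &e);
}

int main(void)
{
    printf("benign frame parsed identically by both: %s\n",
           demo_benign_ok() ? "yes" : "no");
    printf("overlong frame rejected with code %d\n", demo_overlong_result());
    printf("oversize frame rejected with code %d\n", demo_oversize_result());
    return 0;
}
```

On benign input the two parsers are indistinguishable, which is why this kind of defect survives ordinary testing; only the checked version refuses the two malformed frames. Checking against the frame length and the destination capacity as separate conditions matters, since either one alone leaves a way to copy more than was reserved.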