This research is effectively a free audit of Broadcom's firmware by Google. At what point does Broadcom approach Google, have the appropriate NDAs signed, and give them access to the source code? If someone is providing a (very valuable) free service to you, wouldn't you want to make their lives easier?
I assume there are some important reasons why this wouldn't occur, but at first glance, it seems to me that the pros outweigh the cons.
Yeah... having worked in actual large secretive companies like Broadcom they're more likely thinking "Shiiit they found a security vulnerability using information from the datasheet, a memory-probing utility we provided and some of our open source code. We've got to make all of those secret!"
Which is so silly, as closing their code & datasheets just makes it harder to work with their chips and makes users of their products less secure. And that is why you see all these Single Board Computers not using Broadcom chips, they are nearly impossible to get docs for, let alone decent drivers.
I suspect every time something like this happens, Google gets a little more access into the stack of the various tech used in stuff it sells/runs from third parties. Broadcom of yesterday may never have handed the code over, Broadcom of today would probably send it over with a case of champagne and a stack of hardware to test with.
While I'm risking jumping in on the "me too" bandwagon - I don't think this is how it works. Perhaps Google is large enough for Broadcom to cop a different attitude with, but nothing about large hardware vendors makes me believe they think like you say.
I think more likely what is happening now are some execs and lawyers @ bcom HQ right now trying to figure out if they can sue Google over any of this. They likely will not, but I'm sure they'd play hardball with any small player and at minimum cease doing business with them. While I've not dealt with bcom directly myself, I can say this opinion comes from experience.
Why would Broadcom sue a large customer like Google? Check out what chips are in the motherboard picture in Wired's article from a few years ago about the Pluto switch.
At the same time, it potentially makes it more likely they'll find more bugs, and all Project Zero bugs are publicly disclosed, which is bad from a marketing point-of-view for Broadcom.
No, it would be a positive: after sending project 0 our source code and fixing everything they've found in the first 6 months they failed to find anything for the last 6 months. Compare to our competitors who are still subject to such finds roughly once per 2 month period.
I think you're assuming a somewhat redeemable codebase. For most I'd be guessing it's a choice between completely rewriting the drivers or a never ending game of wack-a-mole. Management will see both options as costing a lot and delivering zero value.
When has Broadcom ever given a sign that they care about their reputation among end users? They want the OEM design wins, and anything after that is not their problem.
It's not hard to imagine how this might be bad in an alternate universe. But i still dont see how it is going to matter in this universe where Bob doesn't stop shopping at Target or DSW after a big breach and where Alice does not research WiFi chip security history when she goes to buy a toss away IoT device.
They do know they're spending a lot of money on a shiny new samsung s8 and if it's bricked a month after use it's either going to cost samsung a lot in replacements or the person is unlikely to buy a samsung phone again. Just look at the damage the battery disaster had on samsungs brand, that was only a small percentage of phones with a problem.
Alice is going to revolt against Samsung when her s8 is bricked and go buy the new iPhone which also has a Broadcomm chip in it? How is this causing problems for Broadcomm's marketing department? When she goes to the store and explains how frustrated she is with Broadcomm surely the phone rep will point out that some phone makers were good about pushing out the update?
Moreover, heap overflows and videos of batteries exploding dont have the same staying power in consumer minds...
It causes a problem for Broadcomm because Samsung is losing sales and has to use a competitors chipsets. Or Samsung fixes their update issues to try and claw back sales. Or more likely Samsung do it because replacement units are expensive.
A heap overflow won't change minds, but millions of out of pocket consumers saying how shit Samsung is at every opportunity will.
Remember Samsung is a big brand too, the department that sells TVs aren't going to sit back while the phone department poisons their brand.
I assume there are some important reasons why this wouldn't occur, but at first glance, it seems to me that the pros outweigh the cons.