Researchers Hack Wi-Fi driver to Breach Laptop
InfoWorldMike writes "Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver, reports Robert McMillan. The hack will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems, and Jon Ellch, a student at the U.S. Naval Postgraduate School in Monterey, California. They used an open-source 802.11 hacking tool called LORCON (Lots of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards and see if they fail. They declined to disclose the specific details of their attack before the August 2 presentation, but said it was potentially a huge hole because exploiters could simply sit in a public space and wait for the right type of machine to come into range to attack. "This would be the digital equivalent of a drive-by shooting," said Maynor. The victim would not even need to connect to a network for the attack to work, he said."
Ok, this might be a different bug; but FreeBSD fixed a remote kernel code execution bug which affected systems scanning for existing 802.11 wireless networks. The bug was discovered and reported to the FreeBSD Security Team by Karl Janmar.
> Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver
Whether this is a new bug or not, it's certainly not a new type of bug.
Not necessarily.
In order for this hack to work, it is essential for the wireless driver to handle at least some MAC and encryption functions in software. In that case it is available for a hit simply by the fact of being active, regardless of the connection status. Most modern cards are like this (if not all). Atheros also definitely fits the bill. In fact it is more likely to fit the bill because more bits are implemented in software compared to Centrino. So do a few others.
As far as Centrino goes, you are to some extent right that it is the most likely candidate. The reason for this is that it has a "feature" called preassociation. It will search and connect to the strongest AP in the area even if you have set the connection inactive. It is enough to load the driver and not have the antenna off.
So, when do the researchers get formally indicted under the DMCA? It's a legitimate question.
Contrary to the FUD spread by DMCA opponents (I am not endorsing the DMCA, merely pointing out that all sides, "good" or "bad" engage in FUD), this is perfectly legal.
Quotes are from http://thomas.loc.gov/cgi-bin/query/F?c105:6:./te
First we have the government exception:
> "David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California."
(e) LAW ENFORCEMENT, INTELLIGENCE, AND OTHER GOVERNMENT ACTIVITIES- This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State. For purposes of this subsection, the term `information security' means activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.
Then we also have a security research exemption:
`(j) SECURITY TESTING-
`(1) DEFINITION- For purposes of this subsection, the term `security testing' means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network.
`(2) PERMISSIBLE ACTS OF SECURITY TESTING- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--
`(A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and
`(B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security.
`(4) USE OF TECHNOLOGICAL MEANS FOR SECURITY TESTING- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing described in subsection (2), provided such technological means does not otherwise violate section (a)(2).
I'd cut and paste more but I think readers will get the point.
Don't worry, our govt. is going for it, I'm sure they'll let you know how it works out:
http://www.publications.parliament.uk/pa/cm200506/cmbills/119/06119.27-33.html#j383A
lorcon info: http://www.802.11mercenary.net/lorcon/e .tar.gz
lorcon d/l: http://802.11ninja.net/code/lorcon-current.tgz
airbase info: http://www.802.11mercenary.net/
airbase d/l: http://www.802.11mercenary.net/code/airbase-stabl
code mirror: http://www.qcs-rf.com/slashdot
Actually, you're wrong.
Lawrence Lessig, in his book Free Culture (freely downloadable as a PDF, google it), details how this is broken.
The researchers are able to research, but they are not able to publish their findings. So they can't share what they've learned legally. This is the difference between theory and practice.
> I would say that C's biggest strength is freedom of memory management.
The real "freedom" in C is pointer arithmetic and unchecked type-casting.
Originally in Fortran
> Just think of the many DOS 3D-graphics libraries written in Pascal.
The Borland libraries were written in C and assembler. They had a bit of Pascal glue so that you could do graphics from TP/BP.
> Their whole firmware is written in Forth.
Only a little more than is needed to POST, for example the analogue of a VGA BIOS. Later in boot, drivers provided by the OS take over.
> TV during the 80s you have probably seen 3D graphics going through a system entirely written in LISP, the LISP-machine.
What!? Some of the Symbolics Lisp Machines were used for animation, but the vast majority (of the small number made) were used for AI research, but that is tangential.
Further, is your serial port driver going to be solving mazes or replacing Mathematica anytime soon? Also, I use make for much more than compiling C programs. Funny how that is: make has the single good idea from Prolog and is useful outside toy experiments in computational logic.
Basically the reason drivers are written in C is that it is much like using assembler but with the benefit of being massively more portable.
Apart from the now old-school Lisp OS:
http://common-lisp.net/project/movitz/
there is someone who's working on booting SBCL cores directly with the bootloader in Forth [it boots, but the cross-compiler has some issues]
there's a version of Smalltalk (or Squeak?) that runs without any underlying OS.
There were several lisp or scheme *chips* in the 70s and 80s.
Also, what exactly do you see in common between Java and Haskell?
Finally, how in the world is that comment even slightly interesting?
http://jnode.org/
You did the right thing by replying. Mod points are not meant to be used for expressing support or disagreement, instead they should be used for indicating the quality of comments.