Researchers Hack Wi-Fi driver to Breach Laptop

InfoWorldMike writes "Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver, reports Robert McMillan. The hack will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California. They used an open-source 802.11 hacking tool called LORCON (Lots of Radion Connectivity) to throw an extremely large number of wireless packets at different wireless cards and see if they fail. They declined to disclose the specific details of their attack before the August 2 presentation, but said it was potentially a huge hole because exploiters could simply sit in a public space and wait for the right type of machine to come into range to attack. "This would be the digital equivalent of a drive-by shooting," said Maynor. The victim would not even need to connect to a network for the attack to work, he said."

Disclosure?

[MostAwesomeDude]

I wonder why they haven't disclosed the details. Hopefully they contacted the card manufacturer in order to get a new driver prepared for the masses before they uncover the full exploit at the conference.

Greater problem

[Casandro]

The problem is greater than that. It's probably not a single instance of wireless drivers that has such a bug, but in fact an extremely widespread problem.

I am slowly convinced, that any larger piece of C(++)-Code which handles strings, has in fact at least one Buffer overflow.

So, what will happen. The card-manufacturer might fix the bug, nobody updates, and 20 new bugs in other drivers are found, perhaps 10 of them beeing the same bug.

What's really nice about it is that Intel recently claimed, that something like this was not probable.

So, what's the solution?

1. Educate your programmers about the programmers about the language they are using. Most people who write in C(++) don't know anything about how the language works. A C(++) Programmer without firm knownledge of assember on that plattform should never be allowed to write production-grade C(++)-Code.

2. If you cannot educate your programmers, switch your language. There are plenty of Alternatives avaliable. I mean people switched to Java for no appearent reasons. If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penality.

3. Build compatible devices. Make one standard like the old soundblaster one, or the AC97 so all WLAN-cards of a certain class are buildt equal. Then you could even build WLAN functionality into the BIOS. The code would only have to be written once and therefore would be less buggy.

Re:Greater problem

[Penguin+Programmer]

2. If you cannot educate your programmers, switch your language. There are plenty of Alternatives avaliable. I mean people switched to Java for no appearent reasons. If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penality.

Anyone ever heard of writing a device driver in a language other than C/C++ (or straight assembly)? I sure haven't. I mean, I suppose theoretically it would be possible, but I really don't think it's practical.

Better to go with option number 1. Don't put up with shitty programmers, just get better ones. If shitty programmers stop getting paid, shitty programmers will stop occurring.

Re:Greater problem

[Casandro]

There are lots of device drivers in other languages.

Just think of the many DOS 3D-graphics libraries written in Pascal. Those directly accessed your hardware.

Or think of (real) Macintoshes (not those Intel thingies). Their whole firmware is written in Forth. In fact all firmware device drivers of Macs and IBM P-Series as well as Sun computers are written in Forth, it's the "Open Firmware" standard.
In fact, the first Forth system was a computer designed to controll a telescope. The Forth programm directly accessed the hardware, probably via an internal layer of sub-routines.

Then of course, if you have watched TV during the 80s you have probably seen 3D graphics going through a system entirely written in LISP, the LISP-machine.

So, why does nobody use any other language than C for that?
Well first of all, Unix was written in C. In fact it was even the reason why C was invented, to have a platform-independant "assembler" with some very limited high-level functionality.
The same language was also chosen for Windows, as well as Linux.
Now the point is, if you write a device driver for those modern OSes, you will find template programms or tutorials you just fill in your code. Those templates typically are in the language of the OS, which is now typically C.
The problem goes even further. I have seen university students studying informatics, and they don't even know a single language outside the Algol block. (=C, Pascal, C++, Java, VB...) They don't even know Forth or Lisp, let along Prolog. Some of those people have never considered looking out of their boxes into what's beyond Algol.

I'm not saying C is bad per se. What I am saying is that C may be mathematically universal, you can do everything with it in theory, but for any given slightly more complex task it's just not suitable.
If you are not convinced, write a little "derivation"-Programm in C where I can enter something like x^2 and out comes 2*x. Then look into the book "Programming in Prolog" and look at the examples, you will find one the deriving programm there has just a few lines. Maze-solving programms consist of about a handfull of lines plus a pine for every connections.
Now look at C. C seems to be so broken, that not even the compilation process itself is written in C. Look at makefiles. That's a non-algol language only designed to compile C Programms. Isn't that sick?

C is good for number-crunching, but definitely not for anything touching strings.

Re:Greater problem

[maelstrom]

A C(++) Programmer without firm knownledge of assember on that plattform should never be allowed to write production-grade C(++)-Code.

I fail to see how this prevents someone from using libc functions in an unsafe way.

Re:Greater problem

C seems to be so broken, that not even the compilation process itself is written in C. Look at makefiles. That's a non-algol language only designed to compile C Programms. Isn't that sick?

I agreed with you up to this point. Makefiles are used to compile *anything*, not just C programs, so I see no reason why they should be written in C. Further, most C compilers are written in C. And BTW, what language was your Prolog interpreter written in?

C is good for number-crunching, but definitely not for anything touching strings.

I would say that C's biggest strength is freedom of memory management. As a previous poster mentioned, much of the scientific community is still using Fortran for heavy-duty number crunching.

Re:Greater problem

[Viol8]

>I am slowly convinced, that any larger piece of C(++)-Code which handles strings, has in fact at least one Buffer overflow.

Well in that case that would include all your high level language interpreters and
compilers too and possibly the code they generate. After all , at some point someone
has to code to the metal.

>A C(++) Programmer without firm knownledge of assember on that plattform should never be allowed to write production-grade C(++)-Code.

Why? If they're writing device drivers I'd agree , but for other types of program
then you have to ask what knowing the I/O timings or interrupt levels on a CPU has to
do with whether a coder can use malloc() (for example) properly or not.

>If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penality.

Why in gods name would someone whos got to deal with all the low level issues with
device drivers want to write in some fluffy high level language that presents a
completely different programming paradigm to the hardware he's trying to code to?
Don't be an ass.

Re:Greater problem

[modeless]

Educating all the bad programmers in the world has always been a stupid idea. It's like saying we should stop spammers by teaching people not to click on their links, or eliminate viruses by teaching people not to open suspicious attachments, or bring about world peace by all holding hands and singing "Kumbaya". It might help just a little, but it won't solve the problem. It didn't before, it isn't now, and if you can't see the future trend, you must have some sort of learning disability.

At some point, when an entire population of users spends years using a tool wrong, you have to stop blaming the users and start fixing the tools.

Re:Greater problem

A tool does whatever its user wants. If what users want can't work, the tool can never be fixed to accomodate them. They need a walkthrough document or a wizard or something because they're not ready to use any tool unaided.

Even Greater Problem

[cloricus]

No one will update. And I'm serious; no one .

I've been working with end users enough at uni and work to realise the most even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced too.

This will be a huge problem no matter how you look at it full stop.

While on one hand I can't wait to get my hands on the sploit I'm just thinking how painful this will be unless Windows (and this is the only OS I'm worried about as most Linux and Mac users will get a new driver in their regular updates if they are effected) works out some way to force an update for all wireless drivers out there.

Re:Even Greater Problem

[jawtheshark]

even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced too.

I know we are talking about exploits here and exploits should be fixed. I disagree, however, that you should upgrade your drivers continuously *without a good reason*.

First it requires you to keep track about all driver releases of your system (if you're a network admin, it might even be many more configurations) Upgrading some point releases will probably not do much.

Second is stability: if your system is stable with your current drivers and performs well, why would you upgrade? Upgrading drivers always jeopardizes your system. Windows might not like the driver or the combination of drivers you need. That's a good reason to standarize the drivers you put on your machines.

Third, you need to realise that a "driver update" might not even concern your hardware device. Many drivers these days are unified. Is a point-release going to affect you at all. For example, if you have an older GeForce MX2, will the latest NVidia driver include *any* changes for you? I doubt it. It might even introduce new bugs because said driver has been optimized for a newer card and breaks compatibility with your older card. The last argument of course, brings us back to point two.

Fourth: many third party drivers are bad as hell and the standard Windows drivers do a good enough job. For many devices, there is no need at all to install drivers in the first place. Do you really install the Logitec drivers for your standard 3-button/scrollwheel mouse? I most certainly do not.

Essentially, it all boils down to: if it ain't broke, don't fix it.

Re:Even Greater Problem

even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced too.

That's because laptop drivers are of notoriously shitty quality. IMHO the non-upgradeability of laptops favors a "whole system" approach over more modular designs. Somehow programmers of drivers for laptop hardware seem to think it's ok to write to one specified configuration, validate the whole system and be done with it. They take all sorts of shortcuts and ignore interoperability design guidelines. It's just this one configuration anyway, you know, and as long as that works, they've done their job. But whenever one of the other hardware makers changes a thing, either in the hardware or the software, things begin to break. Thus, even the slightly geeky users learn that, especially with laptops, it's best to "never change a running system".

Buffer or Integer overflow?

[orospakr]

A native code exploit in kernel space?! GASP! Nobody saw that coming!

Re:Clearly the solution is...

[WatchTheTramCarPleas]

Then you would have the problem of defining what a hacking tool actualy is. A definition inclusive enough to actualy be usefull would likely include tools that were not intended to be used for hacking and have legitamate uses.

Is this supposed to be sarcastic?

[Steeltoe]

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?

When open source hacking tools are made criminal, only criminals have access to security.

I thought the purpose was to find security holes and close them?

I can only hope this is supposed to be sarcastic, but it was modded +4 interesting. With no tags or marks, over the medium it's impossible to tell.

Once again....

[Corbets]

Security is an intuitive thing. I'm not saying this could be avoided, but you can bet that I've always turned off my wireless card when I'm not using it. I never heard of anyone doing this before, but I've always figured it was possible.

Unfortunately, any bit of code that runs on your computer is a potential vulnerability. The best possible solution is to minimize what's running, and update quickly if possible... but even that isn't necessarily protection. I seriously believe that the bad guys will always be one step ahead. Makes my career in security a bitch, but at least guarantees a paycheck. ;-)

ugh. Head in Sand Defense.

[twitter]

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal.

That's a bad joke, please? Bad because people might get ideas. Makers of crappy devices will soon say much the same. It makes me ill.

The real solution, of course, is to avoid crappy closed source drivers. Efforts such as ndis wrapper, while a nice, bring closed source fragility to free software. Free drivers, when broken will be fixed. Good luck getting a fix for that ancient POS you bought at the CompUSA taken care of.

Sticking your head in the sand won't fix your closed source driver. Free tools will help find the problem. Not having the tool won't make the problem disappear and the kinds of people who would bother with a "drive by" will keep doing it despite any silly laws.

Save battery = save DoS

[xav_jones]

"The victim would not even need to connect to a network for the attack to work", he said.

Presumably you must still have WiFi turned on though. To save battery life, mine is usually off unless I'm connected.

Turn it off!

[soundscape]

A perfect example of why you should ALWAYS disable your WiFi adapter when you aren't using it.

Re:Turn it off!

That's not much help. Now you somehow have to know whether anyone in range and could attempt this exploit, without enabling your transceiver to check.

no need

I stopped using their blobs last year, the nv driver is plenty good enough. If you are concerned over your video game scores, you might consider..growing up as an alternative solution. Believe it or not, there is still a lot of "computing" you can do without blobs, and then there's meat space, where maybe you can learn to drive and work on a real car, or learn ballistics and shoot a real gun at the range, or actualy go outside and meet someone.

Videogames are being used as an excuse way way too much for continuing support binary blobs and things like MS career crooked company products.

in the 60s too much drugs and very little work

70's was too much disco and way too much really bad clothing

90's was way too much monetary greed and outright stupidity

The 2000s now are saturated with bread and circuses, despite all the real work that needs to be done and real world problems that need to be addressed-and also what happens to folks physically and psychologically (yes, admit it, it's true) when they spend the bulk of their free time sittin on their butt playing video games. Go outside once in awhile,get some exercise, stop rewarding the lard builders, humans have been kept amused for millenia without that sort of nonsense.

Re:OpenBSD

[peacefinder]

It sounds like this will be either the second remote hole in the default install for OpenBSD, or another example of them saying "Yeah, we fixed that a couple years ago."

I'd bet on the latter.

Re:I agree...but I don't...but I do...

[Bert64]

That's why you need to seperate the role of OS developers and distributors...

On unix OS's, you can get updates for all your apps and drivers from one place, and the distributor will make the newest versions available for you.
Windows however is very messy and disjointed, you can get updates for the core OS from windowsupdate, but even many microsoft products have to be updated seperately, and forget about any third party apps/drivers you might have installed.
You end up with an update service running for every program you have installed, or having to manually check for, download and install updates which becomes a HUGE pain in the ass when you have lots of apps installed.
MacOS isn't quite as bad, since the software update feature will update all your apple-branded apps as well as the OS, but your still screwed when it comes to third party apps.
Contrast this with a modern linux distro, where 99% of the apps your ever likely to need will come with the distro and be supported/updated by them... And for the remaining 1%, you can usually add additional package sources to your system package manager so you can still update everything in a central and consistent manner.

Re:OpenBSD

[SargeantLobes]

Helps explain OpenBSD's stance on not having blobs, they'd have been able to audit the driver code, and fix it quicker to boot.

My thoughts exactly. Even if this exploit creeped in to the drivers, it'll be fixed byt tomorrow (or as soon as the ppl explain how the exploit works). Others will be waiting for weeks for a binary release from wifi vendors. And the vendors'll keep quiet about it, because they don't want to lose face.

People call Theo de Raadt a hardass for his stance on blobs. Torvalds calls him "difficult", but in the end he's right.

An OS that wants to be secure can't include code or grant rights to code, of whcih it doesn't know the source. How can you call something secure, if you've got a large piece of code with lots of rights and you don't know what the hell it does?

Forth and open firmware.

[bgalehouse]

The reason that forth is such a great choice for firmware and embedded systems is twofold. First of all, it is fairly fast. There can be a lot of indirection, but it is localized to a small amount of memmory.

Second of all, and very importantly, you can fit an entire forth development environment into a few k. Might need 5-10 on these new fangled 32 bit machines. That is the whole thing, no separate compiler, runtime libraries, nothing like that. So, in the time it takes to study the gcc source enough to start porting it to a new architecture, you can write a complete forth interpreter in assembly, burn it to an eprom, and start talking to your new architecture over a serial line.

And as you might expect, much like C, the bare metal is open to you. ! and @ are the commands to store and fetch variables. But they don't just work for variables, they work for any address you want to pass them.

OpenBSD's removal of vendors' binary drivers...

[QuietLagoon]

... is starting to look a lot better every day.

Legislation is the real risk in this scenario

[ScentCone]

It's time that access to source code for device drivers was mandated by law: if hardware manufacturers will not supply the source code for their drivers, then they simply should not be allowed to sell the product

I don't buy it. First, do you really trust the legislative process to meaningfully define (for actual, real-world use in an industry moving 5000mph) terms like "device" and "driver?" It's bad enough when a judge decides to get involved in discussing what is, and is not part of an operating system, as if such things weren't ever going to change.

I'd rather let demonstrably crappy manufacturers get the reputation they deserve, and let the market sort it out. Don't buy hardware from people whose practices your don't like.

Further: what possible guarantee is there that drivers, having been open-sourced, will go out the door without any vulnerabilities? The concern here isn't whether the bug(s) will be fixed (it/they will), but whether everyone will patch. That concern would still be there even if the same open-source world that has produced all sorts of other buggy/vulnerable releases/products had access to drivers for something produced and shipped in a very short design/marketing life cycle. None of those risks go away, but in your scenario, you now have congress-creatures (egads!) talking about which hunks of code are, or are not "drivers." Now that is a vulnerability I can do without.

Why was this announced NOW?

[davidwr]

Announcing this NOW but delaying the actual results until AUGUST will just mimic the "Patch Tuesday" effect only in spades.

The real black-hats who were working on other projects will read this, shift gears, and reproduce the attack within a week or so even without any more details.

A more responsible solution would be to either wait until a patch was released, or if the companies dragged their feet about it, give the companies a month or two's lead time then publicly announce the paper's release along with a list of cards affected, then a few days later release the full paper. This gives the companies some lead time to fix the problem and the customers a few day's lead time to replace or disable their wireless devices without giving the black-hats enough time to cause widespread damage.

Now, suppose these guys actually told the companies about this in May. Fine. But do we really have to give the black-hat community over a month to develop an exploit? No. Release the paper or at the very least the names of the affected cards later this week at the earliest.