Researchers Hack Wi-Fi driver to Breach Laptop
InfoWorldMike writes "Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver, reports Robert McMillan. The hack will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems, and Jon Ellch, a student at the U.S. Naval Postgraduate School in Monterey, California. They used an open-source 802.11 hacking tool called LORCON (Lots of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards and see if they fail. They declined to disclose the specific details of their attack before the August 2 presentation, but said it was potentially a huge hole because exploiters could simply sit in a public space and wait for the right type of machine to come into range to attack. "This would be the digital equivalent of a drive-by shooting," said Maynor. The victim would not even need to connect to a network for the attack to work, he said."
I'm glad I still run DOS. No wireless support means I'm safe from these dirty hackers, and any sort of modern productivity.
Slashdot - where whining about luck is the new way to make the world you want.
I wonder why they haven't disclosed the details. Hopefully they contacted the card manufacturer in order to get a new driver prepared for the masses before they uncover the full exploit at the conference.
~ C.
I wonder if this could be used to attack a wired network through a venerable basestation?
lemonade was a popular drink and it still is
The problem is greater than that. It's probably not a single instance of wireless drivers that has such a bug, but in fact an extremely widespread problem.
I am slowly becoming convinced that any larger piece of C(++) code which handles strings has in fact at least one buffer overflow.
So, what will happen? The card manufacturer might fix the bug, nobody updates, and 20 new bugs in other drivers are found, perhaps 10 of them being the same bug.
What's really nice about it is that Intel recently claimed that something like this was not probable.
So, what's the solution?
1. Educate your programmers about the language they are using. Most people who write in C(++) don't know anything about how the language works. A C(++) programmer without firm knowledge of assembler on that platform should never be allowed to write production-grade C(++) code.
2. If you cannot educate your programmers, switch your language. There are plenty of alternatives available. I mean, people switched to Java for no apparent reason. If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penalty.
3. Build compatible devices. Make one standard like the old SoundBlaster one, or AC97, so all WLAN cards of a certain class are built equal. Then you could even build WLAN functionality into the BIOS. The code would only have to be written once and therefore would be less buggy.
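The class of defect the parent describes (a length taken from untrusted input and used unchecked in a copy) is easier to see in code than in prose. Below is an added example, not part of the thread and not the Maynor/Ellch driver flaw (the article withholds its details): a constructed parser for the tag/length/value information elements that 802.11 beacon and probe frames carry, with the weak pattern next to the hardened one. The frame bytes, the function names and the `ssid_result` type are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SSID_MAX 32   /* the 802.11 SSID element is at most 32 octets */
#define IE_SSID  0    /* element tag for the SSID */

/* Result of parsing one frame for its SSID element. */
typedef struct {
    char ssid[SSID_MAX + 1];
    int  found;
} ssid_result;

/* Weak pattern (kept only for contrast, never called below): the length
 * byte comes straight from the air, yet it is neither compared with the
 * 32-byte destination nor with the bytes remaining in the frame, so a
 * malformed element drives memcpy with an attacker-chosen size. */
int parse_ssid_unchecked(const uint8_t *frame, size_t frame_len,
                         char out[SSID_MAX + 1])
{
    size_t off = 0;
    while (off + 2 <= frame_len) {
        uint8_t tag = frame[off], len = frame[off + 1];
        if (tag == IE_SSID) {
            memcpy(out, frame + off + 2, len);   /* len is unchecked */
            out[len] = '\0';
            return 1;
        }
        off += 2 + len;
    }
    return 0;
}

/* Hardened pattern: every length is validated against the bytes left in
 * the frame and against the destination before any copy. Malformed
 * elements are rejected rather than silently truncated.
 * Returns 0 on success, -1 if an element overruns the frame,
 * -2 if the SSID is longer than the specification allows. */
int parse_ssid_checked(const uint8_t *frame, size_t frame_len,
                       ssid_result *r)
{
    size_t off = 0;
    memset(r, 0, sizeof *r);
    while (off + 2 <= frame_len) {
        uint8_t tag = frame[off], len = frame[off + 1];
        off += 2;
        if (len > frame_len - off)
            return -1;                 /* element claims bytes the frame lacks */
        if (tag == IE_SSID) {
            if (len > SSID_MAX)
                return -2;             /* larger than the spec permits */
            memcpy(r->ssid, frame + off, len);
            r->ssid[len] = '\0';
            r->found = 1;
            return 0;
        }
        off += len;                    /* skip elements we do not parse */
    }
    return 0;                          /* well-formed frame, no SSID element */
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t frame_ok[]        = { 1, 1, 0x82, IE_SSID, 4, 'l', 'a', 'b', '1' };
static const uint8_t frame_truncated[] = { 1, 1, 0x82, IE_SSID, 5, 'l', 'a', 'b' };

int demo_ok(void)
{
    ssid_result r;
    return parse_ssid_checked(frame_ok, sizeof frame_ok, &r);      /* 0 */
}

const char *demo_ssid(void)
{
    static ssid_result r;
    parse_ssid_checked(frame_ok, sizeof frame_ok, &r);
    return r.ssid;                                                 /* "lab1" */
}

int demo_truncated(void)
{
    ssid_result r;
    return parse_ssid_checked(frame_truncated, sizeof frame_truncated, &r); /* -1 */
}

int demo_oversize(void)
{
    /* An SSID element claiming 33 bytes: within the frame, beyond the spec. */
    uint8_t frame[2 + 33];
    ssid_result r;
    frame[0] = IE_SSID;
    frame[1] = 33;
    memset(frame + 2, 'A', 33);
    return parse_ssid_checked(frame, sizeof frame, &r);            /* -2 */
}

int main(void)
{
    printf("ok=%d ssid=%s truncated=%d oversize=%d\n",
           demo_ok(), demo_ssid(), demo_truncated(), demo_oversize());
    return 0;
}
```

The two checks in the hardened version are independent: the first stops a read past the end of the received frame, the second stops a write past the end of the destination. A driver that does only one of them is still exploitable by the other malformed input, which is why both belong in front of the copy.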
Helps explain OpenBSD's stance on not having blobs, they'd have been able to audit the driver code, and fix it quicker to boot.
Ok, this might be a different bug; but FreeBSD fixed a remote kernel code execution bug which affected systems scanning for existing 802.11 wireless networks. The bug was discovered and reported to the FreeBSD Security Team by Karl Janmar.
Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver
Whether this is a new bug or not, it's certainly not a new type of bug.
Tarsnap: Online backups for the truly paranoid
No one will update. And I'm serious; no one .
I've been working with end users enough at uni and work to realise that most users, even the slightly geeky ones, will only ever upgrade the graphics card on their laptop when they are forced to.
This will be a huge problem no matter how you look at it full stop.
While on one hand I can't wait to get my hands on the sploit, I'm just thinking how painful this will be unless Windows (and this is the only OS I'm worried about, as most Linux and Mac users will get a new driver in their regular updates if they are affected) works out some way to force an update for all wireless drivers out there.
I ate your fish.
Security researchers have found a way to seize control of a laptop computer
...
They used an open-source 802.11 hacking tool
Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?
I'll probably be modded down for this...
A native code exploit in kernel space?! GASP! Nobody saw that coming!
Now I can't use Wifi until August. Thanks a lot.
I cried real tears when Li Mu Bai died.
Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?
When open source hacking tools are made criminal, only criminals have access to security.
I thought the purpose was to find security holes and close them?
I can only hope this is supposed to be sarcastic, but it was modded +4 interesting. With no tags or marks, over the medium it's impossible to tell.
http://www.debunkingskeptics.com/
You own a mine that produces WiFi chips?
Free as in mason.
Security is an intuitive thing. I'm not saying this could be avoided, but you can bet that I've always turned off my wireless card when I'm not using it. I never heard of anyone doing this before, but I've always figured it was possible.
;-)
Unfortunately, any bit of code that runs on your computer is a potential vulnerability. The best possible solution is to minimize what's running, and update quickly if possible... but even that isn't necessarily protection. I seriously believe that the bad guys will always be one step ahead. Makes my career in security a bitch, but at least guarantees a paycheck.
That's a bad joke, please? Bad because people might get ideas. Makers of crappy devices will soon say much the same. It makes me ill.
The real solution, of course, is to avoid crappy closed source drivers. Efforts such as ndiswrapper, while nice, bring closed source fragility to free software. Free drivers, when broken, will be fixed. Good luck getting a fix for that ancient POS you bought at CompUSA taken care of.
Sticking your head in the sand won't fix your closed source driver. Free tools will help find the problem. Not having the tool won't make the problem disappear and the kinds of people who would bother with a "drive by" will keep doing it despite any silly laws.
Friends don't help friends install M$ junk.
Presumably you must still have WiFi turned on though. To save battery life, mine is usually off unless I'm connected.
A perfect example of why you should ALWAYS disable your WiFi adapter when you aren't using it.
So the researchers blew up the compromised laptop in a Japanese conference as proof-of-concept? I'm confused.
And that's just cruel. I mean, you fried the guy's BALLS, man.
In related news, 50cent wants laptops for inner city kids.
Mr. Cent was quoted as saying: Now you can be a victim of a driveby without ever leaving the house, how gangsta is that? Mr. Cent refused to comment whether the laptop will be available with a 1000W sound system or gold plated mouse options.
So, when do the researchers get formally indicted under the DMCA? It's a legitimate question.
Contrary to the FUD spread by DMCA opponents (I am not endorsing the DMCA, merely pointing out that all sides, "good" or "bad" engage in FUD), this is perfectly legal.
Quotes are from http://thomas.loc.gov/cgi-bin/query/F?c105:6:./te
First we have the government exception:
"David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California."
(e) LAW ENFORCEMENT, INTELLIGENCE, AND OTHER GOVERNMENT ACTIVITIES- This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State. For purposes of this subsection, the term `information security' means activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.
Then we also have a security research exemption:
`(j) SECURITY TESTING-
`(1) DEFINITION- For purposes of this subsection, the term `security testing' means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network.
`(2) PERMISSIBLE ACTS OF SECURITY TESTING- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.
`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--
`(A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and
`(B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security.
`(4) USE OF TECHNOLOGICAL MEANS FOR SECURITY TESTING- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing described in subsection (2), provided such technological means does not otherwise violate section (a)(2).
I'd cut and paste more but I think readers will get the point.
I stopped using their blobs last year; the nv driver is plenty good enough. If you are concerned over your video game scores, you might consider..growing up as an alternative solution. Believe it or not, there is still a lot of "computing" you can do without blobs, and then there's meat space, where maybe you can learn to drive and work on a real car, or learn ballistics and shoot a real gun at the range, or actually go outside and meet someone.
Videogames are being used as an excuse way way too much for continuing to support binary blobs and things like MS career crooked company products.
In the 60s, too much drugs and very little work.
The 70s was too much disco and way too much really bad clothing.
The 90s was way too much monetary greed and outright stupidity.
The 2000s now are saturated with bread and circuses, despite all the real work that needs to be done and real world problems that need to be addressed, and also what happens to folks physically and psychologically (yes, admit it, it's true) when they spend the bulk of their free time sitting on their butt playing video games. Go outside once in a while, get some exercise, stop rewarding the lard builders; humans have been kept amused for millennia without that sort of nonsense.
Of course, users should apply critical updates. Even in a perfect world, where drivers are only changed for critical stuff, the problem is: how are they going to know? You might say "Windows Update", but that only works for Windows drivers and you know as well as I do that most, if not all, drivers are third-party drivers.
My example for Logitech mice stands: I am pretty much the only one that buys a mouse, plugs it in and it works. Other people *think* they need to install *everything* that is on the included CD. It is not the responsibility of Microsoft to push third-party driver updates over Windows Update. It is not their responsibility nor their role.
The only other solution to the problem is: every single driver needs to check the "mothership" for updates every other time. Just like antivirus programs do, just like Windows Update works. I do not even want to imagine what kind of resources that would use, and even less what kind of havoc it might cause because a "bad driver" got released that borks about every second computer in the world. Oh, and I'm ignoring all the privacy issues that such a system would bring with it.
Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
Don't they have Wifi too? And I bet this is old news for NSA, Mossad and the like.
Timo's Audio Software http://www.esseraudio.com
Seems to me like this is right out of Darwin's Law. In essence, prey evolves defenses to reduce predation; thus predators must evolve to overcome the defenses of the prey. Same thing here with the hardware manufacturers (and their coders): they've done the "get it working" and the "make it fast" steps. Now they have to do the "get it right" step.
Understanding is much like a 3-edged sword. In this: there are always 2 sides and the truth.
Since when was Scheme object-oriented? Also, as a Schemer, I can say that in most cases there *is* a large speed penalty involved, often on the order of a magnitude (or worse). It's much more of an issue if the speed hit matters than pretending it doesn't exist.
For the record, it is also perfectly possible to write safe C code with a good deal of rigor and some basic knowledge of the platform. You certainly don't need to know how to write at a lower level as long as you understand the concepts involved and the particular features of the hardware. People do it all the time and plenty of libraries exist to enable this.
And finally, people hardly switched to Java for "no apparent reason". It's not in the least my language of choice, but for some groups it has a distinct number of advantages over C or C++. In summary, I'm convinced you have no idea what you're talking about.
That's why you need to separate the role of OS developers and distributors...
On unix OS's, you can get updates for all your apps and drivers from one place, and the distributor will make the newest versions available for you.
Windows however is very messy and disjointed: you can get updates for the core OS from windowsupdate, but even many Microsoft products have to be updated separately, and forget about any third party apps/drivers you might have installed.
You end up with an update service running for every program you have installed, or having to manually check for, download and install updates which becomes a HUGE pain in the ass when you have lots of apps installed.
MacOS isn't quite as bad, since the software update feature will update all your Apple-branded apps as well as the OS, but you're still screwed when it comes to third party apps.
Contrast this with a modern Linux distro, where 99% of the apps you're ever likely to need will come with the distro and be supported/updated by them... And for the remaining 1%, you can usually add additional package sources to your system package manager so you can still update everything in a central and consistent manner.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Again we hear of a vulnerability and again it is one which need never have existed in the first place. We know a song about that!
It's time that access to source code for device drivers was mandated by law: if hardware manufacturers will not supply the source code for their drivers, then they simply should not be allowed to sell the product. It has to be demanded from above, because of the {false, and patently so} perception that releasing driver source code or specifications might benefit competitors: if everyone has to do it then no-one will benefit unfairly.
Now, in the case of wireless devices, there is a definite possibility that the device could be reprogrammed to operate in a different way to that for which type-approval was granted. So it should be made clear that the approval covers the hardware and software as a combination, and altering the software may cause the device to operate in a non-approved manner. Just by the general principle of "innocent until proven guilty", anyone using a modified version of a device driver would only be liable for prosecution if they actually caused undesirable interference. Anyway, this is how it works in industry: type-approval procedures are published, you can certify your own products, but if at a later date they are discovered not to meet the requirements, then it's your responsibility to deal with it.
Je fume. Tu fumes. Nous fûmes!
Hacking: to make chopping strokes or blows
Tool: a handheld device that aids in accomplishing a task
An example of a hacking tool is an ax or hatchet. Almost all laptops seem vulnerable to this hacking tool. One previously unknown exploit is that this hacking tool can make a wired network into a wireless network.
Thank you and good night.
lorcon info: http://www.802.11mercenary.net/lorcon/e .tar.gz
lorcon d/l: http://802.11ninja.net/code/lorcon-current.tgz
airbase info: http://www.802.11mercenary.net/
airbase d/l: http://www.802.11mercenary.net/code/airbase-stabl
code mirror: http://www.qcs-rf.com/slashdot
There are only 10 types of people in the world: Those who understand binary, and those who don't.
The reason that Forth is such a great choice for firmware and embedded systems is twofold. First of all, it is fairly fast. There can be a lot of indirection, but it is localized to a small amount of memory.
Second of all, and very importantly, you can fit an entire Forth development environment into a few k. Might need 5-10 on these newfangled 32-bit machines. That is the whole thing: no separate compiler, runtime libraries, nothing like that. So, in the time it takes to study the gcc source enough to start porting it to a new architecture, you can write a complete Forth interpreter in assembly, burn it to an EPROM, and start talking to your new architecture over a serial line.
And as you might expect, much like C, the bare metal is open to you. ! and @ are the commands to store and fetch variables. But they don't just work for variables; they work for any address you want to pass them.
Actually, you're wrong.
Lawrence Lessig in his book called Free Culture (freely downloadable in PDF, google it) details how this is broken.
The researchers are able to research, but they are not able to publish their findings. So they can't share what they've learned legally. This is the difference between theory and practice.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I've been working with end users enough at uni and work to realise that most users, even the slightly geeky ones, will only ever upgrade the graphics card on their laptop when they are forced to.
Well, considering upgrading the graphics card would take, at the least, a large amount of disassembly and soldering on 99.9% of laptops, maybe it's a good thing end users don't try ....
More seriously, a lot of the problems with laptops are that vendors (nvidia, ati, intel, et al) will not ship drivers for the parts used in laptops; instead they provide them to the laptop vendors, who, after a year, stop bothering. Trying to find an up to date video driver for my Toshiba is next to impossible, because Toshiba never released any, so I'm stuck with a driver that's well over a year old and has problems in some games. But their viewpoint is, of course, only support the latest and greatest, make people update the hardware. The only hope you have are the people out there who hack the standard driver packages to work with laptop vendor specific device IDs.
If MS had followed through on the idea of including certified drivers in windowsupdate it would have solved a lot of problems, but very few vendors support it.
... is starting to look a lot better every day.
> Just think of the many DOS 3D-graphics libraries written in Pascal.
The Borland libraries were written in C and assembler. They had a bit of pascal glue so that you could do graphics from TP/BP.
> Their whole firmware is written in Forth.
Only a little more than is needed to POST, for example the analogue of a VGA BIOS. Later in boot, drivers provided by the OS take over.
> TV during the 80s you have probably seen 3D graphics going through a system entirely written in LISP, the LISP-machine.
What!? Some of the Symbolics Lisp Machines were used for animation, but the vast majority (of the small number made) were used for AI research, but that is tangential.
Further, is your serial port driver going to be solving mazes or replacing Mathematica anytime soon? Also, I use make for much more than compiling C programs. Funny how that is: make has the single good idea from Prolog and is useful outside toy experiments in computational logic.
Basically the reason drivers are written in C is that it is much like using assembler but with the benefit of being massively more portable.
It's time that access to source code for device drivers was mandated by law: if hardware manufacturers will not supply the source code for their drivers, then they simply should not be allowed to sell the product
I don't buy it. First, do you really trust the legislative process to meaningfully define (for actual, real-world use in an industry moving 5000mph) terms like "device" and "driver?" It's bad enough when a judge decides to get involved in discussing what is, and is not part of an operating system, as if such things weren't ever going to change.
I'd rather let demonstrably crappy manufacturers get the reputation they deserve, and let the market sort it out. Don't buy hardware from people whose practices you don't like.
Further: what possible guarantee is there that drivers, having been open-sourced, will go out the door without any vulnerabilities? The concern here isn't whether the bug(s) will be fixed (it/they will), but whether everyone will patch. That concern would still be there even if the same open-source world that has produced all sorts of other buggy/vulnerable releases/products had access to drivers for something produced and shipped in a very short design/marketing life cycle. None of those risks go away, but in your scenario, you now have congress-creatures (egads!) talking about which hunks of code are, or are not "drivers." Now that is a vulnerability I can do without.
Don't disappoint your bird dog. Go to the range.
Announcing this NOW but delaying the actual results until AUGUST will just mimic the "Patch Tuesday" effect only in spades.
The real black-hats who were working on other projects will read this, shift gears, and reproduce the attack within a week or so even without any more details.
A more responsible solution would be to either wait until a patch was released, or, if the companies dragged their feet about it, give the companies a month or two's lead time, then publicly announce the paper's release along with a list of cards affected, then a few days later release the full paper. This gives the companies some lead time to fix the problem and the customers a few days' lead time to replace or disable their wireless devices without giving the black-hats enough time to cause widespread damage.
Now, suppose these guys actually told the companies about this in May. Fine. But do we really have to give the black-hat community over a month to develop an exploit? No. Release the paper or at the very least the names of the affected cards later this week at the earliest.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
http://jnode.org/
Regards,
Steve