Researchers Hack Wi-Fi driver to Breach Laptop

InfoWorldMike writes "Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver, reports Robert McMillan. The hack will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California. They used an open-source 802.11 hacking tool called LORCON (Lots of Radion Connectivity) to throw an extremely large number of wireless packets at different wireless cards and see if they fail. They declined to disclose the specific details of their attack before the August 2 presentation, but said it was potentially a huge hole because exploiters could simply sit in a public space and wait for the right type of machine to come into range to attack. "This would be the digital equivalent of a drive-by shooting," said Maynor. The victim would not even need to connect to a network for the attack to work, he said."

Great news

[heinousjay]

I'm glad I still run DOS. No wireless support means I'm safe from these dirty hackers, and any sort of modern productivity.

Re:Great news

[bitt3n]

actually thanks to rigorous backwards compatibility, you can be perfectly safe from productivity all the way through Vista.

Re:Great news

[tgd]

I'm glad I still run Linux. No wireless support means I'm safe from these dirty hackers, and any sort of modern productivity.

(this isn't going to be pretty.... *ducks*)

Disclosure?

[MostAwesomeDude]

I wonder why they haven't disclosed the details. Hopefully they contacted the card manufacturer in order to get a new driver prepared for the masses before they uncover the full exploit at the conference.

Re:Disclosure?

[arivanov]

Not necessarily.

In order for this hack to work it essential for the wireless driver to handle at least some MAC and encryption functions in software. In that case it is available for a hit simply by the fact of being active, regardless of the connection status. Most modern cards are like this (if not all). Atheros also definitely fits the bill. In fact it is more likely to fit the bill because more bits are implemented in software compared to Centrino. So do a few others.

As far as Centrino you are to some extent right that it is the most likely candidate. The reason for this is that it has "feature" called preassociation. It will search and connect to the strongest AP in the area even if you have set the connection inactive. It is enough to load the driver and not have the antenna off.

Greater problem

[Casandro]

The problem is greater than that. It's probably not a single instance of wireless drivers that has such a bug, but in fact an extremely widespread problem.

I am slowly convinced, that any larger piece of C(++)-Code which handles strings, has in fact at least one Buffer overflow.

So, what will happen. The card-manufacturer might fix the bug, nobody updates, and 20 new bugs in other drivers are found, perhaps 10 of them beeing the same bug.

What's really nice about it is that Intel recently claimed, that something like this was not probable.

So, what's the solution?

1. Educate your programmers about the programmers about the language they are using. Most people who write in C(++) don't know anything about how the language works. A C(++) Programmer without firm knownledge of assember on that plattform should never be allowed to write production-grade C(++)-Code.

2. If you cannot educate your programmers, switch your language. There are plenty of Alternatives avaliable. I mean people switched to Java for no appearent reasons. If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penality.

3. Build compatible devices. Make one standard like the old soundblaster one, or the AC97 so all WLAN-cards of a certain class are buildt equal. Then you could even build WLAN functionality into the BIOS. The code would only have to be written once and therefore would be less buggy.

Re:Greater problem

[Penguin+Programmer]

2. If you cannot educate your programmers, switch your language. There are plenty of Alternatives avaliable. I mean people switched to Java for no appearent reasons. If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penality.

Anyone ever heard of writing a device driver in a language other than C/C++ (or straight assembly)? I sure haven't. I mean, I suppose theoretically it would be possible, but I really don't think it's practical.

Better to go with option number 1. Don't put up with shitty programmers, just get better ones. If shitty programmers stop getting paid, shitty programmers will stop occurring.

Re:Greater problem

[Casandro]

There are lots of device drivers in other languages.

Just think of the many DOS 3D-graphics libraries written in Pascal. Those directly accessed your hardware.

Or think of (real) Macintoshes (not those Intel thingies). Their whole firmware is written in Forth. In fact all firmware device drivers of Macs and IBM P-Series as well as Sun computers are written in Forth, it's the "Open Firmware" standard.
In fact, the first Forth system was a computer designed to controll a telescope. The Forth programm directly accessed the hardware, probably via an internal layer of sub-routines.

Then of course, if you have watched TV during the 80s you have probably seen 3D graphics going through a system entirely written in LISP, the LISP-machine.

So, why does nobody use any other language than C for that?
Well first of all, Unix was written in C. In fact it was even the reason why C was invented, to have a platform-independant "assembler" with some very limited high-level functionality.
The same language was also chosen for Windows, as well as Linux.
Now the point is, if you write a device driver for those modern OSes, you will find template programms or tutorials you just fill in your code. Those templates typically are in the language of the OS, which is now typically C.
The problem goes even further. I have seen university students studying informatics, and they don't even know a single language outside the Algol block. (=C, Pascal, C++, Java, VB...) They don't even know Forth or Lisp, let along Prolog. Some of those people have never considered looking out of their boxes into what's beyond Algol.

I'm not saying C is bad per se. What I am saying is that C may be mathematically universal, you can do everything with it in theory, but for any given slightly more complex task it's just not suitable.
If you are not convinced, write a little "derivation"-Programm in C where I can enter something like x^2 and out comes 2*x. Then look into the book "Programming in Prolog" and look at the examples, you will find one the deriving programm there has just a few lines. Maze-solving programms consist of about a handfull of lines plus a pine for every connections.
Now look at C. C seems to be so broken, that not even the compilation process itself is written in C. Look at makefiles. That's a non-algol language only designed to compile C Programms. Isn't that sick?

C is good for number-crunching, but definitely not for anything touching strings.

Re:Greater problem

[maelstrom]

A C(++) Programmer without firm knownledge of assember on that plattform should never be allowed to write production-grade C(++)-Code.

I fail to see how this prevents someone from using libc functions in an unsafe way.

Re:Greater problem

[eclectro]

While I can't say anything for using C with strings, the real number crunchers of the world agree that God's language is the only appropriate one, fortran.

No joke. Device drivers should be written in Fortran. Because if there was any bug in the program, the device driver would never ever work in the first place. Not even partially.

I think we have solved the problem here folks. Just remember you saw it here first on slashdot.

Another idea - need to open source you program, but really don't want to - use Cobol.

Re:Greater problem

[modeless]

Educating all the bad programmers in the world has always been a stupid idea. It's like saying we should stop spammers by teaching people not to click on their links, or eliminate viruses by teaching people not to open suspicious attachments, or bring about world peace by all holding hands and singing "Kumbaya". It might help just a little, but it won't solve the problem. It didn't before, it isn't now, and if you can't see the future trend, you must have some sort of learning disability.

At some point, when an entire population of users spends years using a tool wrong, you have to stop blaming the users and start fixing the tools.

OpenBSD

[ivan+kk]

Helps explain OpenBSD's stance on not having blobs, they'd have been able to audit the driver code, and fix it quicker to boot.

Re:OpenBSD

[peacefinder]

It sounds like this will be either the second remote hole in the default install for OpenBSD, or another example of them saying "Yeah, we fixed that a couple years ago."

I'd bet on the latter.

Re:OpenBSD

[SargeantLobes]

Helps explain OpenBSD's stance on not having blobs, they'd have been able to audit the driver code, and fix it quicker to boot.

My thoughts exactly. Even if this exploit creeped in to the drivers, it'll be fixed byt tomorrow (or as soon as the ppl explain how the exploit works). Others will be waiting for weeks for a binary release from wifi vendors. And the vendors'll keep quiet about it, because they don't want to lose face.

People call Theo de Raadt a hardass for his stance on blobs. Torvalds calls him "difficult", but in the end he's right.

An OS that wants to be secure can't include code or grant rights to code, of whcih it doesn't know the source. How can you call something secure, if you've got a large piece of code with lots of rights and you don't know what the hell it does?

Fixed in FreeBSD five months ago.

[cperciva]

Ok, this might be a different bug; but FreeBSD fixed a remote kernel code execution bug which affected systems scanning for existing 802.11 wireless networks. The bug was discovered and reported to the FreeBSD Security Team by Karl Janmar.

Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver

Whether this is a new bug or not, it's certainly not a new type of bug.

Even Greater Problem

[cloricus]

No one will update. And I'm serious; no one .

I've been working with end users enough at uni and work to realise the most even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced too.

This will be a huge problem no matter how you look at it full stop.

While on one hand I can't wait to get my hands on the sploit I'm just thinking how painful this will be unless Windows (and this is the only OS I'm worried about as most Linux and Mac users will get a new driver in their regular updates if they are effected) works out some way to force an update for all wireless drivers out there.

Re:Even Greater Problem

[jawtheshark]

even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced too.

I know we are talking about exploits here and exploits should be fixed. I disagree, however, that you should upgrade your drivers continuously *without a good reason*.

First it requires you to keep track about all driver releases of your system (if you're a network admin, it might even be many more configurations) Upgrading some point releases will probably not do much.

Second is stability: if your system is stable with your current drivers and performs well, why would you upgrade? Upgrading drivers always jeopardizes your system. Windows might not like the driver or the combination of drivers you need. That's a good reason to standarize the drivers you put on your machines.

Third, you need to realise that a "driver update" might not even concern your hardware device. Many drivers these days are unified. Is a point-release going to affect you at all. For example, if you have an older GeForce MX2, will the latest NVidia driver include *any* changes for you? I doubt it. It might even introduce new bugs because said driver has been optimized for a newer card and breaks compatibility with your older card. The last argument of course, brings us back to point two.

Fourth: many third party drivers are bad as hell and the standard Windows drivers do a good enough job. For many devices, there is no need at all to install drivers in the first place. Do you really install the Logitec drivers for your standard 3-button/scrollwheel mouse? I most certainly do not.

Essentially, it all boils down to: if it ain't broke, don't fix it.

Clearly the solution is...

[MarkByers]

Security researchers have found a way to seize control of a laptop computer

They used an open-source 802.11 hacking tool ...

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?

Re:Clearly the solution is...

[dilvish_the_damned]

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?

They are illegal. Not in words on paper, but in practice. Prosecutors like smoking guns, and thats how they use trivial shit. Just get yourself suspected of a related crime, and then have said tools on your laptop."Was there any evidence that the defendant used such tools?" "Yes ma'am, we found something called 'cracklib' on his laptop which is used with other tools to cracking passwords, there is no other reason for it your honor".

I also learned one other thing that day; judges have zero sense of humor. I think its a requirement for the job or something.

Re:Base Station?

Why would you want to attack a venerable basestation? I thought we liked those. A lot.

Is this supposed to be sarcastic?

[Steeltoe]

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?

When open source hacking tools are made criminal, only criminals have access to security.

I thought the purpose was to find security holes and close them?

I can only hope this is supposed to be sarcastic, but it was modded +4 interesting. With no tags or marks, over the medium it's impossible to tell.

Once again....

[Corbets]

Security is an intuitive thing. I'm not saying this could be avoided, but you can bet that I've always turned off my wireless card when I'm not using it. I never heard of anyone doing this before, but I've always figured it was possible.

Unfortunately, any bit of code that runs on your computer is a potential vulnerability. The best possible solution is to minimize what's running, and update quickly if possible... but even that isn't necessarily protection. I seriously believe that the bad guys will always be one step ahead. Makes my career in security a bitch, but at least guarantees a paycheck. ;-)

ugh. Head in Sand Defense.

[twitter]

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal.

That's a bad joke, please? Bad because people might get ideas. Makers of crappy devices will soon say much the same. It makes me ill.

The real solution, of course, is to avoid crappy closed source drivers. Efforts such as ndis wrapper, while a nice, bring closed source fragility to free software. Free drivers, when broken will be fixed. Good luck getting a fix for that ancient POS you bought at the CompUSA taken care of.

Sticking your head in the sand won't fix your closed source driver. Free tools will help find the problem. Not having the tool won't make the problem disappear and the kinds of people who would bother with a "drive by" will keep doing it despite any silly laws.

So what?

What's the point of thiCan you satisfi your women? cheap meds!^D^Dexiy

Save battery = save DoS

[xav_jones]

"The victim would not even need to connect to a network for the attack to work", he said.

Presumably you must still have WiFi turned on though. To save battery life, mine is usually off unless I'm connected.

Turn it off!

[soundscape]

A perfect example of why you should ALWAYS disable your WiFi adapter when you aren't using it.

Wait a minute..

[Frightening]

So the researchers blew up the compromised laptop in a Japanese conference as proof-of-concept? Im confused.

And that's just cruel. I mean, you fried the guy's BALLS, man.

Drive by shooting?

[lxs]

"This would be the digital equivalent of a drive-by shooting," said Maynor.

In related news, 50cent wants laptops for inner city kids.

Mr. Cent was quoted as saying: Now you can be a victim of a driveby without ever leaving the house, how gangsta is that? Mr. Cent refused to comment whether the laptop will be available with a 1000W sound system or gold plated mouse mouse options.

Contrary to anti-DMCA FUD, the DMCA *allows* this

[AHumbleOpinion]

So, when do the researchers get formally indicted under the DMCA? It's a legitimate question.

Contrary to the FUD spread by DMCA opponents (I am not endorsing the DMCA, merely pointing out that all sides, "good" or "bad" engage in FUD), this is perfectly legal.

Quotes are from http://thomas.loc.gov/cgi-bin/query/F?c105:6:./tem p/~c105JANxzK:e11962:

First we have the government exception:

"David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California."

(e) LAW ENFORCEMENT, INTELLIGENCE, AND OTHER GOVERNMENT ACTIVITIES- This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State. For purposes of this subsection, the term `information security' means activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.

Then we also have a security research exemption:

`(j) SECURITY TESTING-

`(1) DEFINITION- For purposes of this subsection, the term `security testing' means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network.

`(2) PERMISSIBLE ACTS OF SECURITY TESTING- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--

`(A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and

`(B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security.

`(4) USE OF TECHNOLOGICAL MEANS FOR SECURITY TESTING- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing described in subsection (2), provided such technological means does not otherwise violate section (a)(2).

I'd cut and paste more but I think readers will get the point.

Re:I agree...but I don't...but I do...

[jawtheshark]

Of course, users should apply critical updates. Even in a perfect world, where drivers are only changed for critical stuff, the problem is: how are they going to know? You might say "Windows Update", but that only works for Windows drivers and you know as well as I do that most, if not all, drivers are third-party drivers.

My example for Logitec mice stands: I am pretty much the only one that buys a mouse, plugs it in and it works. Other people *think* they need to install *everything* that is on the included CD. It is not the responsibility of Microsoft to push third-party driver updates over Windows Update. It is not their responsibility nor their role.

The only other solution to the problem is: every single driver needs to check the "mothership" for updates every other time. Just like antivirus programs do, just like Windows Update works. I do not even want to imagine what kind of resources that would use, and even less what kind of havoc it might cause because a "bad driver" got released that borks about every second computer in the world. Oh, and I'm ignoring all privacy issue that such a system would bring with it.

Diebold's voting machines

[Timo_UK]

Don't they have Wifi too? And I bet this is old news for NSA, Mossad and the like.

mod parent down

[John+Nowak]

Since when was Scheme object-oriented? Also, as a Schemer, I can say that in most cases there *is* a large speed penalty involved, often on the order of a magnitude (or worse). It's much more of an issue if the speed hit matters than pretending it doesn't exist.

For the record, it is also perfectly possible to write safe C code with a good deal of rigor and some basic knowledge of the platform. You certainly don't need to know how to write at a lower level as long as you understand the concepts involved and the particular features of the hardware. People do it all the time and plenty of libraries exist to enable this.

And finally, people hardly switched to Java for "no apparent reason". It's not in the least my language of choice, but for some groups it has a distinct number of advantages over C or C++. In summary, I'm convinced you have no idea what you're talking about.

again we hear of it

[ajs318]

Again we hear of a vulnerability and again it is one which need never have existed in the first place. We know a song about that!

It's time that access to source code for device drivers was mandated by law: if hardware manufacturers will not supply the source code for their drivers, then they simply should not be allowed to sell the product. It has to be demanded from above, because of the {false, and patently so} perception that releasing driver source code or specifications might benefit competitors: if everyone has to do it then no-one will benefit unfairly.

Now, in the case of wireless devices, there is a definite possibility that the device could be reprogrammed to operate in a different way to that for which type-approval was granted. So it should be made clear that the approval covers the hardware and software as a combination, and altering the software may cause the device to operate in a non-approved manner. Just by the general principle of "innocent until proven guilty", anyone using a modified version of a device driver would only be liable for prosecution if they actually caused undesirable interference. Anyway, this is how it works in industry: type-approval procedures are published, you can certify your own products, but if at a later date they are discovered not to meet the requirements, then it's your responsibility to deal with it.

Webster to the rescue

[Propaganda13]

Hacking: to make chopping strokes or blows
Tool: a handheld device that aids in accomplishing a task

An example of a hacking tool is an ax or hatchet. Almost all laptops seem vulnerable to this hacking tool. One previously unknown exploit is that this hacking tool can make a wired network into a wireless network.

Thank you and good night.

Download link + mirror

[qcs-rf.com]

lorcon info: http://www.802.11mercenary.net/lorcon/
lorcon d/l: http://802.11ninja.net/code/lorcon-current.tgz
airbase info: http://www.802.11mercenary.net/
airbase d/l: http://www.802.11mercenary.net/code/airbase-stable .tar.gz

code mirror: http://www.qcs-rf.com/slashdot

Forth and open firmware.

[bgalehouse]

The reason that forth is such a great choice for firmware and embedded systems is twofold. First of all, it is fairly fast. There can be a lot of indirection, but it is localized to a small amount of memmory.

Second of all, and very importantly, you can fit an entire forth development environment into a few k. Might need 5-10 on these new fangled 32 bit machines. That is the whole thing, no separate compiler, runtime libraries, nothing like that. So, in the time it takes to study the gcc source enough to start porting it to a new architecture, you can write a complete forth interpreter in assembly, burn it to an eprom, and start talking to your new architecture over a serial line.

And as you might expect, much like C, the bare metal is open to you. ! and @ are the commands to store and fetch variables. But they don't just work for variables, they work for any address you want to pass them.

Re:Contrary to anti-DMCA FUD, the DMCA *allows* th

[A+beautiful+mind]

Actually, you're wrong.

Lawrence Lessig in his book called Free Culture (freely downloadable in pdf, google it) details how is this broken.

The researchers are able to research, but they are not able to publish their findings. So they can't share what they've learned legally. This is the difference between theory and practice.

OpenBSD's removal of vendors' binary drivers...

[QuietLagoon]

... is starting to look a lot better every day.