Slashdot: News for Nerds

Researchers Hack Wi-Fi driver to Breach Laptop

samzenpus posted about 8 years ago | from the reach-out-and-hack-someone dept.

InfoWorldMike writes "Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver, reports Robert McMillan. The hack will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval Postgraduate School in Monterey, California. They used an open-source 802.11 hacking tool called LORCON (Lots of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards and see if they fail. They declined to disclose the specific details of their attack before the August 2 presentation, but said it was potentially a huge hole because exploiters could simply sit in a public space and wait for the right type of machine to come into range to attack. "This would be the digital equivalent of a drive-by shooting," said Maynor. The victim would not even need to connect to a network for the attack to work, he said."

199 comments

Great news (4, Funny)

heinousjay (683506) | about 8 years ago | (#15580655)

I'm glad I still run DOS. No wireless support means I'm safe from these dirty hackers, and any sort of modern productivity.

Re:Great news (5, Funny)

bitt3n (941736) | about 8 years ago | (#15580766)

actually thanks to rigorous backwards compatibility, you can be perfectly safe from productivity all the way through Vista.

Re:Great news (1)

Guy Harris (3803) | about 8 years ago | (#15580914)

actually thanks to rigorous backwards compatibility, you can be perfectly safe from productivity all the way through Vista.

"Backwards compatibility"? A lot of anti-productivity software [microsoft.com] is designed for Windows; it's not just a bunch of old DOS software.

Not that UN*X+X11 doesn't compete [kde.org] there [gnome.org] .

At least Apple doesn't bundle much in the way of anti-productivity software [apple.com] with OS X - no Solitaire, for example.

Re:Great news (1)

ralmin (459495) | about 8 years ago | (#15581064)

Well they've removed the ability to make your command window (DOS prompt) full screen in Windows Vista. It always says full screen mode is not available when I press Alt-Enter. That'll make a whole heap of DOS software incompatible.

Re:Great news (0, Troll)

csplinter (734017) | about 8 years ago | (#15580852)

Yes, but does it run Linux. Ok, you can mod me up now!

Disclosure? (5, Insightful)

MostAwesomeDude (980382) | about 8 years ago | (#15580668)

I wonder why they haven't disclosed the details. Hopefully they contacted the card manufacturer in order to get a new driver prepared for the masses before they uncover the full exploit at the conference.

Greater problem (5, Insightful)

Casandro (751346) | about 8 years ago | (#15580707)

The problem is greater than that. It's probably not a single instance of wireless drivers that has such a bug, but in fact an extremely widespread problem.

I am slowly becoming convinced that any larger piece of C(++) code which handles strings has in fact at least one buffer overflow.

So, what will happen? The card manufacturer might fix the bug, nobody updates, and 20 new bugs in other drivers are found, perhaps 10 of them being the same bug.

What's really nice about it is that Intel recently claimed that something like this was not probable.

So, what's the solution?

1. Educate your programmers about the language they are using. Most people who write in C(++) don't know anything about how the language works. A C(++) programmer without firm knowledge of assembler on that platform should never be allowed to write production-grade C(++) code.

2. If you cannot educate your programmers, switch your language. There are plenty of alternatives available. I mean, people switched to Java for no apparent reason. If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penalty.

3. Build compatible devices. Make one standard like the old SoundBlaster one, or AC97, so all WLAN cards of a certain class are built equal. Then you could even build WLAN functionality into the BIOS. The code would only have to be written once and therefore would be less buggy.
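The story summary describes the researchers' method as throwing a very large number of 802.11 frames at cards with LORCON and watching for failures, and Casandro's comment above argues that C code handling attacker-controlled lengths and strings is where such drivers break. The block below is an added example written for this page: it is not the researchers' code, not LORCON, and not any vendor's driver, and the page gives no details of the actual bug. It models one thing a driver does with every beacon or probe response it hears, whether or not the machine is associated with anything: walking the type/length/value information elements (IEs) in the frame body and copying the SSID out. The vulnerable form trusts the length octet that arrived over the air; the checked form bounds it against both the bytes remaining in the frame and the size of the destination. A small byte-flipping mutator then feeds thousands of constructed variants to the checked parser. Element IDs 0 and 1 and the 32-octet SSID cap come from the 802.11 standard; the frame bytes are constructed, and every function name is hypothetical.

```c
/* Added example, not code from any real driver, from LORCON or from the researchers:
 * 802.11 information-element (IE) parsing of a beacon body, vulnerable vs. checked,
 * plus a mutational fuzz loop against the checked parser. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IE_SSID  0   /* element IDs from the 802.11 standard */
#define IE_RATES 1
#define SSID_MAX 32  /* 802.11 caps the SSID at 32 octets */
struct bss_info { char ssid[SSID_MAX + 1]; uint8_t ssid_len; };  /* NUL-terminated copy */

/* Vulnerable pattern: the length octet comes off the air and is trusted. An SSID IE
 * claiming 0xFF octets overruns the 33-byte destination; an IE longer than the rest
 * of the body makes the loop read past the buffer. Only benign input reaches it here. */
void parse_ies_vulnerable(const uint8_t *ies, size_t len, struct bss_info *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off + 2 <= len) {
        uint8_t id = ies[off], ie_len = ies[off + 1];
        if (id == IE_SSID) {
            memcpy(out->ssid, ies + off + 2, ie_len);   /* no bound vs SSID_MAX */
            out->ssid_len = ie_len;
        }
        off += 2 + ie_len;                              /* no bound vs len */
    }
}

/* Checked version: every length is compared with the bytes left in the body and with
 * the destination before any copy; unknown IEs are skipped. Returns 0, or -1 for a
 * truncated IE, an oversized SSID or a trailing partial header. */
int parse_ies_checked(const uint8_t *ies, size_t len, struct bss_info *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off + 2 <= len) {
        uint8_t id = ies[off], ie_len = ies[off + 1];
        if (ie_len > len - off - 2) return -1;          /* claims more than remains */
        if (id == IE_SSID) {
            if (ie_len > SSID_MAX) return -1;           /* would overflow out->ssid */
            memcpy(out->ssid, ies + off + 2, ie_len);
            out->ssid[ie_len] = '\0';
            out->ssid_len = ie_len;
        }
        off += 2 + ie_len;
    }
    return off == len ? 0 : -1;
}

/* Constructed IE bodies (not captured traffic): SSID "lab-ap" plus four supported
 * rates, and a rates IE that claims 9 octets but carries only 2. */
static const uint8_t benign_ies[] = {
    IE_SSID, 6, 'l', 'a', 'b', '-', 'a', 'p',
    IE_RATES, 4, 0x82, 0x84, 0x8b, 0x96,
};
static const uint8_t truncated_ies[] = { IE_RATES, 9, 0x82, 0x84 };

static int checked_ssid_len(const uint8_t *ies, size_t len)  /* SSID length, or -1 if rejected */
{
    struct bss_info info;
    return parse_ies_checked(ies, len, &info) == 0 ? info.ssid_len : -1;
}

static int long_ssid_result(unsigned n)  /* SSID of n 'A's; n > 32 overflows the vulnerable parser */
{
    uint8_t buf[80] = { IE_SSID, (uint8_t)n };
    if (n > sizeof buf - 2) return -1;
    memset(buf + 2, 'A', n);
    return checked_ssid_len(buf, n + 2);
}

/* Deterministic xorshift32 so the fuzz run is reproducible offline. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t rng_next(void) { uint32_t x = rng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return rng_state = x; }
/* Byte-flipping mutator in the "throw lots of frames and see what breaks" spirit: every
 * mutant goes to the checked parser, which must never touch memory outside the buffer.
 * Returns how many mutants it rejected as malformed. */
static unsigned fuzz_checked(const uint8_t *seed, size_t len, unsigned iters)
{
    uint8_t buf[64];
    struct bss_info info;
    unsigned rejected = 0;
    if (len > sizeof buf) return 0;
    for (unsigned i = 0; i < iters; i++) {
        memcpy(buf, seed, len);
        for (unsigned k = 1 + rng_next() % 3; k > 0; k--)  /* flip 1 to 3 bytes */
            buf[rng_next() % len] = (uint8_t)rng_next();
        if (parse_ies_checked(buf, len, &info) != 0) rejected++;
    }
    return rejected;
}

int main(void)
{
    struct bss_info b;
    parse_ies_vulnerable(benign_ies, sizeof benign_ies, &b);   /* benign body only */
    printf("vulnerable: ssid=%s; checked: 40-octet SSID -> %d, truncated IE -> %d; "
           "fuzz rejected %u of 20000 mutants, no crash\n", b.ssid, long_ssid_result(40),
           checked_ssid_len(truncated_ies, sizeof truncated_ies),
           fuzz_checked(benign_ies, sizeof benign_ies, 20000));
    return 0;
}
```

Build with `cc -std=c99 -Wall ie_parse.c`. The two checks in parse_ies_checked cover the two distinct memory errors the naive loop can make: reading past the end of the received frame when an IE length exceeds what remains, and writing past the end of the fixed SSID buffer when it exceeds 32. Pointing the mutator at parse_ies_vulnerable instead is exactly the experiment that turns up a crash, and in a kernel-mode driver that crash is what an attacker builds on; if you try it, do so in a user-mode harness under AddressSanitizer or valgrind so the overrun is reported rather than silently corrupting the stack.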

Even Greater Problem (5, Insightful)

cloricus (691063) | about 8 years ago | (#15580733)

No one will update. And I'm serious; no one .

I've been working with end users enough at uni and work to realise that even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced to.

This will be a huge problem no matter how you look at it full stop.

While on one hand I can't wait to get my hands on the sploit I'm just thinking how painful this will be unless Windows (and this is the only OS I'm worried about as most Linux and Mac users will get a new driver in their regular updates if they are affected) works out some way to force an update for all wireless drivers out there.

Re:Even Greater Problem (5, Insightful)

jawtheshark (198669) | about 8 years ago | (#15580837)

even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced to.

I know we are talking about exploits here and exploits should be fixed. I disagree, however, that you should upgrade your drivers continuously *without a good reason*.

First it requires you to keep track of all driver releases of your system (if you're a network admin, it might even be many more configurations). Upgrading some point releases will probably not do much.

Second is stability: if your system is stable with your current drivers and performs well, why would you upgrade? Upgrading drivers always jeopardizes your system. Windows might not like the driver or the combination of drivers you need. That's a good reason to standardize the drivers you put on your machines.

Third, you need to realise that a "driver update" might not even concern your hardware device. Many drivers these days are unified. Is a point release going to affect you at all? For example, if you have an older GeForce MX2, will the latest NVidia driver include *any* changes for you? I doubt it. It might even introduce new bugs because said driver has been optimized for a newer card and breaks compatibility with your older card. The last argument of course brings us back to point two.

Fourth: many third party drivers are bad as hell and the standard Windows drivers do a good enough job. For many devices, there is no need at all to install drivers in the first place. Do you really install the Logitech drivers for your standard 3-button/scrollwheel mouse? I most certainly do not.

Essentially, it all boils down to: if it ain't broke, don't fix it.

Re:Even Greater Problem (1)

Propaganda13 (312548) | about 8 years ago | (#15580909)

Heartily agree with points 2 & 3, but I never have mod points when I need them.

I agree...but I don't...but I do... (1)

cloricus (691063) | about 8 years ago | (#15580960)

To me if there is an upgrade that is vital/important (and not cosmetic) users should upgrade to it. Though to me upgrades for vital/important things should only exist if the conditions of 'if it isn't broken don't fix it' are met. So while I agree with you I also think that users should follow important updates and when needed upgrade. Unfortunately I'm shot down as the market doesn't follow my thinking/logic, as they release utter crap as an important update so users learn to ignore them.

So I agree with you in reality though in theory I disagree. :P

Though while reading my badly spelt and grammatically lacking post please assume I'm talking in the case of a critical update like the one in question, which I think my logic should apply to without fail. And again, sorry grammar nazis... I already know I've done wrong!

Re:I agree...but I don't...but I do... (4, Interesting)

jawtheshark (198669) | about 8 years ago | (#15580973)

Of course, users should apply critical updates. Even in a perfect world, where drivers are only changed for critical stuff, the problem is: how are they going to know? You might say "Windows Update", but that only works for Windows drivers and you know as well as I do that most, if not all, drivers are third-party drivers.

My example for Logitech mice stands: I am pretty much the only one that buys a mouse, plugs it in and it works. Other people *think* they need to install *everything* that is on the included CD. It is not the responsibility of Microsoft to push third-party driver updates over Windows Update. It is not their responsibility nor their role.

The only other solution to the problem is: every single driver needs to check the "mothership" for updates every other time. Just like antivirus programs do, just like Windows Update works. I do not even want to imagine what kind of resources that would use, and even less what kind of havoc it might cause because a "bad driver" got released that borks about every second computer in the world. Oh, and I'm ignoring all privacy issue that such a system would bring with it.

Re:I agree...but I don't...but I do... (3, Insightful)

Bert64 (520050) | about 8 years ago | (#15581155)

That's why you need to separate the role of OS developers and distributors...

On Unix OSes, you can get updates for all your apps and drivers from one place, and the distributor will make the newest versions available for you.
Windows however is very messy and disjointed: you can get updates for the core OS from Windows Update, but even many Microsoft products have to be updated separately, and forget about any third party apps/drivers you might have installed.
You end up with an update service running for every program you have installed, or having to manually check for, download and install updates, which becomes a HUGE pain in the ass when you have lots of apps installed.
MacOS isn't quite as bad, since the software update feature will update all your Apple-branded apps as well as the OS, but you're still screwed when it comes to third party apps.
Contrast this with a modern Linux distro, where 99% of the apps you're ever likely to need will come with the distro and be supported/updated by them... And for the remaining 1%, you can usually add additional package sources to your system package manager so you can still update everything in a central and consistent manner.

Re:Even Greater Problem (2, Insightful)

Anonymous Coward | about 8 years ago | (#15581252)

even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced to.

That's because laptop drivers are of notoriously shitty quality. IMHO the non-upgradeability of laptops favors a "whole system" approach over more modular designs. Somehow programmers of drivers for laptop hardware seem to think it's ok to write to one specified configuration, validate the whole system and be done with it. They take all sorts of shortcuts and ignore interoperability design guidelines. It's just this one configuration anyway, you know, and as long as that works, they've done their job. But whenever one of the other hardware makers changes a thing, either in the hardware or the software, things begin to break. Thus, even the slightly geeky users learn that, especially with laptops, it's best to "never change a running system".

Re:Greater problem (4, Insightful)

Penguin Programmer (241752) | about 8 years ago | (#15580819)

2. If you cannot educate your programmers, switch your language. There are plenty of alternatives available. I mean, people switched to Java for no apparent reason. If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penalty.

Anyone ever heard of writing a device driver in a language other than C/C++ (or straight assembly)? I sure haven't. I mean, I suppose theoretically it would be possible, but I really don't think it's practical.

Better to go with option number 1. Don't put up with shitty programmers, just get better ones. If shitty programmers stop getting paid, shitty programmers will stop occurring.

Re:Greater problem (5, Insightful)

Casandro (751346) | about 8 years ago | (#15580911)

There are lots of device drivers in other languages.

Just think of the many DOS 3D graphics libraries written in Pascal. Those directly accessed your hardware.

Or think of (real) Macintoshes (not those Intel thingies). Their whole firmware is written in Forth. In fact all firmware device drivers of Macs and IBM pSeries as well as Sun computers are written in Forth; it's the "Open Firmware" standard.
In fact, the first Forth system was a computer designed to control a telescope. The Forth program directly accessed the hardware, probably via an internal layer of subroutines.

Then of course, if you watched TV during the 80s you have probably seen 3D graphics going through a system entirely written in Lisp, the Lisp machine.

So, why does nobody use any other language than C for that?
Well, first of all, Unix was written in C. In fact it was even the reason why C was invented: to have a platform-independent "assembler" with some very limited high-level functionality.
The same language was also chosen for Windows, as well as Linux.
Now the point is, if you write a device driver for those modern OSes, you will find template programs or tutorials where you just fill in your code. Those templates are typically in the language of the OS, which is now typically C.
The problem goes even further. I have seen university students studying informatics, and they don't even know a single language outside the Algol block (= C, Pascal, C++, Java, VB...). They don't even know Forth or Lisp, let alone Prolog. Some of those people have never considered looking out of their boxes into what's beyond Algol.

I'm not saying C is bad per se. What I am saying is that C may be mathematically universal, you can do everything with it in theory, but for any given slightly more complex task it's just not suitable.
If you are not convinced, write a little "derivation" program in C where I can enter something like x^2 and out comes 2*x. Then look into the book "Programming in Prolog" and look at the examples; you will find the deriving program there has just a few lines. Maze-solving programs consist of about a handful of lines plus a line for every connection.
Now look at C. C seems to be so broken that not even the compilation process itself is written in C. Look at makefiles. That's a non-Algol language only designed to compile C programs. Isn't that sick?

C is good for number crunching, but definitely not for anything touching strings.

Re:Greater problem (4, Funny)

Bob_Geldof (887321) | about 8 years ago | (#15580987)

C is good for number-crunching, but definitely not for anything touching strings.

While I can't say anything for using C with strings, the real number crunchers of the world agree that God's language is the only appropriate one, fortran.

Re:Greater problem (0)

Anonymous Coward | about 8 years ago | (#15581078)

While I can't say anything for using C with strings, the real number crunchers of the world agree that God's language is the only appropriate one, fortran.

Fortran isn't God's only language. He uses ML to write compilers :)

Re:Greater problem (4, Funny)

eclectro (227083) | about 8 years ago | (#15581080)

While I can't say anything for using C with strings, the real number crunchers of the world agree that God's language is the only appropriate one, fortran.

No joke. Device drivers should be written in Fortran. Because if there was any bug in the program, the device driver would never ever work in the first place. Not even partially.

I think we have solved the problem here folks. Just remember you saw it here first on slashdot.

Another idea - need to open source you program, but really don't want to - use Cobol.

Re:Greater problem (3, Insightful)

Anonymous Coward | about 8 years ago | (#15581063)

C seems to be so broken that not even the compilation process itself is written in C. Look at makefiles. That's a non-Algol language only designed to compile C programs. Isn't that sick?

I agreed with you up to this point. Makefiles are used to compile *anything*, not just C programs, so I see no reason why they should be written in C. Further, most C compilers are written in C. And BTW, what language was your Prolog interpreter written in?

C is good for number-crunching, but definitely not for anything touching strings.

I would say that C's biggest strength is freedom of memory management. As a previous poster mentioned, much of the scientific community is still using Fortran for heavy-duty number crunching.

Re:Greater problem (2, Informative)

CaptnMArk (9003) | about 8 years ago | (#15581362)

> I would say that C's biggest strength is freedom of memory management.

The real "freedom" in C is pointer arithmetic and unchecked type-casting.

Re:Greater problem (3, Interesting)

Anonymous Coward | about 8 years ago | (#15581186)

Given the abysmal moderating around here that '+5 insightful' tag has taught me to expect rather the opposite.
Why don't all you Lisp, Scheme, Haskell and Java OO-fanboys get together and do it right? Go ahead, start a project on SourceForge, grab some old mobo and implement an OS for it. And while you're at it throw out the BIOS too (assembler, YUCK!). Given the vast superiority of OO languages that should be cake, shouldn't it? Just imagine all the productivity gains since you never have to debug all those buffer overflows. You could be finished by year's end...

Sheesh.

Forth and open firmware. (5, Insightful)

bgalehouse (182357) | about 8 years ago | (#15581312)

The reason that Forth is such a great choice for firmware and embedded systems is twofold. First of all, it is fairly fast. There can be a lot of indirection, but it is localized to a small amount of memory.

Second of all, and very importantly, you can fit an entire forth development environment into a few k. Might need 5-10 on these new fangled 32 bit machines. That is the whole thing, no separate compiler, runtime libraries, nothing like that. So, in the time it takes to study the gcc source enough to start porting it to a new architecture, you can write a complete forth interpreter in assembly, burn it to an eprom, and start talking to your new architecture over a serial line.

And as you might expect, much like C, the bare metal is open to you. ! and @ are the commands to store and fetch variables. But they don't just work for variables, they work for any address you want to pass them.

Re:Greater problem (0)

Anonymous Coward | about 8 years ago | (#15580915)

I wrote a device driver in C# once, for the Singularity operating system at MSR. It was remarkably pleasant, truth be told.

http://research.microsoft.com/os/singularity/ [microsoft.com]

Re:Greater problem (5, Insightful)

modeless (978411) | about 8 years ago | (#15581148)

Educating all the bad programmers in the world has always been a stupid idea. It's like saying we should stop spammers by teaching people not to click on their links, or eliminate viruses by teaching people not to open suspicious attachments, or bring about world peace by all holding hands and singing "Kumbaya". It might help just a little, but it won't solve the problem. It didn't before, it isn't now, and if you can't see the future trend, you must have some sort of learning disability.

At some point, when an entire population of users spends years using a tool wrong, you have to stop blaming the users and start fixing the tools.

Re:Greater problem (1, Insightful)

Anonymous Coward | about 8 years ago | (#15581281)

A tool does whatever its user wants. If what users want can't work, the tool can never be fixed to accommodate them. They need a walkthrough document or a wizard or something because they're not ready to use any tool unaided.

Re:Greater problem (0)

Anonymous Coward | about 8 years ago | (#15581279)

If shitty programmers stop getting paid, shitty programmers will stop occurring.

Wrong. They will just start working for free.

I'd rather the fecally-enhanced programmers keep getting paid to work enhancing Redmond's productivity tools, than come to give their efforts to open source

mod parent down (5, Interesting)

John Nowak (872479) | about 8 years ago | (#15580993)

Since when was Scheme object-oriented? Also, as a Schemer, I can say that in most cases there *is* a large speed penalty involved, often on the order of a magnitude (or worse). It's much more of an issue if the speed hit matters than pretending it doesn't exist.

For the record, it is also perfectly possible to write safe C code with a good deal of rigor and some basic knowledge of the platform. You certainly don't need to know how to write at a lower level as long as you understand the concepts involved and the particular features of the hardware. People do it all the time and plenty of libraries exist to enable this.

And finally, people hardly switched to Java for "no apparent reason". It's not in the least my language of choice, but for some groups it has a distinct number of advantages over C or C++. In summary, I'm convinced you have no idea what you're talking about.

Re:Greater problem (4, Insightful)

maelstrom (638) | about 8 years ago | (#15580996)

A C(++) programmer without firm knowledge of assembler on that platform should never be allowed to write production-grade C(++) code.

I fail to see how this prevents someone from using libc functions in an unsafe way.

Re:Greater problem (2, Insightful)

Viol8 (599362) | about 8 years ago | (#15581144)

>I am slowly becoming convinced that any larger piece of C(++) code which handles strings has in fact at least one buffer overflow.

Well in that case that would include all your high level language interpreters and compilers too, and possibly the code they generate. After all, at some point someone has to code to the metal.

>A C(++) programmer without firm knowledge of assembler on that platform should never be allowed to write production-grade C(++) code.

Why? If they're writing device drivers I'd agree, but for other types of program then you have to ask what knowing the I/O timings or interrupt levels on a CPU has to do with whether a coder can use malloc() (for example) properly or not.

>If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penalty.

Why in God's name would someone who's got to deal with all the low level issues with device drivers want to write in some fluffy high level language that presents a completely different programming paradigm to the hardware he's trying to code to? Don't be an ass.

Re:Greater problem (1)

cg0def (845906) | about 8 years ago | (#15581247)

Scheme??? ROFL dude, how is it that there is always someone like you to turn a discussion on driver quality into a this vs. that programming language? "I am slowly convinced that any larger piece of C(++) code which handles strings has in fact at least one buffer overflow." PROVE IT!!! Oh, and genius, code that was written once can have just as many bugs as maintained code, if not even more. Also there is no such code in the industry that was written once, was never maintained and is in wide usage. Plus if a company has to educate its programmers on how to write safe code then those people shouldn't have been hired for the job in the first place. C++ is a major language and if you've graduated with a CS degree you are still expected to know it (even if not in great detail). Also while assembler does help to understand some concepts in C++ it is by no means a requirement for writing great, safe code. Understanding computer architecture, though, is. Plus every good C++ book would tell you what the limitations of most datatypes and functions are. Like using cin for reading an unknown input and such...

Re:Greater problem (1)

FudRucker (866063) | about 8 years ago | (#15581255)

RE:"So, what will happen. The card-manufacturer might fix the bug, nobody updates"

There are millions of wifi devices in all the Staples, OfficeDepot, CompUSA, Walmart, etc... all with a CD-ROM with the vulnerable driver, and Joe & Jane Sixpack are going to buy it and never bother to find an updated driver...

Re:Disclosure? (1)

SageMusings (463344) | about 8 years ago | (#15580748)

So, when do the researchers get formally indicted under the DMCA? It's a legitimate question.

Contrary to anti-DMCA FUD, the DMCA *allows* this (4, Informative)

AHumbleOpinion (546848) | about 8 years ago | (#15580889)

So, when do the researchers get formally indicted under the DMCA? It's a legitimate question.

Contrary to the FUD spread by DMCA opponents (I am not endorsing the DMCA, merely pointing out that all sides, "good" or "bad" engage in FUD), this is perfectly legal.

Quotes are from http://thomas.loc.gov/cgi-bin/query/F?c105:6:./temp/~c105JANxzK:e11962 [loc.gov] :

First we have the government exception:

"David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California."

(e) LAW ENFORCEMENT, INTELLIGENCE, AND OTHER GOVERNMENT ACTIVITIES- This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State. For purposes of this subsection, the term `information security' means activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.

Then we also have a security research exemption:

`(j) SECURITY TESTING-

`(1) DEFINITION- For purposes of this subsection, the term `security testing' means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network.

`(2) PERMISSIBLE ACTS OF SECURITY TESTING- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--

`(A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and

`(B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security.

`(4) USE OF TECHNOLOGICAL MEANS FOR SECURITY TESTING- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing described in subsection (2), provided such technological means does not otherwise violate section (a)(2).

I'd cut and paste more but I think readers will get the point.

Re:Contrary to anti-DMCA FUD, the DMCA *allows* th (1)

Schraegstrichpunkt (931443) | about 8 years ago | (#15580977)

3(A) pretty much excludes full disclosure, or even any kind of public disclosure, doesn't it? Specifically "the information derived ... used solely to promote the security of the owner ... or shared directly with the developer".

Re:Contrary to anti-DMCA FUD, the DMCA *allows* th (1)

AHumbleOpinion (546848) | about 8 years ago | (#15581032)

3(A) pretty much excludes full disclosure, or even any kind of public disclosure, doesn't it? Specifically "the information derived ... used solely to promote the security of the owner ... or shared directly with the developer".

No, I think you have greatly distorted things with your snipping. Let's see it in context again. Note "the factors to be considered shall include"; other factors are not ruled out. Regarding "promote the security of the owner or operator of such computer ...", this does not prevent public disclosure; fixes or workarounds developed by the FOSS community promote the security of the owner or operator.

`(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--

`(A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and

`(B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security.

Re:Contrary to anti-DMCA FUD, the DMCA *allows* th (4, Informative)

A beautiful mind (821714) | about 8 years ago | (#15581328)

Actually, you're wrong.

Lawrence Lessig in his book called Free Culture (freely downloadable in PDF, google it) details how this is broken.

The researchers are able to research, but they are not able to publish their findings. So they can't share what they've learned legally. This is the difference between theory and practice.

Dunno about others experiences (1)

Chuck Chunder (21021) | about 8 years ago | (#15580772)

But attempting to update the wireless driver on my XP laptop was the one thing that invariably made it flaky, necessitating painful uninstalls and reinstalls to make it happy again. If an updated driver were released I might skip it just based on that fact.

Of course I have other problems as the power socket on my laptop is now dodgy so a unit that cost ~$4000 AUD is now useless unless I want to spend ~$1500 AUD to replace its main board all for the sake of a 5 cent socket. Time for some amateur soldering!

Re:Dunno about others experiences (1)

phaggood (690955) | about 8 years ago | (#15581272)

the power socket on my laptop is now dodgy so a unit that cost ~$4000 AUD is now useless unless I want to spend ~$1500 AUD to replace its main board all for the sake of a 5 cent socket. Time for some amateur soldering!

Why not locate some "professional" soldering? I'm sure a local electronics repair place (cell phone, radios, maybe stereo or TV) would have someone with the skills and equipment to make short work (that's WAY less than $1,500AUD) of fixing that 5 cent socket.

Re:Disclosure? (1)

ImaLamer (260199) | about 8 years ago | (#15580804)

I'm guessing this is the Centrino based laptop we are talking about here. They are saying a type of laptop, not a type of card. If this is true, the fix will come, but havoc will spread. I think of my poor sister who loves her wireless laptop that only requires a push of a button to connect.

What fun.

Re:Disclosure? (4, Informative)

arivanov (12034) | about 8 years ago | (#15580881)

Not necessarily.

In order for this hack to work it is essential for the wireless driver to handle at least some MAC and encryption functions in software. In that case it is available for a hit simply by the fact of being active, regardless of the connection status. Most modern cards are like this (if not all). Atheros also definitely fits the bill. In fact it is more likely to fit the bill because more bits are implemented in software compared to Centrino. So do a few others.

As far as Centrino goes, you are to some extent right that it is the most likely candidate. The reason for this is that it has a "feature" called preassociation. It will search for and connect to the strongest AP in the area even if you have set the connection inactive. It is enough to load the driver and not have the antenna off.

Re:Disclosure? (1)

overlordmead (879368) | about 8 years ago | (#15580913)

Why give anyone the details? Just sell the exploit to a Chinese military developer, or at least the highest bidder in that blackhatted underground.

Disk sure? (1)

roguegramma (982660) | about 8 years ago | (#15581007)

Hopefully you contacted the card manufacturer in order to get a new driver prepared for yourself before the full exploit is disclosed.

Base Station? (3, Interesting)

wish bot (265150) | about 8 years ago | (#15580673)

I wonder if this could be used to attack a wired network through a venerable basestation?

Re:Base Station? (4, Funny)

Anonymous Coward | about 8 years ago | (#15580773)

Why would you want to attack a venerable basestation? I thought we liked those. A lot.

Re:Base Station? (2, Funny)

Zhe Mappel (607548) | about 8 years ago | (#15581091)

I wonder if this could be used to attack a wired network through a venerable basestation?

You are welcome to come to our dojo and try through the Exalted Master of Shin-Fu base station. But beware, warrior.

Re:Base Station? (1)

wish bot (265150) | about 8 years ago | (#15581331)

Ok ok. I deserve that for leaving proof reading to the spell checker. Meh!

It's a serious thought though. Many base stations use pretty much a standard laptop card (Lucent, etc). If the hack is making use of a buffer overflow bug - well, I would guess it would depend on what was driving the kit - some routers run Linux... which may allow for attacks directly on a wired network (against a lot more interesting machines than random laptops).

I'll wager... (1, Funny)

spune (715782) | about 8 years ago | (#15580675)

I'm willing to put $50 down to say that affected manufacturers include my mine.

Re:I'll wager... (1)

dilvish_the_damned (167205) | about 8 years ago | (#15580781)

You're running a D-Link wl-650 on Win98?
I'm not saying that's the affected configuration, I'm just saying...

Re:I'll wager... (2, Funny)

LittleBigLui (304739) | about 8 years ago | (#15580788)

You own a mine that produces WiFi chips?

Re:I'll wager... (1)

apflwr3 (974301) | about 8 years ago | (#15581167)

I'm willing to put $50 down to say that affected manufacturers include my mine.

So either way, you lose?

Your problem might not be that you're unlucky as much as that you don't know how to gamble.

If anything, it'll appear at Defcon (0)

sethstorm (512897) | about 8 years ago | (#15580711)

Given how the exorbitant price for Blackhat includes that for free, it's not like it won't appear over on the Riviera hours if not a day after.

To clarify the above (1)

sethstorm (512897) | about 8 years ago | (#15580719)

Er,

"Given how the exorbitant price for Blackhat includes Defcon admission for free..." is how it should have read.

OpenBSD (5, Interesting)

ivan kk (917820) | about 8 years ago | (#15580726)

Helps explain OpenBSD's stance on not having blobs: they'd have been able to audit the driver code, and fix it quicker to boot.

Re:OpenBSD (0)

Anonymous Coward | about 8 years ago | (#15580865)

In fact, this helps to demand nothing *but* OSS-drivers, if you remember e.g. the imho shortsighted cries for a stable driver API or even ABI for Linux - and indeed the "sloppy" blob-policy there.

Re:OpenBSD (4, Insightful)

peacefinder (469349) | about 8 years ago | (#15580925)

It sounds like this will be either the second remote hole in the default install for OpenBSD, or another example of them saying "Yeah, we fixed that a couple years ago."

I'd bet on the latter.

Re:OpenBSD (1)

QuantumG (50515) | about 8 years ago | (#15581008)

Am I missing something or did you just say this bug affects OpenBSD? How the hell is that possible? The flaw was found in proprietary wireless drivers.

Re:OpenBSD (1)

peacefinder (469349) | about 8 years ago | (#15581029)

No, no, nononono. I was trying to say that it'd be a big surprise if the problem affects OpenBSD, even if every other OS on the planet is affected. Sorry if I was unclear.

Most likely (now that I think about it more) is that the vulnerable wireless hardware is unsupported under OpenBSD, or is supported by a not-vulnerable blob-free driver. (Even if the OpenBSD driver is vulnerable, I'd be very surprised indeed if the problem turns out to be exploitable enough to qualify as a remote hole.)

Re:OpenBSD (5, Insightful)

SargeantLobes (895906) | about 8 years ago | (#15581207)

Helps explain OpenBSD's stance on not having blobs, they'd have been able to audit the driver code, and fix it quicker to boot.

My thoughts exactly. Even if this exploit crept into the drivers, it'll be fixed by tomorrow (or as soon as the ppl explain how the exploit works). Others will be waiting for weeks for a binary release from wifi vendors. And the vendors'll keep quiet about it, because they don't want to lose face.

People call Theo de Raadt a hardass for his stance on blobs. Torvalds calls him "difficult", but in the end he's right.

An OS that wants to be secure can't include code or grant rights to code of which it doesn't know the source. How can you call something secure, if you've got a large piece of code with lots of rights and you don't know what the hell it does?

Fixed in FreeBSD five months ago. (5, Informative)

cperciva (102828) | about 8 years ago | (#15580728)

Ok, this might be a different bug; but FreeBSD fixed [freebsd.org] a remote kernel code execution bug which affected systems scanning for existing 802.11 wireless networks. The bug was discovered and reported to the FreeBSD Security Team by Karl Janmar.

Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver

Whether this is a new bug or not, it's certainly not a new type of bug.

Re:Fixed in FreeBSD five months ago. (0)

Anonymous Coward | about 8 years ago | (#15580746)

New or not... it's something to have a look at. As all vulns are. Just wait and see what they have discovered. The good news is that it will be made public, thus giving the opportunity to fix it. Progress happens.

Re:Fixed in FreeBSD five months ago. (3, Informative)

Joebert (946227) | about 8 years ago | (#15580775)

http://www.802.11mercenary.net/lorcon/ [11mercenary.net] (found ala-Google)
The stuff they have there has files with dates going back to 2003 inside the files.

Re:Fixed in FreeBSD five months ago. (2, Informative)

KarMax (720996) | about 8 years ago | (#15580947)

Whether this is a new bug or not, it's certainly not a new type of bug.
No.. it's not, but the article says it very clearly:

From The Article:

Device driver hacking is technically challenging, but the field has become more appealing in recent years, thanks in part to new software tools that make it easier for less technically savvy hackers, known as script kiddies, to attack wireless cards, Maynor said in an interview.

This vuln is for a specific driver; we still don't know what the flaw is or which wireless device... but the important thing here is that they are pointing out the insecurity of driver development:

From The Article:

Part of the problem is that the engineers who write device drivers often do not have security in mind, he said.

A second problem is that vendors also make devices do more than they really need to in order to be certified as compliant with a particular wireless standard. That piling on of features can open security holes as well, he said.


BTW I like the "mystery" but IMO if they will wait till August 2nd, somebody will discover it too.

Clearly the solution is... (4, Funny)

MarkByers (770551) | about 8 years ago | (#15580739)

Security researchers have found a way to seize control of a laptop computer

They used an open-source 802.11 hacking tool ...

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?

Re:Clearly the solution is... (2, Insightful)

WatchTheTramCarPleas (970756) | about 8 years ago | (#15580761)

Then you would have the problem of defining what a hacking tool actually is. A definition inclusive enough to actually be useful would likely include tools that were not intended to be used for hacking and have legitimate uses.

Webster to the rescue (5, Funny)

Propaganda13 (312548) | about 8 years ago | (#15581188)

Hacking: to make chopping strokes or blows
Tool: a handheld device that aids in accomplishing a task

An example of a hacking tool is an ax or hatchet. Almost all laptops seem vulnerable to this hacking tool. One previously unknown exploit is that this hacking tool can make a wired network into a wireless network.

Thank you and good night.

Is this supposed to be sarcastic? (5, Insightful)

Steeltoe (98226) | about 8 years ago | (#15580776)

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?

When open source hacking tools are made criminal, only criminals have access to security.

I thought the purpose was to find security holes and close them?

I can only hope this is supposed to be sarcastic, but it was modded +4 interesting. With no tags or marks, over the medium it's impossible to tell.

Re:Is this supposed to be sarcastic? (1)

Tony-A (29931) | about 8 years ago | (#15581170)

I can only hope this is supposed to be sarcastic, but...

Unfortunately, the sarcasm is that it likely isn't sarcasm.
There is some assumption that if nobody goes looking for the security flaws, the security flaws will cease to exist.

[sarcasm]If you don't go looking for bugs, the bugs won't exist.[/sarcasm]

If you have a bug, the best you can hope for is for the bug to be demonstrated in a spectacular but essentially harmless fashion.
What normally happens is that people get bit without even realizing it.

Re:Is this supposed to be sarcastic? (2, Interesting)

MooUK (905450) | about 8 years ago | (#15581219)

"When open source hacking tools are made criminal, only criminals have access to security."

Exactly what I just said, in more words, in a letter to my local MP, about a recently passed act. Except I was talking about hacking tools in general, not open source ones.

ugh. Head in Sand Defense. (5, Insightful)

twitter (104583) | about 8 years ago | (#15580797)

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal.

That's a bad joke, please? Bad because people might get ideas. Makers of crappy devices will soon say much the same. It makes me ill.

The real solution, of course, is to avoid crappy closed source drivers. Efforts such as ndiswrapper, while nice, bring closed source fragility to free software. Free drivers, when broken, will be fixed. Good luck getting a fix for that ancient POS you bought at CompUSA taken care of.

Sticking your head in the sand won't fix your closed source driver. Free tools will help find the problem. Not having the tool won't make the problem disappear and the kinds of people who would bother with a "drive by" will keep doing it despite any silly laws.

Re:ugh. Head in Sand Defense. (0)

Anonymous Coward | about 8 years ago | (#15580851)

crappy closed source drivers

Like... nVidia "crappy" drivers, for example?

no need (2, Insightful)

Anonymous Coward | about 8 years ago | (#15580923)

I stopped using their blobs last year, the nv driver is plenty good enough. If you are concerned over your video game scores, you might consider..growing up as an alternative solution. Believe it or not, there is still a lot of "computing" you can do without blobs, and then there's meat space, where maybe you can learn to drive and work on a real car, or learn ballistics and shoot a real gun at the range, or actually go outside and meet someone.

Videogames are being used as an excuse way way too much for continuing support binary blobs and things like MS career crooked company products.

in the 60s too much drugs and very little work

70's was too much disco and way too much really bad clothing

90's was way too much monetary greed and outright stupidity

The 2000s now are saturated with bread and circuses, despite all the real work that needs to be done and real world problems that need to be addressed - and also what happens to folks physically and psychologically (yes, admit it, it's true) when they spend the bulk of their free time sitting on their butt playing video games. Go outside once in a while, get some exercise, stop rewarding the lard builders, humans have been kept amused for millennia without that sort of nonsense.

Re:ugh. Head in Sand Defense. (-1)

Anonymous Coward | about 8 years ago | (#15581124)

Are you done trolling [slashdot.org] for the day?

Nice one! (-1)

Anonymous Coward | about 8 years ago | (#15580868)

Three of 'em in 20 minutes with one cast!

Re:Clearly the solution is... (5, Interesting)

dilvish_the_damned (167205) | about 8 years ago | (#15580895)

Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?

They are illegal. Not in words on paper, but in practice. Prosecutors like smoking guns, and that's how they use trivial shit. Just get yourself suspected of a related crime, and then have said tools on your laptop. "Was there any evidence that the defendant used such tools?" "Yes ma'am, we found something called 'cracklib' on his laptop which is used with other tools to crack passwords, there is no other reason for it your honor".

I also learned one other thing that day; judges have zero sense of humor. I think it's a requirement for the job or something.

Re:Clearly the solution is... (0)

Nicaboker (978150) | about 8 years ago | (#15580929)

Christ I hope that was a Joke.. If not, you make me sick. Making open sourced anything illegal should be a crime in and of itself. Odds are if it wasn't for open sourced software many security holes that have been found wouldn't have been found. I don't know if that is completely true or not, but to me it makes sense. I mean how can you justify your thought process there?

Re:Clearly the solution is... (1)

Ethan Allison (904983) | about 8 years ago | (#15581079)

It was a joke. Do you need to have it say "(Score: $score, Funny)" in order to laugh now?

Duh.

Buffer or Integer overflow? (3, Insightful)

orospakr (715849) | about 8 years ago | (#15580743)

A native code exploit in kernel space?! GASP! Nobody saw that coming!

Great! (3, Funny)

Descalzo (898339) | about 8 years ago | (#15580767)

Now I can't use Wifi until August. Thanks a lot.

Once again.... (5, Insightful)

Corbets (169101) | about 8 years ago | (#15580789)

Security is an intuitive thing. I'm not saying this could be avoided, but you can bet that I've always turned off my wireless card when I'm not using it. I never heard of anyone doing this before, but I've always figured it was possible.

Unfortunately, any bit of code that runs on your computer is a potential vulnerability. The best possible solution is to minimize what's running, and update quickly if possible... but even that isn't necessarily protection. I seriously believe that the bad guys will always be one step ahead. Makes my career in security a bitch, but at least guarantees a paycheck. ;-)

Re:Once again.... (2, Interesting)

Frightening (976489) | about 8 years ago | (#15580945)

Have you ever tried to compromise a FC5 box with basic server-hardening and all the latest tech enabled? The implementation of comprehensive buffer-overflow protection schemes(stack,GOT protection..etc) has made it almost impossible to root certain boxes.

So what? (4, Funny)

Anonymous Coward | about 8 years ago | (#15580801)

What's the point of thiCan you satisfi your women? cheap meds!^D^Dexiy

Black Hat likes pissing people off? (1, Interesting)

theitaliangunman (857554) | about 8 years ago | (#15580810)

I guess it's not necessarily a bad thing that they do something so controversial every year, such as releasing vulnerabilities before they're fixed, but I'm beginning to wonder if they do it just for the attention. Something like this should be addressed before it's released, IMHO.

I seem to recall something similar happening at Blackhat last year, although I can't remember exactly what. All I remember is it was the talk of Defcon for the first night I was there.

Save battery = save DoS (5, Insightful)

xav_jones (612754) | about 8 years ago | (#15580827)

"The victim would not even need to connect to a network for the attack to work", he said.

Presumably you must still have WiFi turned on though. To save battery life, mine is usually off unless I'm connected.

Turn it off! (5, Insightful)

soundscape (962537) | about 8 years ago | (#15580832)

A perfect example of why you should ALWAYS disable your WiFi adapter when you aren't using it.

Re:Turn it off! (1, Insightful)

Anonymous Coward | about 8 years ago | (#15581193)

That's not much help. Now you somehow have to know whether anyone is in range who could attempt this exploit, without enabling your transceiver to check.

Re:Turn it off! (1)

soundscape (962537) | about 8 years ago | (#15581364)

Well yes it is, since, like I said, you should have it disabled by default, and only enable it when you wish to use it.

Re:Turn it off! (1)

CaptainDefragged (939505) | about 8 years ago | (#15581330)

Exactly!!! I cannot, for the life of me, understand why people leave their wireless on all the time. There aren't many APs on the f*cking train for goodness sake! Then they have the audacity to complain about battery life. You only need to enable wireless _when_ you want to use it! Easy if you are running XP Pro - Open network connections, drag wireless icon to desktop. Say yes when it asks to create a shortcut. Now you can right click and enable/disable your wireless in an instant. Almost as easy in Fedora Core. I can post a short shell script if anyone wants it. Great for the IBM laptops without a physical button.
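A toggle script of the kind the comment above mentions, added here as an example; it is not the commenter's script. It assumes Linux sysfs and iproute2's `ip link`, and reads the interface's administrative UP flag (IFF_UP, bit 0x1 of `/sys/class/net/<iface>/flags`) so it flips the radio to the opposite state whether or not the card happens to be associated. The interface name `wlan0` is a placeholder for whatever your system calls the adapter.

```sh
#!/bin/sh
# Added example: bring a wireless interface up only while it is wanted,
# and down again otherwise. Not the commenter's script.
# Assumes Linux sysfs and iproute2 ("ip link"); interface name is a placeholder.

# Read the interface flags from sysfs (a hex string such as 0x1003).
iface_flags() {
    cat "/sys/class/net/$1/flags" 2>/dev/null
}

# Pure decision step: given the flags string, return the action to take.
# IFF_UP is bit 0 (0x1), so an interface that is up gets "down" and vice
# versa. Anything that is not a hex flags value (missing interface) -> "none".
next_action() {
    case "$1" in
        0x[0-9a-fA-F]*) ;;
        *) echo none; return 0 ;;
    esac
    flags=$(printf '%d' "$1")   # printf parses the C-style hex constant
    if [ $((flags & 1)) -eq 1 ]; then
        echo down
    else
        echo up
    fi
}

# Apply the decision with ip link; needs root (or CAP_NET_ADMIN).
toggle_iface() {
    action=$(next_action "$(iface_flags "$1")")
    case "$action" in
        none) echo "no such interface: $1" >&2; return 1 ;;
        *)    ip link set dev "$1" "$action" && echo "$1 is now $action" ;;
    esac
}

# Run only when an interface name is given, e.g.: sudo ./wifi-toggle.sh wlan0
if [ -n "${1:-}" ]; then
    toggle_iface "$1"
fi
```

Bind the script to a hotkey or a desktop launcher and the radio is off by default, exactly the posture the comment argues for; the decision step is kept separate from the `ip link` call so it can be checked without touching a real interface.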

Wait a minute.. (4, Funny)

Frightening (976489) | about 8 years ago | (#15580845)

So the researchers blew up the compromised laptop in a Japanese conference as proof-of-concept? I'm confused.

And that's just cruel. I mean, you fried the guy's BALLS, man.

Drive by shooting? (4, Funny)

lxs (131946) | about 8 years ago | (#15580874)

"This would be the digital equivalent of a drive-by shooting," said Maynor.


In related news, 50cent wants laptops for inner city kids. [cbsnews.com]

Mr. Cent was quoted as saying: Now you can be a victim of a driveby without ever leaving the house, how gangsta is that? Mr. Cent refused to comment whether the laptop will be available with a 1000W sound system or gold plated mouse options.

Re:Drive by shooting? (-1, Offtopic)

slashdotmsiriv (922939) | about 8 years ago | (#15580941)

sweet! gangsta wardriving! from the article u pointed to, but unrelated to the topic: "I'm creating a foundation that will be around for a long time, because fame can come and go or get lost in the lifestyle and the splurging," the rapper says in the Forbes interview. "I never got into it for the music. I got into it for the business." U don't hear that very often from musicians, at least the guy is honest.

Re:Drive by shooting? (0, Offtopic)

ReluctantBadger (550830) | about 8 years ago | (#15581190)

(From the article) 50 Cent: "I never got into it for the music. I got into it for the business."

Ahhh, so now you're admitting to being a fucking hypocritical douchebag? God damn it I hate gangsta rappers. Putting out hideously mangled "remixes" of old favourites, layered with angry words about their hard life growing up in the ghetto, whores/bitches, drugs, brutal white cops and bling-bling. Then when these convicted former drug dealers are famous and have made a fortune from blinkered and angst-ridden teens, we find out that not a penny they've earnt has gone back into helping the impoverished communities from which they claim to have originated, giving rise to yet another generation of ignored and downtrodden youth with little hope of climbing out of the gutter. "Fiddy" can shove his Bentley Continental, 24 carat back scratcher and poolside table of money right up his arse. With any luck the tenth bullet will do the job.

Diebold's voting machines (5, Interesting)

Timo_UK (762705) | about 8 years ago | (#15580974)

Don't they have Wifi too? And I bet this is old news for NSA, Mossad and the like.

all things survival (3, Interesting)

proudhawk (124895) | about 8 years ago | (#15580978)

seems to me like this is right out of Darwin's Law.

In essence, prey evolves defenses to reduce predation.
Thus predators must evolve to overcome the defenses
of the prey. Same thing here.

with the hardware manufacturers (and their coders):
they've done the "get it working" and the "make it fast" steps.
Now they have to do the "get it right" step.


trollko8e (-1, Offtopic)

Anonymous Coward | about 8 years ago | (#15581104)

BSD machines As To which *BSD

again we hear of it (4, Interesting)

ajs318 (655362) | about 8 years ago | (#15581183)

Again we hear of a vulnerability and again it is one which need never have existed in the first place. We know a song about that [openbsd.org] !

It's time that access to source code for device drivers was mandated by law: if hardware manufacturers will not supply the source code for their drivers, then they simply should not be allowed to sell the product. It has to be demanded from above, because of the {false, and patently so} perception that releasing driver source code or specifications might benefit competitors: if everyone has to do it then no-one will benefit unfairly.

Now, in the case of wireless devices, there is a definite possibility that the device could be reprogrammed to operate in a different way to that for which type-approval was granted. So it should be made clear that the approval covers the hardware and software as a combination, and altering the software may cause the device to operate in a non-approved manner. Just by the general principle of "innocent until proven guilty", anyone using a modified version of a device driver would only be liable for prosecution if they actually caused undesirable interference. Anyway, this is how it works in industry: type-approval procedures are published, you can certify your own products, but if at a later date they are discovered not to meet the requirements, then it's your responsibility to deal with it.

Radio , not Radion (1)

skyh0rse (974469) | about 8 years ago | (#15581276)

Just a typo: Lots of Radion Connectivity should read Lots of Radio Connectivity

Download link + mirror (5, Informative)

qcs-rf.com (952717) | about 8 years ago | (#15581277)

lorcon info: http://www.802.11mercenary.net/lorcon/ [11mercenary.net]
lorcon d/l: http://802.11ninja.net/code/lorcon-current.tgz [11ninja.net]
airbase info: http://www.802.11mercenary.net/ [11mercenary.net]
airbase d/l: http://www.802.11mercenary.net/code/airbase-stable.tar.gz [11mercenary.net]

code mirror: http://www.qcs-rf.com/slashdot [qcs-rf.com]

Great stuff (1)

farker haiku (883529) | about 8 years ago | (#15581357)

This is why I hang out on slashdot. If you'll recall, I commented about this [slashdot.org] a while ago. Frankly, I can't wait to see the presentation and the ensuing fallout.