WiFi Driver Attack

In this attack, you can seize control of someone's computer using his WiFi interface, even if he's not connected to a network.

The two researchers used an open-source 802.11 hacking tool called LORCON (Loss of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorized software when they are bombarded with unexpected data.

Using tools like LORCON, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).

The two researchers declined to disclose the specific details of their attack before the August 2 presentation, but they described it in dramatic terms.

"This would be the digital equivalent of a drive-by shooting," said Maynor. An attacker could exploit this flaw by simply sitting in a public space and waiting for the right type of machine to come into range.

The victim would not even need to connect to a network for the attack to work.

No details yet. The researchers are presenting their results at BlackHat on August 2.

Posted on July 6, 2006 at 1:52 PM • 21 Comments

Comments

SpacialJuly 6, 2006 2:33 PM

The old proprietary driver software....

if these drivers were open sourced....

Alice McGregorJuly 6, 2006 2:48 PM

"if these drivers were open sourced..."

Then the flaw would likely still be present. The only difference would be that it might be patched sooner.

Chase VentersJuly 6, 2006 2:51 PM

@Alice

No, not really. OSS developers intentionally subject their own code to more scrutiny because it's otherwise humiliating when you're asking a project leader (say Linus) to merge your buggy code.

And code _does_ receive community review before being merged into the kernel (at least in the case of Linux).

Alice McGregorJuly 6, 2006 3:02 PM

To elaborate: Open Source software (software written with the philosophy of sharing code and user contribution) is not inherantly more secure than any other software, in fact, as the code is available for public perusal it may be -less- secure. The rate of change in open source projects is also highly variable, so the flaw may never be patched (dead project) or might be patched within 45 minutes (several famous bugs in very active projects).

The theory that every individual brings his expertise to the table is good, if there are enough individuals. Many are single-person or small-team projects, which get rarely updated. In the case of ndiswrapper, a popular wifi driver compatability layer for Linux, it uses the Windows driver DLLs and thus exposes Linux to any security flaws inherant in that driver software - all written by commercial developers.

BrianJuly 6, 2006 3:07 PM

Linux wireless support has been and remains a bastard stepchild, for several reasons. The main reason is that wireless is mostly interesting for laptop computers, and linux is mostly interesting for server computers. Because desktop linux is still fairly immature, so is the wireless support.

Because few linux computers are running wireless, few security researchers have paid attention to the linux wireless code. They want to make the news, so they shoot for a big target.

So before you even look at the linux wireless codebase, it has two strikes against it:
- it isn't used as much as the windows code.
- fewer security researchers have studied it.

Once the details of these attacks are published, you'll see more people taking a close look at the linux wireless codebase. And I bet they'll find security issues in there.

AnonymousJuly 6, 2006 4:00 PM

@alice

"Then the flaw would likely still be present. "

Not true. Open source developers and respective projects are not all the same. Different coders have different coding style.

BLPJuly 6, 2006 4:05 PM

@Brian:

However, since the person patching the linux driver is also the person using it, as soon as you identify a security problem to them, they will likely fix it sooner rather than later.

If you tell someone they have a flat tire, they usually do something about it. The tire company usually doesn't.

BaptisteJuly 6, 2006 4:16 PM

"Because desktop linux is still fairly immature, so is the wireless support."

So do I use it for desktop for almost ... ten years, as I use Mac OS X, or Windows systems.

I do strongly disagree with you statement and from one person to another, this opinion varies.

The main reason not to have a complete wireless support in Linux (and other OSS UNIX kernels/systems) is that device vendors do not release specifications, and some hacks (not all clean) have to be made, such as reusing the Windows driver ( as a DLL) under Linux.

The problem is a device specifications not published, not a maturity problem of GNU/Linux or *BSD OSS for the Desktop. Whatever you or I might think about this maturity topic.

arlJuly 6, 2006 4:18 PM

For one thing Linux still makes use of Blobs in their drivers. Software provided in binary form by the vendor with no source code. Not a good thing if you need to patch a problem.

maxJuly 6, 2006 4:23 PM

""Then the flaw would likely still be present. "

Not true. Open source developers and respective projects are not all the same. Different coders have different coding style."

While there is some correlation between number of bugs and coding style, unfortunately, good style does not prevent all the bugs. Not even close. Tons of testing is still required. Do all OSS projects have dedicated QA? Probably not. So, the bugs would be in the Linux drivers as well. You can never be reasonably sure that there are no security flaws in something, unless this something was heavily pounded on with the specific goal of finding such flaws. Up until now nobody thought about breaking into machines through wifi drivers, so there was no research. Now that the idea was brought to light, there will be flaws found (and hopefully fixed) on all platforms.

Also, I think that in this day and age, when most hackers are taking computers over by the tens of thousands, this attack vector would be not that dangerous for the "average joe" (the attack does not seem to scale well -- you can't build a decent botnet by driving around and trying to find victims with specific versions of chipset and drivers).

Johnathon TiemanJuly 6, 2006 4:24 PM

I think everyone has missed the point about open source software. It is not written better (or worse) than commercial software, nor is it more or less secure. Open source software is about choice. With proprietary drivers, the only way to get something fixed is through the good graces of the company. With open source drivers, you can fix the problem. Or, if your not particularly computer literate, you can ask (or pay) someone who IS computer literate to fix the problem.

hggdhJuly 6, 2006 4:49 PM

We got sidetracked. The news -- not at all surprising -- is that successful attacks have been performed against wireless drivers, not that Linux is better/worse that this or that OS, or that OSS is better/worse than this or that closed-source.

The only good thing in this is that different drivers may have different (or no) failure points, so we may survive a bit longer (for example, I am writing this on my Linux laptop, connected via Ev-DO).

Yes indeed. Previously we have similar attacks against cable-based network interfaces.

Took some time for someone to think of crossing over to wireless, did it not?

WooJuly 6, 2006 7:09 PM

@hggdh: When was the last attack that someone did against a certain network card or modem driver?! The only attacks on cable-based networks were targetting the IP stack or other OS implements, unrelated to any network card driver. Attacking the hardware drivers itself really is a new direction.
If you know any examples about attacks on network card drivers, please post.. I don't seem to recall any.

TomJuly 6, 2006 9:56 PM

@Woo -- yes, but remember, the attacks were against more technologies than just Linux (or open source) wireless card drivers. While the debate could rage on for quite some time whether a proprietary or open-source model leads to better code or quicker patches, I think the point we shouldn't forget is that they new attack vectors exist.

In general, love it or hate it, enough people are now using Linux on their laptops (me included) that it warrants more thorough testing of the wireless drivers (all technologies) to remove these possible attack vectors. I'd say the same thing about proprietary drivers, but I can't control that. It can be debated whether Linux is ready for the desktop, but that's the beauty of open source code ... if it doesn't meet your needs, don't use it. There is no reason why the open source drivers can't be better and more secure than the proprietary counterparts.

AnonAgainJuly 6, 2006 10:18 PM

@Woo: The reason attacks generally haven't been performed against network drivers in the past is that an attacker has little control over the input to the driver. Furthermore, the network card and driver, in tandem, essentially just pass frames through without introspection.

Wireless drivers are different - a wireless driver has to massage the packets pretty heavily before it passes them on to the network stack. Take WEP/WPA for example - that's mostly handled within the wireless driver, if I'm not mistaken. There's a lot more room for error there. Hence, wireless drivers are a lot more vulnerable to attack, simply because they *do more*.

Pat SutlawJuly 7, 2006 5:48 AM

"Linux wireless support has been and remains a bastard stepchild"
"Because desktop linux is still fairly immature, so is the wireless support."
One of the reasons that Wireless Linux is less mature than Windows is that some WiFi chipsets manufacturers do not release information about how they work. Also WiFi chipsets seem (to me) to be updated relatively frequently. If your are buying WiFi hardware for Linux, it really pays to check support and compatibility before parting with your cash.

"Take WEP/WPA for example - that's mostly handled within the wireless driver, if I'm not mistaken. There's a lot more room for error there. Hence, wireless drivers are a lot more vulnerable to attack, simply because they *do more*."
I use an old D-Link WiFi router. According to the web, my model is prone to lockups etc. Mine is rock solid. It's maybe no coincidence that I disconnected the antennna and just used CAT5 connections. Not a very scientific theory I know but it fits the "they do more" theory.

DejaVuAgainJuly 7, 2006 8:16 AM

If I recall correctly, last time this came up somewhere I suggested it might be worth trying to find security holes in the device firmware itself (particularly on some of the older devices which have a lot more of the functionality in firmware).

If it has direct access to host memory, that'd be enough; if it's a USB device, would-be hackers would then need to find some sort of driver security hole as well (possibly something not remotely exploitable that'd otherwise require them to connect a custom USB device).

Charles C. HockerJuly 7, 2006 10:25 AM

And this exactly why OpenBSD refuses to support vendor's blobs.

bpAugust 7, 2006 4:17 PM

@Alice

"Then the flaw would likely still be present. "

True. At least in this case. The exploit here deals with how people impliment a part of the standard. And most chose the quickest and a simple way of writing that portion. It just so happens to be exploitable.

Just because you have 1000 people looking over OSS code, does not make it more or less secure. Granted, in most cases it should.

This driver hack can be used in all OS's, because all of them used similar logic in following the standard.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..