Forgot your password?
typodupeerror

Researchers Hack Wi-Fi driver to Breach Laptop 199

Posted by samzenpus
from the reach-out-and-hack-someone dept.
InfoWorldMike writes "Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver, reports Robert McMillan. The hack will be demonstrated at the upcoming Black Hat USA 2006 conference during a presentation by David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California. They used an open-source 802.11 hacking tool called LORCON (Lots of Radion Connectivity) to throw an extremely large number of wireless packets at different wireless cards and see if they fail. They declined to disclose the specific details of their attack before the August 2 presentation, but said it was potentially a huge hole because exploiters could simply sit in a public space and wait for the right type of machine to come into range to attack. "This would be the digital equivalent of a drive-by shooting," said Maynor. The victim would not even need to connect to a network for the attack to work, he said."
This discussion has been archived. No new comments can be posted.

Researchers Hack Wi-Fi driver to Breach Laptop

Comments Filter:
  • Great news (Score:4, Funny)

    by heinousjay (683506) on Thursday June 22, 2006 @01:10AM (#15580655) Journal
    I'm glad I still run DOS. No wireless support means I'm safe from these dirty hackers, and any sort of modern productivity.
  • Disclosure? (Score:5, Insightful)

    by MostAwesomeDude (980382) on Thursday June 22, 2006 @01:14AM (#15580668) Homepage
    I wonder why they haven't disclosed the details. Hopefully they contacted the card manufacturer in order to get a new driver prepared for the masses before they uncover the full exploit at the conference.
    • Greater problem (Score:5, Insightful)

      by Casandro (751346) on Thursday June 22, 2006 @01:26AM (#15580707)
      The problem is greater than that. It's probably not a single instance of wireless drivers that has such a bug, but in fact an extremely widespread problem.

      I am slowly convinced, that any larger piece of C(++)-Code which handles strings, has in fact at least one Buffer overflow.

      So, what will happen. The card-manufacturer might fix the bug, nobody updates, and 20 new bugs in other drivers are found, perhaps 10 of them beeing the same bug.

      What's really nice about it is that Intel recently claimed, that something like this was not probable.

      So, what's the solution?

      1. Educate your programmers about the programmers about the language they are using. Most people who write in C(++) don't know anything about how the language works. A C(++) Programmer without firm knownledge of assember on that plattform should never be allowed to write production-grade C(++)-Code.

      2. If you cannot educate your programmers, switch your language. There are plenty of Alternatives avaliable. I mean people switched to Java for no appearent reasons. If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penality.

      3. Build compatible devices. Make one standard like the old soundblaster one, or the AC97 so all WLAN-cards of a certain class are buildt equal. Then you could even build WLAN functionality into the BIOS. The code would only have to be written once and therefore would be less buggy.
      • by cloricus (691063) on Thursday June 22, 2006 @01:33AM (#15580733)
        No one will update. And I'm serious; no one .

        I've been working with end users enough at uni and work to realise the most even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced too.

        This will be a huge problem no matter how you look at it full stop.

        While on one hand I can't wait to get my hands on the sploit I'm just thinking how painful this will be unless Windows (and this is the only OS I'm worried about as most Linux and Mac users will get a new driver in their regular updates if they are effected) works out some way to force an update for all wireless drivers out there.
        • by jawtheshark (198669) * <slashdot&jawtheshark,com> on Thursday June 22, 2006 @02:10AM (#15580837) Homepage Journal

          even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced too.

          I know we are talking about exploits here and exploits should be fixed. I disagree, however, that you should upgrade your drivers continuously *without a good reason*.

          First it requires you to keep track about all driver releases of your system (if you're a network admin, it might even be many more configurations) Upgrading some point releases will probably not do much.

          Second is stability: if your system is stable with your current drivers and performs well, why would you upgrade? Upgrading drivers always jeopardizes your system. Windows might not like the driver or the combination of drivers you need. That's a good reason to standarize the drivers you put on your machines.

          Third, you need to realise that a "driver update" might not even concern your hardware device. Many drivers these days are unified. Is a point-release going to affect you at all. For example, if you have an older GeForce MX2, will the latest NVidia driver include *any* changes for you? I doubt it. It might even introduce new bugs because said driver has been optimized for a newer card and breaks compatibility with your older card. The last argument of course, brings us back to point two.

          Fourth: many third party drivers are bad as hell and the standard Windows drivers do a good enough job. For many devices, there is no need at all to install drivers in the first place. Do you really install the Logitec drivers for your standard 3-button/scrollwheel mouse? I most certainly do not.

          Essentially, it all boils down to: if it ain't broke, don't fix it.

          • Heartily agree with points 2 & 3, but I never have mod points when I need them.
        • by Anonymous Coward
          even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced too.

          That's because laptop drivers are of notoriously shitty quality. IMHO the non-upgradeability of laptops favors a "whole system" approach over more modular designs. Somehow programmers of drivers for laptop hardware seem to think it's ok to write to one specified configuration, validate the whole system and be done with it. They take all sorts of shortcuts and ignore interoperability design guidel
        • by blowdart (31458)

          I've been working with end users enough at uni and work to realise the most even the slightly geeky user will only ever upgrade their graphics card on their laptop when they are forced too.

          Well considering upgrading the graphics card would take, at the least, a large amount of disassemly and soldering on 99.9% of laptops maybe it's a good thing end users don't try ....

          More seriously a lot of the problems with laptops is that vendors, nvidia, ati, intel, et al will not ship drivers for the parts used i

          • Nvidia's OEM drivers are universal. They run on everything.

            ATI's OEM drivers are universal for desktops. They will run on laptop if and only if the laptop manufacturer pays them a licensing fee. You can use a third party tool to "unlock" the driver, or you can go in and edit the hardware IDs by hand.

            Yet Another Reason to prefer Nvidia. I used to be a big ATI fan, but I've since then learned that Nvidia really has its driver handling down, in comparison. ATI's seen massive improvements, but given how far the
      • Re:Greater problem (Score:5, Insightful)

        by Penguin Programmer (241752) on Thursday June 22, 2006 @02:05AM (#15580819) Homepage
        2. If you cannot educate your programmers, switch your language. There are plenty of Alternatives avaliable. I mean people switched to Java for no appearent reasons. If you switch to, for example, Scheme you will get a clean object oriented language without any large speed penality.


        Anyone ever heard of writing a device driver in a language other than C/C++ (or straight assembly)? I sure haven't. I mean, I suppose theoretically it would be possible, but I really don't think it's practical.

        Better to go with option number 1. Don't put up with shitty programmers, just get better ones. If shitty programmers stop getting paid, shitty programmers will stop occurring.
        • Re:Greater problem (Score:5, Insightful)

          by Casandro (751346) on Thursday June 22, 2006 @02:43AM (#15580911)
          There are lots of device drivers in other languages.

          Just think of the many DOS 3D-graphics libraries written in Pascal. Those directly accessed your hardware.

          Or think of (real) Macintoshes (not those Intel thingies). Their whole firmware is written in Forth. In fact all firmware device drivers of Macs and IBM P-Series as well as Sun computers are written in Forth, it's the "Open Firmware" standard.
          In fact, the first Forth system was a computer designed to controll a telescope. The Forth programm directly accessed the hardware, probably via an internal layer of sub-routines.

          Then of course, if you have watched TV during the 80s you have probably seen 3D graphics going through a system entirely written in LISP, the LISP-machine.

          So, why does nobody use any other language than C for that?
          Well first of all, Unix was written in C. In fact it was even the reason why C was invented, to have a platform-independant "assembler" with some very limited high-level functionality.
          The same language was also chosen for Windows, as well as Linux.
          Now the point is, if you write a device driver for those modern OSes, you will find template programms or tutorials you just fill in your code. Those templates typically are in the language of the OS, which is now typically C.
          The problem goes even further. I have seen university students studying informatics, and they don't even know a single language outside the Algol block. (=C, Pascal, C++, Java, VB...) They don't even know Forth or Lisp, let along Prolog. Some of those people have never considered looking out of their boxes into what's beyond Algol.

          I'm not saying C is bad per se. What I am saying is that C may be mathematically universal, you can do everything with it in theory, but for any given slightly more complex task it's just not suitable.
          If you are not convinced, write a little "derivation"-Programm in C where I can enter something like x^2 and out comes 2*x. Then look into the book "Programming in Prolog" and look at the examples, you will find one the deriving programm there has just a few lines. Maze-solving programms consist of about a handfull of lines plus a pine for every connections.
          Now look at C. C seems to be so broken, that not even the compilation process itself is written in C. Look at makefiles. That's a non-algol language only designed to compile C Programms. Isn't that sick?

          C is good for number-crunching, but definitely not for anything touching strings.
          • C is good for number-crunching, but definitely not for anything touching strings.

            While I can't say anything for using C with strings, the real number crunchers of the world agree that God's language is the only appropriate one, fortran.
            • by eclectro (227083) on Thursday June 22, 2006 @04:19AM (#15581080)
              While I can't say anything for using C with strings, the real number crunchers of the world agree that God's language is the only appropriate one, fortran.

              No joke. Device drivers should be written in Fortran. Because if there was any bug in the program, the device driver would never ever work in the first place. Not even partially.

              I think we have solved the problem here folks. Just remember you saw it here first on slashdot.

              Another idea - need to open source you program, but really don't want to - use Cobol.
          • Re:Greater problem (Score:3, Insightful)

            by Anonymous Coward
            C seems to be so broken, that not even the compilation process itself is written in C. Look at makefiles. That's a non-algol language only designed to compile C Programms. Isn't that sick?

            I agreed with you up to this point. Makefiles are used to compile *anything*, not just C programs, so I see no reason why they should be written in C. Further, most C compilers are written in C. And BTW, what language was your Prolog interpreter written in?

            C is good for number-crunching, but definitely not for anything
            • Re:Greater problem (Score:3, Informative)

              by CaptnMArk (9003)
              > I would say that C's biggest strength is freedom of memory management.

              The real "freedom" in C is pointer arithmetic and unchecked type-casting.
              • yes which brings you the freedom to allocate a large block to storr multipef items of the same size rather than bothering the general purpose allocator with each one. Indeed its perfectly possible to write C code that doesn't use a general purpose allocator at all.

                it brings you the freedom to cast an appropriately sized integer to a pointer to access an absoloute memory location (not used much in modern desktop development but bloody important in embedded work).

                now C and C++ aren't the only languages that c
            • Re:Greater problem (Score:2, Informative)

              by Mikkeles (698461)
              'And BTW, what language was your Prolog interpreter written in?'

              Originally in Fortran [murdoch.edu.au]

          • Re:Greater problem (Score:3, Interesting)

            by Anonymous Coward
            Given the abysmal moderating around here that '+5 insightful' tag has taught me to expect rather the opposite.
            Why dont all you Lisp, Scheme, Haskell and Java OO-fanboys get together and do it right? Go ahead, start a project on sourceforge, grab some old mobo and implement an OS for it. And while you're at it throw out the BIOS too (Assembler, YUCK!). Given the vast superiority of OO languages that should be cake, isn't it? Just imagine all the productivity gains since you never have to debug all those buf
            • Re:Greater problem (Score:3, Informative)

              by pkhuong (686673)
              Apart from the now old-school Lisp OS:
              http://common-lisp.net/project/movitz/ [common-lisp.net]
              there is someone who's working on booting SBCL cores directly with the bootloader in Forth) [it boots, but the cross-compiler has some issues]
              there's a version of smalltalk (of squeak?) that runs without any underlying OS.
              There were several lisp or scheme *chips* in the 70s and 80s.

              Also, what exactly do you see in common between Java and Haskell?

              Finally, how in the world is that comment even slightly
            • Done. (Score:3, Informative)

              by LnxAddct (679316)
              http://jnode.org/ [jnode.org]
              Regards,
              Steve
          • by bgalehouse (182357) on Thursday June 22, 2006 @06:52AM (#15581312)
            The reason that forth is such a great choice for firmware and embedded systems is twofold. First of all, it is fairly fast. There can be a lot of indirection, but it is localized to a small amount of memmory.

            Second of all, and very importantly, you can fit an entire forth development environment into a few k. Might need 5-10 on these new fangled 32 bit machines. That is the whole thing, no separate compiler, runtime libraries, nothing like that. So, in the time it takes to study the gcc source enough to start porting it to a new architecture, you can write a complete forth interpreter in assembly, burn it to an eprom, and start talking to your new architecture over a serial line.

            And as you might expect, much like C, the bare metal is open to you. ! and @ are the commands to store and fetch variables. But they don't just work for variables, they work for any address you want to pass them.

          • Insightful!? (Score:3, Informative)

            by mzs (595629)
            > Just think of the many DOS 3D-graphics libraries written in Pascal.

            The Borland libraries were written in C and assembler. They had a bit of pascal glue so that you could do graphics from TP/BP.

            > Their whole firmware is written in Forth.

            Only little more than is needed to post, for example the analogue of a VGA BIOS. Later in boot drivers provided by the OS take over.

            > TV during the 80s you have probably seen 3D graphics going through a system entirely written in LISP, the LISP-machine.

            What!? Some
        • Re:Greater problem (Score:5, Insightful)

          by modeless (978411) on Thursday June 22, 2006 @04:56AM (#15581148) Journal
          Educating all the bad programmers in the world has always been a stupid idea. It's like saying we should stop spammers by teaching people not to click on their links, or eliminate viruses by teaching people not to open suspicious attachments, or bring about world peace by all holding hands and singing "Kumbaya". It might help just a little, but it won't solve the problem. It didn't before, it isn't now, and if you can't see the future trend, you must have some sort of learning disability.

          At some point, when an entire population of users spends years using a tool wrong, you have to stop blaming the users and start fixing the tools.
        • Anyone ever heard of writing a device driver in a language other than C/C++ (or straight assembly)? I sure haven't. I mean, I suppose theoretically it would be possible, but I really don't think it's practical.

          I remember a pair of devices we had that were specalized for automation control. the windows drivers were written in Visual Basic.

          I did not know any of this until we rebult the machine by hand and after installing the drivers I kept getting an error on loadup. Calling the Vendor they said I needed to
      • mod parent down (Score:5, Interesting)

        by John Nowak (872479) on Thursday June 22, 2006 @03:26AM (#15580993)
        Since when was Scheme object-oriented? Also, as a Schemer, I can say that in most cases there *is* a large speed penalty involved, often on the order of a magnitude (or worse). It's much more of an issue if the speed hit matters than pretending it doesn't exist.

        For the record, it is also perfectly possible to write safe C code with a good deal of rigor and some basic knowledge of the platform. You certainly don't need to know how to write at a lower level as long as you understand the concepts involved and the particular features of the hardware. People do it all the time and plenty of libraries exist to enable this.

        And finally, people hardly switched to Java for "no apparent reason". It's not in the least my language of choice, but for some groups it has a distinct number of advantages over C or C++. In summary, I'm convinced you have no idea what you're talking about.
        • For the record, it is also perfectly possible to write safe C code with a good deal of rigor and some basic knowledge of the platform.

          Yes, it is.

          But neither of those are present in a good chunk of "professional" "programmers"
      • Re:Greater problem (Score:5, Insightful)

        by maelstrom (638) on Thursday June 22, 2006 @03:27AM (#15580996) Homepage Journal
        A C(++) Programmer without firm knownledge of assember on that plattform should never be allowed to write production-grade C(++)-Code.

        I fail to see how this prevents someone from using libc functions in an unsafe way.

      • Re:Greater problem (Score:3, Insightful)

        by Viol8 (599362)
        >I am slowly convinced, that any larger piece of C(++)-Code which handles strings, has in fact at least one Buffer overflow.

        Well in that case that would include all your high level language interpreters and
        compilers too and possibly the code they generate. After all , at some point someone
        has to code to the metal.

        >A C(++) Programmer without firm knownledge of assember on that plattform should never be allowed to write production-grade C(++)-Code.

        Why? If they're writing device drivers I'd agree , but f
      • Hey, this is a great flamewar. My language RULES! Yours SUCKS!

        Anyway, there is another way to lessen the impact of crappy drivers...

        Get drivers out of the kernel! Yes, folks. Microkernel OS! Treat every process as a principle and grant only the required privileges for operation of the device/application.

        I'll wait while you folks code one up for me in your elite programming language. Done yet? C'mon, I don't have all day to wait!
    • So, when do the researchers get formally indicted under the DMCA? It's a legitimate question.
      • by AHumbleOpinion (546848) on Thursday June 22, 2006 @02:33AM (#15580889) Homepage
        So, when do the researchers get formally indicted under the DMCA? It's a legitimate question.

        Contrary to the FUD spread by DMCA opponents (I am not endorsing the DMCA, merely pointing out that all sides, "good" or "bad" engage in FUD), this is perfectly legal.

        Quotes are from http://thomas.loc.gov/cgi-bin/query/F?c105:6:./tem p/~c105JANxzK:e11962 [loc.gov]:

        First we have the government exception:

        "David Maynor, a research engineer with Internet Security Systems and Jon Ellch, a student at the U.S. Naval postgraduate school in Monterey, California."

        (e) LAW ENFORCEMENT, INTELLIGENCE, AND OTHER GOVERNMENT ACTIVITIES- This section does not prohibit any lawfully authorized investigative, protective, information security, or intelligence activity of an officer, agent, or employee of the United States, a State, or a political subdivision of a State, or a person acting pursuant to a contract with the United States, a State, or a political subdivision of a State. For purposes of this subsection, the term `information security' means activities carried out in order to identify and address the vulnerabilities of a government computer, computer system, or computer network.

        Then we also have a security research exemption:

        `(j) SECURITY TESTING-

        `(1) DEFINITION- For purposes of this subsection, the term `security testing' means accessing a computer, computer system, or computer network, solely for the purpose of good faith testing, investigating, or correcting, a security flaw or vulnerability, with the authorization of the owner or operator of such computer, computer system, or computer network.

        `(2) PERMISSIBLE ACTS OF SECURITY TESTING- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to engage in an act of security testing, if such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

        `(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--

        `(A) whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network, or shared directly with the developer of such computer, computer system, or computer network; and

        `(B) whether the information derived from the security testing was used or maintained in a manner that does not facilitate infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security.

        `(4) USE OF TECHNOLOGICAL MEANS FOR SECURITY TESTING- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to develop, produce, distribute or employ technological means for the sole purpose of performing the acts of security testing described in subsection (2), provided such technological means does not otherwise violate section (a)(2).

        I'd cut and paste more but I think readers will get the point.
        • 3(A) pretty much excludes full disclosure, or even any kind of public disclosure, doesn't it? Specifically "the information derived ... used solely to promote the security of the owner ... or shared directly with the developer".
          • 3(A) pretty much excludes full disclosure, or even any kind of public disclosure, doesn't it? Specifically "the information derived ... used solely to promote the security of the owner ... or shared directly with the developer".

            No, I think you have greatly distored things with your snipping. Let's see it in context again. Note "the factors to be considered shall include", other factors are not ruled out. Regarding "promote the security of the owner or operator of such computer ...", this does not preven
            • I still think the security research exemption is pretty narrow. Note the use of the word "solely" before the phrase "promote the security of the owner or operator of such computer...". It would seem to me that if you disclosed the exploit at a 'Black Hat' conference, you would pretty much blow the 'solely promoting security' exemption out of the water.

              My reading of the exemption -- and which I believe is the safest reading, in the absence of good guidance by the courts on this matter (that I am aware of) --
        • by A beautiful mind (821714) on Thursday June 22, 2006 @07:04AM (#15581328)
          Actually, you're wrong.

          Lawrence Lessig in his book called Free Culture (freely downloadable in pdf, google it) details how is this broken.

          The researchers are able to research, but they are not able to publish their findings. So they can't share what they've learned legally. This is the difference between theory and practice.
          • The researchers are able to research, but they are not able to publish their findings. So they can't share what they've learned legally. This is the difference between theory and practice.

            "whether the information derived from the security testing was used solely to promote the security of the owner or operator of such computer, computer system or computer network"

            It does sound as if, at a minimum, you can disclose the problem to people who have that system. In an odd way it's similar to the GPL, you
        • Better to use a persistent link: H.R. 2281 [loc.gov].

          Note that you didn't post reference links, so let's examine that restricting (a)(2) section.

          (2) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that--

          (A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;

          (B) has only limited commercially signifi
          • Clearly, publishing this research would violate this clause as it is a service that is primarily designed to circumvent a technological measure, AND has limited commerical value---violating both (a)(2)(A) and (a)(2)(B).

            `(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--
            `(A) whether the information derived from the security testing was used solely to promote the security of the owner or oper
    • But attempting to update the wireless driver on my XP laptop was the one thing that invariably made it flakey necessitating painful uninstalls and reinstalls to make it happy again. If an updated driver were released I might skip it just based on the fact.

      Of course I have other problems as the power socket on my laptop is now dodgy so a unit that cost ~$4000 AUD is now useless unless I want to spend ~$1500 AUD to replace its main board all for the sake of a 5 cent socket. Time for some amateur soldering!
    • I'm guessing this is the Centrino based laptop we are talking about here. They are saying a type of laptop, not a type of card. If this is true, the fix will come, but havoc will spread. I think of my poor sister who loves her wireless laptop that only requires a push of a button to connect.

      What fun.
      • Re:Disclosure? (Score:5, Informative)

        by arivanov (12034) on Thursday June 22, 2006 @02:30AM (#15580881) Homepage
        Not necessarily.

        In order for this hack to work it essential for the wireless driver to handle at least some MAC and encryption functions in software. In that case it is available for a hit simply by the fact of being active, regardless of the connection status. Most modern cards are like this (if not all). Atheros also definitely fits the bill. In fact it is more likely to fit the bill because more bits are implemented in software compared to Centrino. So do a few others.

        As far as Centrino you are to some extent right that it is the most likely candidate. The reason for this is that it has "feature" called preassociation. It will search and connect to the strongest AP in the area even if you have set the connection inactive. It is enough to load the driver and not have the antenna off.
    • What I noticed is that they don't even mention the system(s) that they managed to penetrate. Are my linux and Mac laptops vulnerable?

      Of course, experience says that when a media article on such problems just says "computers", they are almost always talking about Microsoft software. But we shouldn't assume this, since non-MS systems have occasionally had vulnerabilities. And lately, we've read of a number of problems with "smart phones", including some not running MS software.

      Driver problems have often be
  • Base Station? (Score:3, Interesting)

    by wish bot (265150) on Thursday June 22, 2006 @01:15AM (#15580673)
    I wonder if this could be used to attack a wired network through a venerable basestation?
  • by spune (715782)
    I'm willing to put $50 down to say that affected manufacturers include my mine.
  • OpenBSD (Score:5, Interesting)

    by ivan kk (917820) on Thursday June 22, 2006 @01:32AM (#15580726)
    Helps explain OpenBSD's stance on not having blobs, they'd have been able to audit the driver code, and fix it quicker to boot.
    • Re:OpenBSD (Score:5, Insightful)

      by peacefinder (469349) <alan@dewitt.gmail@com> on Thursday June 22, 2006 @02:50AM (#15580925) Journal
      It sounds like this will be either the second remote hole in the default install for OpenBSD, or another example of them saying "Yeah, we fixed that a couple years ago."

      I'd bet on the latter.
      • Am I missing something or did you just say this bug effects OpenBSD? How the hell is that possible? The flaw was found in proprietary wireless drivers.

        • No, no, nononono. I was trying to say that it'd be a big surprise if the problem affects OpenBSD, even if every other OS on the planet is affected. Sorry if I was unclear.

          Most likely (now that I think about it more) is that the vulnerable wireless hardware is unsupported under OpenBSD, or is supporetd by a not-vulnerable blob-free driver. (Even if the OpenBSD driver is vulnerable, I'd be very surprised indeed if the problem turns out to be exploitable enough to qualify as a remote hole.)
    • Re:OpenBSD (Score:5, Insightful)

      by SargeantLobes (895906) on Thursday June 22, 2006 @05:36AM (#15581207)
      Helps explain OpenBSD's stance on not having blobs, they'd have been able to audit the driver code, and fix it quicker to boot.

      My thoughts exactly. Even if this exploit creeped in to the drivers, it'll be fixed byt tomorrow (or as soon as the ppl explain how the exploit works). Others will be waiting for weeks for a binary release from wifi vendors. And the vendors'll keep quiet about it, because they don't want to lose face.

      People call Theo de Raadt a hardass for his stance on blobs. Torvalds calls him "difficult", but in the end he's right.

      An OS that wants to be secure can't include code or grant rights to code, of whcih it doesn't know the source. How can you call something secure, if you've got a large piece of code with lots of rights and you don't know what the hell it does?

  • by cperciva (102828) on Thursday June 22, 2006 @01:32AM (#15580728) Homepage
    Ok, this might be a different bug; but FreeBSD fixed [freebsd.org] a remote kernel code execution bug which affected systems scanning for existing 802.11 wireless networks. The bug was discovered and reported to the FreeBSD Security Team by Karl Janmar.

    Security researchers have found a way to seize control of a laptop computer by manipulating buggy code in the system's wireless device driver

    Whether this is a new bug or not, it's certainly not a new type of bug.
    • http://www.802.11mercenary.net/lorcon/ [11mercenary.net] (found ala-Google)
      The stuff they have there, has files with dates going back to 2003 inside the files.
    • Whether this is a new bug or not, it's certainly not a new type of bug.

      No.. it's not, but in the article says it very clear:

      From The Article:

      Device driver hacking is technically challenging, but the field has become more appealing in recent years, thanks in part to new software tools that make it easier for less technically savvy hackers, known as script kiddies, to attack wireless cards, Maynor said in an interview.

      This vuln is for an specific driver, we still don't know what is the flaw either

  • by MarkByers (770551) on Thursday June 22, 2006 @01:35AM (#15580739) Homepage Journal
    Security researchers have found a way to seize control of a laptop computer

    They used an open-source 802.11 hacking tool ...

    Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?
    • Then you would have the problem of defining what a hacking tool actualy is. A definition inclusive enough to actualy be usefull would likely include tools that were not intended to be used for hacking and have legitamate uses.
      • by Propaganda13 (312548) on Thursday June 22, 2006 @05:20AM (#15581188)
        Hacking: to make chopping strokes or blows
        Tool: a handheld device that aids in accomplishing a task

        An example of a hacking tool is an ax or hatchet. Almost all laptops seem vulnerable to this hacking tool. One previously unknown exploit is that this hacking tool can make a wired network into a wireless network.

        Thank you and good night.
    • by Steeltoe (98226) on Thursday June 22, 2006 @01:48AM (#15580776) Homepage
      Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?

      When open source hacking tools are made criminal, only criminals have access to security.

      I thought the purpose was to find security holes and close them?

      I can only hope this is supposed to be sarcastic, but it was modded +4 interesting. With no tags or marks, over the medium it's impossible to tell.
      • I can only hope this is supposed to be sarcastic, but...

        Unfortunately, the sarcasm is that it likely isn't sarcasm.
        There is some assumption that if nobody goes looking for the security flaws, the security flaws will cease to exist.

        [sarcasm]If you don't go looking for bugs, the bugs won't exist.[/sarcasm]

        If you have a bug, the best you can hope for is for the bug to be demonstrated in a spectatular but essentially harmless fashion.
        What normally happens is that people get bit without even realizing it.
      • "When open source hacking tools are made criminal, only criminals have access to security."

        Exactly what I just said, in more words, in a letter to my local MP, about a recently passed act. Except I was talking about hacking tools in general, not open source ones.
    • by twitter (104583) on Thursday June 22, 2006 @01:56AM (#15580797) Homepage Journal
      Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal.

      That's a bad joke, please? Bad because people might get ideas. Makers of crappy devices will soon say much the same. It makes me ill.

      The real solution, of course, is to avoid crappy closed source drivers. Efforts such as ndis wrapper, while a nice, bring closed source fragility to free software. Free drivers, when broken will be fixed. Good luck getting a fix for that ancient POS you bought at the CompUSA taken care of.

      Sticking your head in the sand won't fix your closed source driver. Free tools will help find the problem. Not having the tool won't make the problem disappear and the kinds of people who would bother with a "drive by" will keep doing it despite any silly laws.

      • Sticking your head in the sand won't fix your closed source driver.

        No, but sticking your laptop in the sand might protect you from this remote exploit.
         
    • by dilvish_the_damned (167205) on Thursday June 22, 2006 @02:34AM (#15580895) Journal
      Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal. Isn't this already covered by the DMCA or do we need a new law?

      They are illegal. Not in words on paper, but in practice. Prosecutors like smoking guns, and thats how they use trivial shit. Just get yourself suspected of a related crime, and then have said tools on your laptop."Was there any evidence that the defendant used such tools?" "Yes ma'am, we found something called 'cracklib' on his laptop which is used with other tools to cracking passwords, there is no other reason for it your honor".

      I also learned one other thing that day; judges have zero sense of humor. I think its a requirement for the job or something.
    • Don't worry, our govt. is going for it, I'm sure they'll let you know how it works out :

      http://www.publications.parliament.uk/pa/cm200506/ cmbills/119/06119.27-33.html#j383A [parliament.uk]
    • Clearly the solution for stopping people finding security holes is to make distributing open source hacking tools illegal.

      I think gcc, gdb and vim all constitute open source hacking tools... Oh sorry, did you mean cracking tools? :)
  • by orospakr (715849) on Thursday June 22, 2006 @01:36AM (#15580743) Homepage
    A native code exploit in kernel space?! GASP! Nobody saw that coming!
  • Great! (Score:4, Funny)

    by Descalzo (898339) on Thursday June 22, 2006 @01:44AM (#15580767) Journal
    Now I can't use Wifi until August. Thanks a lot.
  • Once again.... (Score:5, Insightful)

    by Corbets (169101) on Thursday June 22, 2006 @01:52AM (#15580789) Homepage
    Security is an intuitive thing. I'm not saying this could be avoided, but you can bet that I've always turned off my wireless card when I'm not using it. I never heard of anyone doing this before, but I've always figured it was possible.

    Unfortunately, any bit of code that runs on your computer is a potential vulnerability. The best possible solution is to minimize what's running, and update quickly if possible... but even that isn't necessarily protection. I seriously believe that the bad guys will always be one step ahead. Makes my career in security a bitch, but at least guarantees a paycheck. ;-)
    • Re:Once again.... (Score:2, Interesting)

      by Frightening (976489)
      Have you ever tried to compromise a FC5 box with basic server-hardening and all the latest tech enabled? The implementation of comprehensive buffer-overflow protection schemes(stack,GOT protection..etc) has made it almost impossible to root certain boxes.

  • So what? (Score:4, Funny)

    by Anonymous Coward on Thursday June 22, 2006 @01:57AM (#15580801)
    What's the point of thiCan you satisfi your women? cheap meds!^D^Dexiy
  • by xav_jones (612754) on Thursday June 22, 2006 @02:07AM (#15580827)
    "The victim would not even need to connect to a network for the attack to work", he said.

    Presumably you must still have WiFi turned on though. To save battery life, mine is usually off unless I'm connected.

  • Turn it off! (Score:5, Insightful)

    by soundscape (962537) on Thursday June 22, 2006 @02:08AM (#15580832)
    A perfect example of why you should ALWAYS disable your WiFi adapter when you aren't using it.
  • by Frightening (976489) on Thursday June 22, 2006 @02:15AM (#15580845) Homepage
    So the researchers blew up the compromised laptop in a Japanese conference as proof-of-concept? Im confused.

    And that's just cruel. I mean, you fried the guy's BALLS, man.
  • by lxs (131946) on Thursday June 22, 2006 @02:27AM (#15580874)
    "This would be the digital equivalent of a drive-by shooting," said Maynor.


    In related news, 50cent wants laptops for inner city kids. [cbsnews.com]

    Mr. Cent was quoted as saying: Now you can be a victim of a driveby without ever leaving the house, how gangsta is that? Mr. Cent refused to comment whether the laptop will be available with a 1000W sound system or gold plated mouse mouse options.
  • by Timo_UK (762705) on Thursday June 22, 2006 @03:17AM (#15580974) Homepage
    Don't they have Wifi too? And I bet this is old news for NSA, Mossad and the like.
  • all things survival (Score:3, Interesting)

    by proudhawk (124895) <eric.oyen@g m a i l.com> on Thursday June 22, 2006 @03:18AM (#15580978) Journal
    seems to me like this is right out of Darwin's Law.

    In essense, prey evolves defenses to reduce predation.
    thus predators must evolve to overcome the defenses
    of the prey. same thing here.

    with the hardware manufacturers (and their coders):
    they've done the "get it working" and the "make it fast" steps.
    Now they have to do the "get it right" step.

     
  • again we hear of it (Score:5, Interesting)

    by ajs318 (655362) <sd_resp2.earthshod@co@uk> on Thursday June 22, 2006 @05:16AM (#15581183)
    Again we hear of a vulnerability and again it is one which need never have existed in the first place. We know a song about that [openbsd.org]!

    It's time that access to source code for device drivers was mandated by law: if hardware manufacturers will not supply the source code for their drivers, then they simply should not be allowed to sell the product. It has to be demanded from above, because of the {false, and patently so} perception that releasing driver source code or specifications might benefit competitors: if everyone has to do it then no-one will benefit unfairly.

    Now, in the case of wireless devices, there is a definite possibility that the device could be reprogrammed to operate in a different way to that for which type-approval was granted. So it should be made clear that the approval covers the hardware and software as a combination, and altering the software may cause the device to operate in a non-approved manner. Just by the general principle of "innocent until proven guilty", anyone using a modified version of a device driver would only be liable for prosecution if they actually caused undesirable interference. Anyway, this is how it works in industry: type-approval procedures are published, you can certify your own products, but if at a later date they are discovered not to meet the requirements, then it's your responsibility to deal with it.
    • It's time that access to source code for device drivers was mandated by law: if hardware manufacturers will not supply the source code for their drivers, then they simply should not be allowed to sell the product

      I don't buy it. First, do you really trust the legislative process to meaningfully define (for actual, real-world use in an industry moving 5000mph) terms like "device" and "driver?" It's bad enough when a judge decides to get involved in discussing what is, and is not part of an operating system
      • Source must be provided for inspection. (if we're going to have patents, there's got to be some way to spot violations, right?)

        Then we give customers certain rights in the event of an emergency (security hole in the firewall software, data corrupting bug in the business-critical database, etc.) and in the event that the supplier becomes unable to sell more licenses (bankrupcy, etc.).
        • Source must be provided for inspection

          This is already true when all of the parties involved want it to be true. Plenty of large customers (corporate, government, etc) insist on just that sort of thing, depending on the size and nature of their purchases. Contracts for that sort of access are completely routine.

          if we're going to have patents, there's got to be some way to spot violations, right?

          The patent holder is just fine scoping around for obvious violations of their patents. Do you really want
          • First of all, I don't mean escrow. I don't mean Open Source either. I mean the source is publicly available, but only the copyright holder has the right to modify it or produce derived works (such as binaries) from it. It's read-only source code.

            While this is common in software written by contract, it is unheard of for retail software. Normal consumers don't even get to negotiate the terms of the EULA. Because there is no negotiation and because the balance of power is so slanted, there is a need for the la
      • First, do you really trust the legislative process to meaningfully define (for actual, real-world use in an industry moving 5000mph) terms like "device" and "driver?" It's bad enough when a judge decides to get involved in discussing what is, and is not part of an operating system, as if such things weren't ever going to change.

        You appear to be mixing Parliament with the Courts. Beside which, it would be easy enough to provide a catch-all "if in doubt, supply the source". I think the test is something li

  • by qcs-rf.com (952717) on Thursday June 22, 2006 @06:22AM (#15581277) Homepage
    lorcon info: http://www.802.11mercenary.net/lorcon/ [11mercenary.net]
    lorcon d/l: http://802.11ninja.net/code/lorcon-current.tgz [11ninja.net]
    airbase info: http://www.802.11mercenary.net/ [11mercenary.net]
    airbase d/l: http://www.802.11mercenary.net/code/airbase-stable .tar.gz [11mercenary.net]

    code mirror: http://www.qcs-rf.com/slashdot [qcs-rf.com]
  • This is why I hang out on slashdot. If you'll recall, I commented about this [slashdot.org] a while ago. Frankly, I can't wait to see the presentation and the ensuing fallout.
  • ...about those RDMA-enabled ethernet cards?
  • by QuietLagoon (813062) on Thursday June 22, 2006 @07:56AM (#15581437)
    ... is starting to look a lot better [kerneltrap.org] every day.
  • Announcing this NOW but delaying the actual results until AUGUST will just mimic the "Patch Tuesday" effect only in spades.

    The real black-hats who were working on other projects will read this, shift gears, and reproduce the attack within a week or so even without any more details.

    A more responsible solution would be to either wait until a patch was released, or if the companies dragged their feet about it, give the companies a month or two's lead time then publicly announce the paper's release along with a
  • And I thought the remote hacking in "Splinter Cell: Chaos Theory" was far-fetched...

My idea of roughing it turning the air conditioner too low.

Working...