So, like I said, I'm David Maynor and this is Johnny Cache. We're going to be talking about device driver security. You may or may not have heard something about our presentation at Black Hat, but we're basically doing the same presentation. In the end we're going to have some specific questions we've gotten from the Mac community that we're going to be answering about the stuff we did. So we're going to start off with... nifty, I'd like to point out this presentation is being done on a Mac. Wireless is off.

So we're gonna be talking a little bit, like I said, about device driver security. It's a very great topic now. So, as I've told other people this week, the way we feel about this is: operating system vendors like Microsoft, like Apple, Linux distributions, FreeBSD, OpenBSD, these operating system vendors are getting much better at actually hardening their operating system, and you're not seeing as many default attacks. I mean, for instance, the Zotob attack you saw last year wasn't nearly as bad as, like, my... or any of the other ones before it. They're actually getting better at hardening the operating system. So as an attacker, and I'm assuming there's no attackers in this room because, no, that'd be bad, but as an attacker you have two choices. You can either go up to the application layer, which, you know, would be like SQL injection attacks, PHP file include attacks, or you just send somebody a file that's like, "This is a virus.
Please open it." You know, that would be going up. Now, going down is something that we've been talking about for a little while, but now it's only becoming more applicable. Device drivers actually, unbeknownst to a lot of people, handle a lot of unchecked remote data, actually. So if you actually go and look at the device drivers on your systems, you have device drivers for, you know, USB and FireWire, you have device drivers for your networking stack, you have device drivers for your networking cards and stuff, you have device drivers for your wireless cards, you have device drivers all over the place that will allow people to take, basically, untrusted input.

So what are the problems with some of this device driver stuff? Speed to market is so important. Does anybody in here have an 802.11n card yet? One guy. Oh, I have one too, but it's for a whole different reason. So, you know, say in... no, all right, never mind. One of the things about 802.11n, you'll notice now you can buy things like 802.11n draft cards. So basically what that means is the spec's not quite finalized, so you're able now to buy something that, you know, conforms to what the spec currently is, and if they change the spec later you'll have to, you know, flash the firmware in your card to get, you know, the new stuff. And people are doing stuff like this because there's a long-held belief in the computer industry: first to market wins. So speed to market is very important. So in your rush to get things out the door and be the market winner, some things just don't get tested properly, and that's where we come in. Most of the testing, and most of the stuff we found, has been tested using fuzzing techniques and things like that, and there's a lot of already good tools available for that, for instance.
Scapy is a great packet creation library. It's got a fuzzer built in; you can actually write Scapy scripts that will automatically fuzz stuff, and you can do raw wireless packet injection with this. It's pretty cool. And new hardware and committee-designed protocols are especially susceptible. We're not big fans of things that are done by committee. I mean, could you imagine having to go to the bathroom and have it be approved by a committee? "Do you really have to go? Are you sure you have to go? How are you gonna go? Please hold your hand, you know, like this while you're going." So, you know, the problem is that, you know, with the committee-designed stuff, a lot of stuff gets left out, like security's not a very large part of most committee stuff.

So although what we're talking about, you know, primarily, to me, is like 802.11 a, b and g stuff, the thought process, and that's one of the most important things that kind of got drowned out in a lot of the stuff we were doing this week, the thought process and how you find these problems, how you fix them, can be applied to a lot of different things like Bluetooth, new 802.11 specs like 802.11n, and new wireless data stuff like EVDO and HSDPA. I myself am an HSDPA user.

So have device drivers had problems in the past? Why, yes, they have. Here's three good examples. I used to be with a company called Internet Security Systems, and a gentleman there named Neel Mehta actually found an off-by-one in tcpip.sys. That's a pretty heavily used device driver.
I don't know how anyone else feels about it, but, you know, I feel it's pretty heavily used, and it's also actually pretty heavily audited, you know, the last 10 years. So, you know, for somebody, you know, last year to find, you know, a new off-by-one in IP options, that's just showing that the ground is pretty fertile. You know, just earlier, over in a month of the Microsoft Super Tuesday, there was a srv.sys vulnerability that came out, and this was actually also in a device driver. And strangely enough, there's also the FreeBSD Wi-Fi integer overflow. It's actually in Wi-Fi, which is kind of what makes it relevant to this talk, but, you know, there have been... Yay! Awesome, can I shake your hand later? That's pretty cool. Have you tested that on any other systems? Have you tested that on any other systems besides FreeBSD, right? All right, so... "Has the FreeBSD Wi-Fi integer overflow been tested on any other systems" was kind of a joke, but apparently I was the only one that got it. So... say again? Oh, NetBSD was also vulnerable. So if there's any FreeBSD die-hards, don't feel like I'm exclusively pointing out a FreeBSD problem. It was, you know, a more widespread problem.

So yeah, okay, there have been device driver problems in the past. If you think they haven't been, you know, do some research. Google is your friend. Don't ever believe anything I say; you know, go Google stuff. So strangely enough, Intel, you know, this past weekend, released a lot of driver patches for, just... work, okay, 130 megs worth of patches. Is that a patch? I mean, how big is a compiled Linux kernel? I remember when I downloaded Slackware for the first time, it was smaller than that. But, you know, they fixed a lot of problems in... remote code execution, it says it right there. So, you know, these kinds of problems in wireless drivers, you know, they are real, they happen. So now this is where John starts talking.
I'm gonna go back to text messaging people. Okay, so Dave here is the really brilliant kernel level ring zero payload ninja exploit guy, and I'm the 802.11 guy. If I hadn't met Dave, the demo would have been, "Here's a Windows box. I blue screened it with EIP. Now what the hell do I do?" I had no idea. So I'm gonna talk about... yeah, somebody called us a fantastic hacking duo in a blog, that was great. Anyway, so I'm gonna talk about 802.11 and why 802.11 in particular is susceptible to these things lately. The biggest reason it's so susceptible is it's just so complicated, so I'm gonna talk about why it's so complicated and maybe what we could do to fix it, and the direct consequences of it being so complex are that (a) you can fingerprint it and then (b) you can exploit it.

So why is it so complicated? My friend Warlord, I think, said this, though somebody else might correct me: fear leads to anger, anger leads to hate, and hate leads to protocols designed by committee. Maybe it's protocols designed by committee lead to hate. It's just too complicated to get a bunch of guys in the room and have them do it right. Maybe the guys could get together and elect the smartest guy, but you don't want more than, like, two people doing this, I think. So why is 802.11 so complicated? Well, partly it's too ambitious. Partly it's attempting to deal with the general problems that wireless networks have to deal with that wired ones don't, which are obviously hidden nodes, unreliable links and other networks on the same channel. I mean, those happen all the time; it's just the nature of wireless. And so that adds legitimate complexity to the problem they're trying to solve, and so, you know, they have to put stuff in there for that, but there's a lot of extra fluff. So can we fix it?
I say yes. All it costs is standards compliance. Basically, I feel like you should have the option at least to ignore management frames. Management frames are the ones that everybody uses to kick you off a network and crack it. So here's a good question: if it's your home network, you know, you've got a little access point, how often is your network gonna legitimately kick you off? When is that a feature that it does do? It doesn't, except when it reboots. So every time you reboot your router, like, cleanly shut it down, not just pull the power, it'll probably de-auth you. Is that really a useful feature? So I think the number of management frames used to, like, break things versus actually accomplish stuff, it's not worth it. You should be able to ignore them. There's some control frames that can cause problems. These are harder to ignore; they're more low level and they're related to keeping networks on the same channel from interfering with each other. And remove the extras, and here come the extras later.

So why is all that interesting? Because complexity is a hacker's best friend. If it's not complex, then somebody didn't mess up, and if somebody didn't mess up, we've got no bugs to exploit. And 802.11 is not lacking in complexity. So just for a quick comparison, I'm gonna compare 802.11 to Ethernet. Ethernet has three fields: source, destination and type. I'm willing to bet if I put 14 bytes up there and said it's an Ethernet header, a lot of people in the room could parse it. 802.11 has a version, a type, a subtype, eight flags, one, two, three or four addresses in different spots, a fragment number, a sequence number, and that's in the header. After that, we've got stuff that's not in the header but just as important: you've got positive acknowledgement, and 11 management frames, six control frames, lots of subtypes for each of them, and then as soon as you turn on encryption it adds more fields, initialization vectors and MICs, etc. And so there's still more stuff thrown into the standard.
There's ad hoc. How many people here have used an ad hoc network to do something useful? Raise your hand. Okay, so, like, that's more than Black Hat. Black Hat, it was like, I don't know, three people. So this is like, I don't know, five percent, less than five percent. Okay, power saving is a feature in there that I actually feel is probably worth having. It lets cards essentially turn themselves off and say, "I'm gonna turn my card back on in, you know, ten seconds." Well, a smaller time frame than that, but you get the idea. So the card can tell the access point, "I want to sleep. I'll be back in ten seconds. Store any packets for me and I'll pick them up later." So that adds some complexity, but it's at least accomplishing something useful; it saves your battery. Two types of media access control, PCF versus DCF. PCF stands for point coordination function; DCF is distributed. Basically, DCF is Ethernet over wireless, is the easiest way to think about it, and if DCF is Ethernet, then PCF is token ring. You can bet people are really rushing out the door to push token ring over wireless, right? I mean, this isn't... you don't have to actually implement that to get certified, but it's still in the standard taking up a ton of pages, and it actually takes up some management frames too. So those bits are forever reserved for something that I don't think anybody implemented, ever.
802.11e quality of service, that's so you can do video conferencing over your access point. Now I've got to ask you: so you've got quality of service on your access point, so your teleconference gets ahead of your FTP session or whatever, but what happens when it hits the back end wired connection? It goes out your Ethernet jack. Does IP or Ethernet care about those quality of service bits? No. So if you're trying to video conference with somebody on the same access point, you're probably doing well, but they're, like, a hundred feet from you. And I'm pretty sure that's going into the standard, and that adds a lot of complexity right there. And finally, just to show you what these crazy standards guys are thinking of, this isn't going to make it in, I really hope, and I'm not on the committee, by the way, you could probably guess that, but somebody told me at an 802.11 committee meeting it's been proposed: geolocating. So this is layer two of your network card basically trying to tell the access point where you are, or the access point having it figure out, like, your coordinates, either GPS or some other coordinate system, so you know where you are relative to other users in the network. What does that have to do with getting packets from A to B? Absolutely nothing. But that's what these people are thinking.

So what do you get if you remove all the extras? I called this 802.11 minus minus. Dave here came up with a much more marketing-friendly term: Wi-Fi Lite. So let's call this Wi-Fi Lite. If you remove all the extras you get a Nintendo DS. It has no Wi-Fi certification. It's nowhere near 802.11 compliant. It ignores the deauth and disassociate frames, and it looks like it ignores a lot of other control packets as well. Works great. Yeah, and Nintendo doesn't pay me; in fact my wife was annoyed that I had spent $120 on a DS for research.
I tried the same thing on an Xbox, because they have wireless cards, right, and she was like, no. Anyway, so this works great, but it probably doesn't roam very well. Who cares? How many people roam on wireless networks? Let's have another hand-raising thing. How many people have a network that they roam on? Okay, something like ten people in the room. So a lot of the complexity in these protocols is there for the ten people in the room who want to roam and the five people in the room who have ad hoc networks. And I'm not saying that you shouldn't have the ability to do it, but you should have the ability to turn it off, because that's where most of the bugs are: in things that you don't do every day. I mean, think about it. Everybody here's on wireless networks and your boxes don't get crashed and owned, right? So your boxes are capable of moving data packets and getting you online. So if you could just take that bit of code that's doing that and strip out all the extra crap they threw in, your boxes would not get crashed or owned. So if you could just turn those things off, that'd be great. You can't do it, though. So anyway, on to fingerprinting 802.11.

Why bother? Obviously, if you've got a pocket full of wireless 0-day you could target your exploits. Wireless IDSs could use this to monitor chipset and driver use. So, for example, a good scenario is a company issues you a laptop and they say, "Okay, you can only use our hardware, not your home laptop, because you've got all sorts of crap installed on it and it's already owned." Okay, I can't really enforce it; at least most people can't. So this will let you go, okay, fingerprint the box they give you, keep track of it whenever you associate, and if it's changed, then they just don't let you on. Now, that's obviously not foolproof. An attacker could just go, "Okay, they got an Atheros card, this driver.
I'm gonna put it in my laptop and I'll get on the network." But it's, you know, a start. And finally, you could use it to refine OS fingerprints if you're having trouble. So why is this cool? Well, I think it's cool because I don't know of any other link layer protocol fingerprints. Can't fingerprint Ethernet, right? It's just three bytes, or three fields. So why is this possible? Well, like I've been saying, it's because of the complexity of the protocol. So when I first started trying to fingerprint these, it was like, well, how far down could you go? The easiest thing to do is get the chipset or the chipset family, you know, Atheros, Broadcom, Centrino. And then after that there's the different chipsets, you know, there's an Atheros 5212 versus an Atheros 5211. And then there's distinct drivers for the chipsets. You know, this has a Broadcom card in it; so do Windows boxes sometimes. So they've got different drivers, obviously. And then finally, can you tell different versions of the same driver? Now, if you could tell different versions of the same driver, that is really what you want if you're going to be targeting exploits, because your return address might change, or you're going to overwrite something else and you really need to know that. So that would be ideal if you want to own something. And finally, maybe you could fingerprint firmware. I didn't really look into it because people are just not putting much in firmware anymore.

So I came up with three specific types of fingerprints; two work, one doesn't. I talked about them at Black Hat. I don't have time to do it here, unfortunately. I'll show you the one that is cool and works, and I gave a live demo at Black Hat.
You can ask people, it did work. I'm very proud of that. The reason it worked is because I had an hour and a half of lunch before my talk to come set up everything and debug the hell out of it, and I didn't have that today, and we're short on time, so I can't do a live one, but I'll show you how it works. And basically the duration stuff I'm going to show you lets you get down to the device driver version in some cases. That's really cool. So duration analysis: totally passive, very accurate and easy to automate. In fact, it's already automated and works.

So to understand this, basically I've got to tell you what a duration is. It's a 16-bit field in every 802.11 data packet and lots of other packets. If you don't have it, those are weird ones. Anyway, the duration is a 16-bit field that says how long do I need the air after this packet, because by the time you read this you've already seen the packet. You've got this packet, and the intent is, okay, so I've obeyed the rules of the media access control, I've won the random backoff and I've got the air. Now I'm going to send a packet to my buddy Dave over here, right, and it's probably a data packet, and 802.11 data packets are acknowledged, and you don't want Dave to have to, like, win the battle for access control. So I'm going to send a packet to Dave, you guys are not going to get on the air, and he's going to acknowledge it back, and then somebody else can try to get the media. So that's the major motivation for this. And so there's a couple of obvious values for this. The time would be zero for packets that aren't acknowledged, broadcast packets for example, and it would be however long it takes Dave to acknowledge me back; that would be another likely one. So there's really only a few discrete values for this that you would likely see, 16, 20 or so. So what influences this?
Obviously, the rate that you transmit packets at is very important; if Dave talks faster, then it doesn't take as long. Also, along the long road of standards compliance, a few optimizations have been built in: short slot time and short preamble. It's not too important; it just affects the duration. So if you want to fingerprint somebody on an access point, you've got to know the rate, the slot time and the short preamble.

So I'm going to get into an example Atheros fingerprint right here. Atheros cards, I like them; they seem to follow the standard pretty well. What this shows you is, the association request row, for example, says that an association request packet from the Atheros card uses the duration value 314 100% of the time. Probe requests are 0 97 percent of the time and 314 3 percent. Why? I have no idea; that seems really strange to me. You'd think they'd be deterministic enough that it always uses the same value, or maybe it alternates for some reason, but 97 and 3. And there's a couple of others; it's the same idea. Here's a Prism one. Prism cards are older, if you didn't know. People are still struggling to implement the standard, and it's really obvious here in the authentication packets. You see the duration value of 53389. That's a really long time. In fact, that's an illegally long time; any duration value greater than 32767 is supposed to be ignored. So this card sends numbers that are absolutely wrong. And so if I gave you a packet capture and I said, oh, it has these numbers, is it an Atheros or is it a Prism? You could probably tell. Similarly, I wrote a program; it does the same thing, it can tell. Here's an example. I can't stay on these slides for too long because we're short on time, but here's a realistic example that I tried. I know it's kind of small, but I couldn't fit it, so I'll try to talk over it pretty well. This is me telling my program...
I'm looking at a pcap from addresses 00:0a:95. I pass it the path to the pcap, and then I tell it the print database. So I had to tell it, okay, this came from an access point with this rate and this slot time and so on and so forth. And you can see that the first card listed is a Broadcom mini PCI. Well, this actually came from my PowerBook, so the Broadcom mini PCI is not the right card, but you'll notice that the top three cards all have Broadcom chipsets, so it's on the right path. And in fact the score for the Broadcom mini PCI was 79 and the score for the AirPort was 78, so they were very, very close.

So if you were to repeat this, and note that the AirPort Extreme card is one deep in the list, across all the cards I have on a database with three different samples from each one, you would get numbers that look like this. S1, S2 and S3 correspond to three unique pcap samples from a given card, and what a zero in that column means is the card was on top; a one means that the card was one deep in the list. So the row with a five on the left is actually the pcap I just showed you, the AirPort Extreme one, and it was one deep. And basically, that's getting it right an awful lot of the time, which is good. So how's it work? I have five algorithms.
I'll briefly go over one, the kind of boring one, I suspect, to most people. Basically, you look at the duration values, treat them as a set, take the intersection, subtract the probability of seeing them from each other and return one minus that. This basically says card A uses duration value, say the legal one, 52269 or whatever, like, a lot of the time, actually a hundred percent of the time in authentication packets, and another one uses it, like, never. Okay, so those don't even make it in this, but if they use them a hundred percent of the time and one percent of the time it still would be close to zero. And if you do that, you do 10 times better than random. If you take into account the packet types for the same ratios, it's 21 times better than random. At this point you're well past chipset level resolution and you're probably getting device drivers. And finally, at this level, you get to do 23 times better than random. This is if you combine the two techniques, and that's good. That's you getting the right chipset and device driver and probably the version. So, oh, just a quick real-time demo of this. So here's a program.
I'm going to try to match a pcap I captured previously of a vulnerable Intel driver, you know, the one they patched three days ago with 130 megs. So, yeah, that's a patch. Anyway, so here's the pcap from an Intel vulnerable driver, and you can see, or maybe you can't because I can't make the font big enough, but I tried, is that up on top it's the driver from Intel that's vulnerable. Now, if I was to run this program again on a patched version of the driver, the patched driver comes out on top. So this is an example of the program actually being able to distinguish same chipset, same device driver, different version, and that's exactly what you want if you're going to exploit something. So with that out of the way, I'm going to hand it over to Dave, and he can talk all about his ring zero.

It's just not going to be that much, but we're going to be talking about ways to find bugs just a little bit. I mean, this is all standard stuff: static auditing, your binary analysis and your source code analysis. The problem is most people don't have access to source code. So when I've gotten stuck in the past on reverse engineering particular device drivers, you know, it's always good to grab an open source version of the driver and take a look at it. It gives you some clues to what's going on. And of course fuzzing. Fuzzing is how we found most of this stuff. Like I said, we were looking at, you know, built-in wireless cards, already part of the cards, embedded devices and access points. The things to think about: fuzzing can be frustrating, and a bug can be triggered by something eight packet chains ago, and, you know, it's really hard to track down stuff in kernel space. I mean, if you've ever had to track down why something crashed in the kernel, it's not all that easy sometimes. I mean, you'll find, like, an exception handler or something like that that's been tripped.
But, you know, sometimes finding it, especially if you do an overwrite, you destroy most of your stack information. So that's somewhat hard to track down. So this is actually John's... John and I each wrote a fuzzer, and this is John's fuzzer. Yeah, mine is not nearly as smart as his, but I'll talk about it very briefly. Basically, the fuzzing laptop has three interfaces. It's got an Ethernet interface and two wireless; one wireless interface is out there fuzzing, obviously, and the other one is sitting there just monitoring the air. Basically the way it works is that it pings a host that you're trying to fuzz on the wired side. It says, "This is up. Great. I'm going to fuzz the hell out of it, hopefully." And then, okay, fuzz fuzz fuzz, ping the wired side. Is it still up? Yeah, damn. Okay, I'm going to go fuzz something else. And eventually it'll ping something, fuzz it, ping again and it's down, like, great, I just crashed it. So then it's going to take all the packets that it logged on the passive monitoring interface, write them out to a pcap file and put an entry in a log file. And the packets it's sending are not smart at all. In fact, the fuzzing program has very little grasp of the 802.11 protocol. Basically, it's putting on a header that knows where it's going and that's it. There's just random bytes after it of random length. So it's not very smart. This is not something you run, you go get a coffee and you come back and you've blue screened. This is something you run before you go to bed, you wake up, and you have a room full of crashed laptops, hopefully. So that's how this one works. It's not as smart as Dave's. Oh yeah, and here's a myriad of command line options, which I don't even remember. This is actually notes for myself.
So I want to go back and run it later. So I wrote white buzz; whereas John worked specifically on trying to manipulate, like, just individual packets and things like that, the fuzzer I wrote not only will manipulate the individual packets, it'll actually chain bad packets together or send things in an out-of-order or unusual request cycle. I was trying to find... you know, it's not just a single packet that's going to cause some of these crashes. It's actually what we call a packet chain, or a long chain of events, that will lead up to it.

So that leads us to shell code. Most times when you write shell code, you're looking for, you know, what we call, like, the connect-back shell, you know, the return shell or something like that. So actually, with a lot of these things, you're attacking something that's not necessarily on the network with you, or something like that. One of the things that's hard to do is actually get the connect-back shell, because you don't have an IP address, and you need an IP address to do bi-directional communications. So most of the useful shell code for ring zero bugs like this is going to drop off a bot or something like that and let that run, and then at the next convenient time phone home. Shell code executed at the kernel level: most generic overflow protection tools, like, you know, checking to see if the shell code page is readable/writable, you know, these third-party tools from companies like Cisco, intercepting things like that, most of these don't cover kernel space that well because they'd take a huge performance hit. And so, you know, that leads to being able to execute things pretty well, although you have to be careful of a lot of things, especially, like, NX protection when you try to execute things in user land. So that leads us to a demo, and our demo is actually a video. Has anyone seen this
video yet? One person. Two people. Oh, one of us, my boss. So, it's... my mommy likes it. So I have to hold the microphone up to the... oh, we have audio, never mind. I don't have to illustrate this one. Comment over this one? No, I don't mind. There, right. John has Apple food. It's a very wet sound.

Hi. My name is David Maynor. I'm a member of the research team here at SecureWorks, and on behalf of myself and my co-presenter Johnny Cache, I'd like to take a minute and show you a demo of something that we wish we could be doing live in Vegas, but due to security reasons we can't really. So what I'm going to be doing is I'm going to be using this machine as an attacker, and I'm going to be bringing in another machine, boom, that we will be using as the victim. Don't think, however, just because we're attacking an Apple, that the flaw itself is in an Apple. We're actually using a third-party wireless card; that's a USB wireless card. So normally for this attack to work, you do not have to have the victim associated to an access point or authenticated in any way, but for the ease of this demo this machine, this Dell, will be acting as a wireless access point with the address of 192.168.1.1, and this machine will have an address of 192.168.1.50. The attack will be launched from here. It will manipulate buggy code in the device driver on this Apple. This Apple will connect back to the attacker with a shell, at which time I'll have complete interactive access. So there's a couple of steps required in setting this up. The first part is turning this laptop into an access point. I do that with... that's actually not my portion, by the way... setup.sh.
This will actually create an access point called sw apple demo, and we'll make this a wireless access point, and then we will connect the Apple to it. So let's run that script and connect to sw apple demo. We have an IP address of 192.168.1.50. Now what we do is we run the exploit, called bad seed. This is actually what it looks like; this is the help screen for it. And now we will run it against the target machine. It takes a minute or two to run. It's preparing the shell code for return; it's getting the connection information for this laptop; it's now sending the attack, waiting for a response. It got a shell. Now I am interactively logged into this machine. This place for reactions is awesome. I'm looking at the files in that home directory. So what I'm going to do first is create a file on the desktop called owned, o-w-n-e-d, dot txt. As you can see, it was created right there, and now I want you to read it. Further proof: it's gone. We can open the shell, and we can go onto the desktop. We can create a file called password, and in the file I'm putting "This is a secret password!" I like to use exclamation points, as it's actually a secret. There it is, created on the desktop. I'll come back over here. There it is: cat, "This is a secret password." And now we will delete it, and it's gone. Where did this go?
This concludes our presentation, but if you're still not convinced... geez, I'm fat, you know, after this I should take a couple of laps around the table just to make sure there are no wires attaching the two devices. And just create a file on the desktop called "I walked around.txt". Then I walked around more, and I just deleted it. The thing to keep in mind here is, although we attacked an Apple, the flaw is not specifically in the Apple operating system, as we used third-party hardware. This type of flaw will be systemic across all operating systems and hardware, and the only way to prevent it is proper testing. Although this flaw can lead to a remotely exploitable condition, it's not as trivial as a generic buffer overflow. On behalf of Johnny Cache, myself, David Maynor, and the SecureWorks research team, thank you for watching.

So, I don't know if you guys know this or not, but Mac users love their Macs. So I'm a Mac user. This is my PowerBook and I love it. In fact, anybody who knows me knows that all my code gets written here and, if you're lucky, ported to Linux. So as soon as that demo got run on the Washington Post blog, we got some hate mail. I mean, did we ever; we got some serious hate mail, and we got asked a whole lot of questions by people that were like, "Oh, this is completely fake, and this is why it's fake." So now we have a couple of slides that will answer some of the most popular questions, and before I answer these I'd like to give the audience a chance to respond to why this is a bad question. The most commonly given question is: did you get root? Does anybody here know why that's a bad question?
Exactly. So you're running in the kernel, and from the kernel we get root, and by root we mean superuser access. Root's a generic term; actually I hear people talking about getting root on Windows machines all the time, and it's actually an administrator account. But if you compromise something that's running in the kernel, you have the ability to do whatever you want on the machine. So that was actually the most common question we got. Second most... oh wait, never mind. Okay, somebody wanted to hear me talk about fingerprinting anymore. All right.

So here's a bastardization of the OSI network layer model, one-oh-one, because a lot of people didn't seem to get this. The 802.11 device driver has an arrow next to it: we are here. Your firewall is a little bit further down the stack; it doesn't get these packets until we've already dealt with them. So I mean, think about it: a packet comes in off the air into your card on its antenna. You can think of it as needing to get from the card to the rest of your computer. The device driver gets it there. Your firewall cannot see this packet until we've already given it to it. So if the bug's in the driver, your firewall can't help. And finally, some people seem to think that antivirus will help. Your antivirus is like light years away, so I don't even know what to say about that, except it doesn't.

The second question was: what services are running? Given the awesome charts that were made by Mr. Johnny Cache in OmniGraffle just a few minutes ago, would anybody like to tell me why this is not a good question? There you go. This attack happens at the network link layer; no IP packets were required for this attack.

Question three: "I'll pay you $10, $100, even $1,000 for a live demo." And I gotta tell you, okay, well, first of all, why is this a bad question? All right, for the grammar Nazis, this actually isn't a question. So aside from that, why is this a bad statement, then?
Well, actually, that is funny. HD Moore's offered $40,000 to $120,000 for unreleased bugs, and we're getting offered a thousand. Wow. Come on, guys, this is insulting. You should know it. Never... I won't knock iDefense. I'm sorry. So this is actually a bad idea, because by doing a live demo for you, and someone wanted to package up a demo and ship it to them... why would I start distributing copies of something that hasn't been patched yet? That just doesn't seem like a good idea to me, and that's actually the answer to this question.

Question four: why was it a video? Does anyone know why? How many sniffers are there in this room right now? Because we asked this question at Black Hat and one guy raised his hand, and I really wanted to give him a copy of the exploit just because he was being honest. But if you do this demo live on stage, now we're not the only people doing it; you all are doing it too, and that just doesn't seem to be a good idea right now. And that's the answer: anyone with a sniffer will have a copy of the exploit.

And the fifth question: how did you use a third-party card, as there are no PCMCIA or ExpressCard slots on your MacBook? This is actually my favorite one. Doesn't anyone want to know the answer to this? Does anyone know? USB. USB. So in addition to that, I actually have to make a gigantic apology to the Mac user base, as I was quoted saying I would like to stick Mac users in the eye with a lit cigarette. Although this was an accurate quote, I actually did say that, I would like to say that I don't mean all Mac users.
I just mean the people that sent me email that said, "Fuck you, I'm gonna kill you and your dog too." Yeah, I don't even have a dog, so...

Um, in general though, you know, wrapping up: people kind of lost sight of what we were talking about here because there was a Mac involved. And what we were talking about here wasn't that we can break into a Mac and we're badasses and whatnot. The thing we were talking about was that these kinds of problems are systemic across all operating systems. You'll find problems like this in Windows, you'll find problems like this in Linux, you'll find problems like this in FreeBSD. Problems like this exist everywhere. The fact that we were using a Mac is actually somewhat complimentary to Macs, because we figured if we could break into a Mac then everybody would just assume everybody else could be broken into too. So that's the message that kind of got lost in a lot of the drama that happened this week: we're not focusing on Macs specifically. We did show a demo on a Mac, but specifically this is something that happens systemically all throughout people who write device drivers. It's not just Wi-Fi device drivers; there are Bluetooth device drivers. I mean, has anyone here ever run a Bluetooth fuzzer and seen stuff crash? No one? Dude, go Google stuff. Oh wait, one gentleman in front. So you can actually go get off-the-shelf, downloadable Bluetooth fuzzers now. Run them against your phone, run them against your computer, run them against your friend's computer; that's even more fun. So the thing we want people to take away from this is that these problems have got to be fixed before you're measuring the range of Wi-Fi in kilometers and not meters. I guess we only have a few minutes for questions, but if there's something we haven't covered already, feel free. Yeah, other than what card was it. Next. I'm sorry.
We can't hear the question; step up to the mic. Uh-oh, someone just jacked your mic privileges.

Hey, could you briefly go through the methodology for finding this exploit? Like, did you start with a fuzzer and then move on from there, or what?

No, I'm actually not the biggest fan in the world of fuzzing, actually. It has a great place, and because there are a lot of things that happen sometimes, like you can find bad code paths and whatnot, but it's actually hard to exercise them. So the way I prefer to audit things is you open your binary and you start looking for specific bad code patterns and things like that, and then once you have those marked, then you develop your fuzzer to try to exercise those specific code paths. And once you're exercising those specific code paths, then modify your fuzzer to start doing like fault injection or bad data injection. So it's actually kind of a hybrid approach. Yes, sir.

In the Washington Post article you said that the reason you used the third-party card was because you were pressured by Apple not to do the exploit on the native AirPort card. But then in the follow-up article the journalist said that you freely admitted that it was just as effective on the internal card. So the question then becomes: why not just do the video demo without a third-party card?

Well, one of the things we're doing now is I've been in communication with Apple this week, and actually Apple has a bit of a holdup with fixing this problem, as I've been incredibly busy and haven't had the chance to get them all of the data they need. But after this talk I'll be working on that exclusively. One of the things that I'm waiting on now is, you know, confirmation from Apple for affected platforms.

I realize this isn't a real solution, but are you familiar with Tanenbaum's work on isolating device drivers?

I'm sorry, your question is about isolating device drivers?

Yeah.
Um, I know Tanenbaum worked on it. I'm probably not saying his name right.

No, you're talking about Andrew Tanenbaum.

Yeah, yeah. Would this have helped at all?

Well, so, you know, one of the things that seemed to confuse people a lot, and that's of course why we got the "did you get root" questions, is they don't quite understand that device drivers run in the kernel; once you compromise the kernel you can do whatever you want. So obviously anything like moving those kinds of device drivers to user land, although it would fix the problem... you know, I'm not an OS architect, so I don't know what kind of performance hit you would take on something like that. Although actually trying to push this code away from the kernel is very difficult, because there are a lot of very real-time constraints in the 802.11 standard. Originally the first cards that came out, like Prism, did everything in hardware because it was too hard, or I think it was too hard, just to do it in software in the kernel; the real-time constraints are just too high. So to actually take it from kernel to user land, I mean, I suspect it's probably impractical for 802.11. Other things, so yeah, it's possible.

So maybe do more of it in the firmware of the card?

I'm sorry, what was that?

So maybe you should be doing more of it in the firmware of the card and update...

Yeah, you know what, if they put these bugs in hardware, I don't know what would happen, but I seriously doubt we'd be popping a shell. All right, well, we're out of time. Thanks for all the questions.