Ghost in the Wireless, iwlwifi Edition

Conference:  Black Hat USA 2022



The presentation discusses vulnerabilities found in Intel Wi-Fi chips and their firmware, and how they can be exploited to gain code execution on the chip and access to sensitive information in host memory.
  • If the IOMMU does not restrict the device, DMA from the Wi-Fi chip can read and write anywhere in main physical memory
  • The IOMMU is the defense against such DMA attacks, but it is not enabled by default on Ubuntu
  • A basic stack buffer overflow can be used to gain code execution on the Wi-Fi chip
  • The chip's debug mode can be enabled to gain full access to it
  • The loader that places firmware onto the chip can be exploited through a time-of-check to time-of-use (TOCTOU) attack
The presenter was motivated by the frustration that others could run code on his Wi-Fi chip while he could not run code on his own hardware, which led him to examine the firmware loading process and discover these vulnerabilities.


Over the last few years, Wi-Fi has replaced Ethernet as the main network protocol on laptops. Software implementations of the Wi-Fi protocol naturally became the targets of attackers, and vulnerabilities found in Wi-Fi drivers were exploited to gain control of the operating system, remotely and without any user interaction. However, not much research has been published on Wi-Fi chips and the firmware they run.

Nowadays, Intel's Wi-Fi chips implement complex features in their firmware: Wake-on-WLAN, Tunneled Direct Link Setup (TDLS), and more. We investigated through reverse engineering some internals of Intel Wi-Fi chips and exploited the way they load their firmware to gain arbitrary code execution. We also studied how the chip can securely store parts of its code in the system memory, through a mechanism we call "Paging Memory", and found how any read-anywhere vulnerability can be used to also gain code execution.
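The firmware-loader TOCTOU mentioned in the summary and the abstract follows a generic pattern: the loader verifies an image in a buffer the host owns, then reads that buffer a second time to copy the code into the chip, so whatever the host writes between the two reads is loaded unverified. The example below is an added illustration written for this page, not code from the talk or from Intel's firmware; the image layout, the FNV-1a "digest" standing in for a real signature check, the race hook that models the host modifying the buffer, and all sample bytes are assumptions constructed for the demo. It shows the vulnerable verify-in-place loader beside the copy-then-verify fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical image layout (assumption for illustration, not Intel's format). */
#define FW_CODE_MAX 64
#define FW_MAGIC    0x4657u            /* "FW" */

typedef struct {
    uint16_t magic;
    uint16_t len;                      /* bytes of code[] that are valid */
    uint32_t digest;                   /* toy integrity value over code[0..len) */
    uint8_t  code[FW_CODE_MAX];
} fw_image_t;

/* Toy digest (FNV-1a) standing in for a signature check; the TOCTOU is identical. */
static uint32_t fw_digest(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Build a well-formed image over legitimate code. */
static void fw_build(fw_image_t *img, const uint8_t *code, uint16_t len)
{
    memset(img, 0, sizeof *img);
    img->magic = FW_MAGIC;
    img->len = len;
    memcpy(img->code, code, len);
    img->digest = fw_digest(img->code, len);
}

/* The check: 1 if the image is well-formed and its digest matches. */
static int fw_verify(const fw_image_t *img)
{
    if (img->magic != FW_MAGIC || img->len > FW_CODE_MAX) return 0;
    return fw_digest(img->code, img->len) == img->digest;
}

/* Models the host writing the shared buffer while the loader runs. In the
 * real attack this is a CPU core racing the chip; here it is deterministic. */
typedef void (*race_hook_t)(fw_image_t *shared);

/* VULNERABLE: verifies the image in the host-owned buffer, then reads the
 * buffer again at the time of use. Host writes in between are loaded unverified. */
static int load_firmware_toctou(fw_image_t *shared, uint8_t *chip_mem, race_hook_t race)
{
    if (!fw_verify(shared)) return -1;            /* time of check */
    if (race) race(shared);                       /* the window */
    memcpy(chip_mem, shared->code, shared->len);  /* time of use: re-reads shared */
    return shared->len;
}

/* HARDENED: snapshot the shared buffer once into chip-private memory, then
 * verify and use only the snapshot. Later host writes cannot affect the load. */
static int load_firmware_copy_then_verify(fw_image_t *shared, uint8_t *chip_mem, race_hook_t race)
{
    fw_image_t priv;
    memcpy(&priv, shared, sizeof priv);           /* single read of shared memory */
    if (race) race(shared);                       /* same window, no effect on priv */
    if (!fw_verify(&priv)) return -1;
    memcpy(chip_mem, priv.code, priv.len);
    return priv.len;
}

/* Constructed sample inputs. */
static const uint8_t good_code[] = { 0x10, 0x20, 0x30, 0x40 };
static const uint8_t evil_code[] = { 0xBA, 0xDB, 0xEE, 0xF0 };

/* Attacker action in the window: swap the code bytes, leaving the digest stale. */
static void host_swaps_code(fw_image_t *shared)
{
    memcpy(shared->code, evil_code, sizeof evil_code);
}

/* 1 if attacker-controlled bytes ended up in chip memory. */
int demo_toctou_loader_runs_host_code(void)
{
    fw_image_t img; uint8_t chip_mem[FW_CODE_MAX] = {0};
    fw_build(&img, good_code, sizeof good_code);
    int n = load_firmware_toctou(&img, chip_mem, host_swaps_code);
    return n == (int)sizeof evil_code && memcmp(chip_mem, evil_code, sizeof evil_code) == 0;
}

/* 1 if the hardened loader loads the verified bytes despite the same race. */
int demo_copy_then_verify_ignores_race(void)
{
    fw_image_t img; uint8_t chip_mem[FW_CODE_MAX] = {0};
    fw_build(&img, good_code, sizeof good_code);
    int n = load_firmware_copy_then_verify(&img, chip_mem, host_swaps_code);
    return n == (int)sizeof good_code && memcmp(chip_mem, good_code, sizeof good_code) == 0;
}

/* 1 if an image tampered before the check is rejected by both loaders. */
int demo_tampered_image_rejected(void)
{
    fw_image_t img; uint8_t chip_mem[FW_CODE_MAX] = {0};
    fw_build(&img, good_code, sizeof good_code);
    host_swaps_code(&img);                        /* tamper before any check */
    return load_firmware_toctou(&img, chip_mem, NULL) == -1
        && load_firmware_copy_then_verify(&img, chip_mem, NULL) == -1;
}

int main(void)
{
    printf("toctou loader ran host code: %d\n", demo_toctou_loader_runs_host_code());
    printf("copy-then-verify ignored race: %d\n", demo_copy_then_verify_ignores_race());
    printf("tampered image rejected by both: %d\n", demo_tampered_image_rejected());
    return 0;
}
```

The point of the hardened variant is that the only read of host-controlled memory happens before the check, and everything after the check operates on memory the host cannot reach. On a real chip that private copy must live in device-internal SRAM, not in a DMA buffer the host can still write; the "Paging Memory" mechanism the abstract mentions, which stores chip code in system memory, is exactly the kind of design where that distinction matters.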