Ghost in the Wireless, iwlwifi Edition
Nicolas Iooss, Gabriel Campana

#BHUSA @BlackHatEvents
Context
- Up-to-date Ubuntu 18.04 LTS
- HTTP server

- Android smartphone

Information Classification: General 2 #BHUSA @BlackHatEvents


Context
# dmesg
iwlwifi 0000:01:00.0: Start IWL Error Log Dump:
iwlwifi 0000:01:00.0: Status: 0x00000100, count: 6
iwlwifi 0000:01:00.0: Loaded firmware version: 34.0.1
...
iwlwifi 0000:01:00.0: Start IWL Error Log Dump:
iwlwifi 0000:01:00.0: Status: 0x00000100, count: 7
iwlwifi 0000:01:00.0: 0x00000070 | ADVANCED_SYSASSERT
...
iwlwifi 0000:01:00.0: 0x004F01A7 | last host cmd
ieee80211 phy0: Hardware restart was requested



Why this research?
- This chip implements complex features
  - Likely to have vulnerabilities
- No public research about the security of Intel’s Wi-Fi chips
  - Prior art: Broadcom’s Wi-Fi cards and Intel’s NIC
- This sounds fun
- Yet another smart piece of hardware, widely used in laptops
- The chip has DMA (Direct Memory Access) by design, because it is a network device
  - DMA attacks: FireWire attacks, PCIe screamer, Thunderspy, Thunderclap…


Studied Wi-Fi chips

Intel Wireless-AC 8260


Intel Wireless-AC 9560
(Picture of a Companion RF Module)



Agenda
- The firmware & talking to the chip
- Vulnerability research
- Dynamic analysis experiments
- DMA through the paging memory



The Firmware
Intel WireLess (IWL) Wi-Fi on Linux



Firmware file (for Intel Wireless for Linux)
iwlwifi chooses a compatible firmware file using the API version
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/
# dmesg
iwlwifi 0000:00:14.3: loaded firmware version 46.6f9f215c.0 9000-pu-b0-jf-b0-46.ucode op_mode iwlmvm

# ls /lib/firmware/iwlwifi-9000-pu-b0-jf-b0-*
/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-33.ucode
/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-34.ucode
/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-38.ucode
/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-41.ucode
/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-43.ucode
/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-46.ucode



Firmware file format
Linux: drivers/net/wireless/intel/iwlwifi/fw/file.h
Header:
- API version 0x2e = 46
- build number 6f9f215c
Entries: Type, Length, Value
No encryption

00000000: 0000 0000 4957 4c0a 7265 6c65 6173 652f ....IWL.release/
00000010: 636f 7265 3433 3a3a 3666 3966 3231 3563 core43::6f9f215c
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040: 0000 0000 0000 0000 2e00 0000 5c21 9f6f ............\!.o
00000050: 0000 0000 0000 0000 1600 0000 0c00 0000 ................
00000060: 0000 0000 db15 060f 8b95 020f 2400 0000 ............$...
00000070: 0c00 0000 2e00 0000 5c21 9f6f 0000 0000 ........\!.o....
00000080: 3700 0000 2000 0000 143c 8100 7c74 4600 7... ....<..|tF.

000002e0: 0700 0000 0000 0000 1b00 0000 0400 0000 ................
000002f0: 0200 0000 1300 0000 bc02 0000 0040 4000 .............@@.
00000300: 0600 0000 a100 0000 0000 0100 0000 0000 ................
00000310: 8680 0000 2801 2120 cb1e 0200 4000 0000 ....(.! ....@...

Firmware decoder
$ parse_intel_wifi_fw.py iwlwifi-9000-pu-b0-jf-b0-46.ucode
- DEF_CALIB (12 bytes): ucode_type=REGULAR flow_trigger=0x0F0615DB event_trigger=0x0F02958B
- FW_VERSION (12 bytes): 46.6f9f215c.0
- LMAC_DEBUG_ADDRS (32 bytes):
  error_event_table_ptr = 0x00813C14
  log_event_table_ptr = 0x0046747C
- NUM_OF_CPU (4 bytes): 2
- SEC_RT (700 bytes): runtime microcode at 00404000..004042b8 (ACM Header)
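A parser for the TLV-format .ucode file described above, added here as an example (it is not the authors' parse_intel_wifi_fw.py). The TLV type numbers are those of fw/file.h; the sample file is constructed from the header fields and entries visible in the hexdump, with a 10-byte dummy code section instead of the real 696 bytes.

```python
import struct

# TLV type numbers from Linux drivers/net/wireless/intel/iwlwifi/fw/file.h
TLV_NAMES = {7: "PAN", 19: "SEC_RT", 22: "DEF_CALIB", 27: "NUM_OF_CPU",
             36: "FW_VERSION", 55: "LMAC_DEBUG_ADDRS"}
IWL_MAGIC = 0x0A4C5749  # b"IWL\n" read as a little-endian u32
HEADER_LEN = 0x58       # zero, magic, 64-byte human-readable string, ver, build, 8 ignored bytes

def parse_ucode(blob):
    """Parse a TLV-format .ucode file into (header dict, list of (type name, payload))."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file too short for the TLV header")
    zero, magic = struct.unpack_from("<II", blob, 0)
    if zero != 0 or magic != IWL_MAGIC:
        raise ValueError("missing IWL magic: not a TLV-format firmware file")
    human = blob[8:0x48].split(b"\0", 1)[0].decode("ascii", "replace")
    ver, build = struct.unpack_from("<II", blob, 0x48)
    tlvs, off = [], HEADER_LEN
    while off < len(blob):
        if off + 8 > len(blob):
            raise ValueError("truncated TLV header at offset 0x%x" % off)
        tlv_type, tlv_len = struct.unpack_from("<II", blob, off)
        data = blob[off + 8:off + 8 + tlv_len]
        if len(data) != tlv_len:
            raise ValueError("TLV type %d at 0x%x runs past the end of the file" % (tlv_type, off))
        tlvs.append((TLV_NAMES.get(tlv_type, "TLV_%d" % tlv_type), data))
        off += 8 + ((tlv_len + 3) & ~3)  # every TLV payload is padded to a 4-byte boundary
    return {"human_readable": human, "api_version": ver, "build": build}, tlvs

def fw_version(tlvs):
    """Render the FW_VERSION TLV the way dmesg prints it: major.build.minor."""
    major, build, minor = struct.unpack("<III", dict(tlvs)["FW_VERSION"][:12])
    return "%d.%08x.%d" % (major, build, minor)

def sections(tlvs):
    """SEC_RT entries: the first u32 is the load address, the rest is the code."""
    return [(struct.unpack_from("<I", d, 0)[0], len(d) - 4) for n, d in tlvs if n == "SEC_RT"]

def tlv(tlv_type, data):
    # Type, Length, Value, padded to 4 bytes like the files the driver parses
    return struct.pack("<II", tlv_type, len(data)) + data + b"\0" * (-len(data) % 4)

def build_sample():
    """Constructed sample mirroring the header and TLVs shown in the slides (not a real file)."""
    hdr = struct.pack("<II", 0, IWL_MAGIC) + b"release/core43::6f9f215c".ljust(64, b"\0")
    hdr += struct.pack("<IIQ", 46, 0x6F9F215C, 0)
    body = tlv(7, b"")                                               # PAN flag, zero length
    body += tlv(22, struct.pack("<III", 0, 0x0F0615DB, 0x0F02958B))  # DEF_CALIB
    body += tlv(36, struct.pack("<III", 46, 0x6F9F215C, 0))          # FW_VERSION 46.6f9f215c.0
    body += tlv(55, struct.pack("<8I", 0x00813C14, 0x0046747C, 0, 0, 0, 0, 0, 0))
    body += tlv(27, struct.pack("<I", 2))                            # NUM_OF_CPU
    body += tlv(19, struct.pack("<I", 0x00404000) + b"\xAA" * 10)    # SEC_RT with dummy code
    return hdr + body

if __name__ == "__main__":
    header, tlvs = parse_ucode(build_sample())
    print(header, fw_version(tlvs), [hex(a) for a, _ in sections(tlvs)])
```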
2 Processors?!?
(Diagram of the Wi-Fi chip)
- PCIe: the main system loads the firmware over it
- UMAC CPU (Upper Medium Access Controller)
- LMAC CPU (Lower Medium Access Controller)
- On-Chip Memory (SRAM, DCCM…)
- Unknown buses connecting the CPUs, the memory and the Physical Interface (Antennae)
Firmware memory layout
Firmware File:
- DEF_CALIB
- FW_VERSION
- LMAC_DEBUG_ADDRS
- NUM_OF_CPU 2
- SEC_RT 00404000
- SEC_RT 00800000
- SEC_RT 00000000
- SEC_RT 00456000
- SEC_RT 00405000
- SEC_RT c0080000
- SEC_RT c0880000
- SEC_RT 80448000
…

Wi-Fi chip memory (LMAC and UMAC regions; cpu_rec identifies the code as ARCompact):
- 00000000..00037fff (229376 bytes)
- c0080000..c008ffff (65536 bytes)
- 00404000..004042b7 (696 bytes): Authenticated Module Headers (RSA-2048 public key, Signature)
- 00405000..004052b7 (696 bytes): Authenticated Module Headers
- 80448000..80455ad3 (56020 bytes)
- 00456000..0048d873 (227444 bytes)
- 00800000..00817fff (98304 bytes)
- c0880000..c0887fff (32768 bytes)
Reverse all the things!
Tools: objdump, IDA Pro, Ghidra (Pull Req #3006) and custom Python scripts



Trying to modify the firmware
# dmesg
iwlwifi 0000:00:14.3: SecBoot CPU1 Status : 0x3030003, CPU2 Status: 0x0

FAIL



Talking to the Chip

Beyond network packets


Linux Debug Filesystem
Maaaaaany files in the debugfs!
# ls /sys/kernel/debug/iwlwifi/0000:00:14.3/iwlmvm
bt_cmd fw_restart nvm_sw
bt_force_ant fw_rx_stats prph_reg
bt_notif fw_ver ps_disabled
bt_tx_prio he_sniffer_params rfi_freq_table
ctdp_budget indirection_tbl sar_geo_profile
d3_test inject_beacon_ie scan_ant_rxchain
d3_wake_sysassert inject_beacon_ie_restore send_echo_cmd
disable_power_off inject_packet send_hcmd
drop_bcn_ap_mode last_netdetect_scans set_nic_temperature
drv_rx_stats mem sram
enabled_severities netdev:p2p-dev-wlp0s20@ sta_drain
enable_scan_iteration_notif netdev:wlp0s20f3@ stations
force_ctkill nic_temp stop_ctdp
fw_dbg_collect nvm_calib timestamp_marker
fw_dbg_conf nvm_hw tx_flush
fw_dbg_domain nvm_phy_sku uapsd_noagg_bssids
fw_info nvm_prod
fw_nmi nvm_reg



Linux Debug Filesystem
Memory read: almost anywhere :) (not 0048f000...0048ffff)

# DBGFS=/sys/kernel/debug/iwlwifi/0000:00:14.3
# dd if=$DBGFS/iwlmvm/mem bs=1 count=128 | xxd
00000000: 2020 800f 0000 4000 2020 800f 0300 e474 ....@. .....t
00000010: 2020 800f 0300 3837 2020 800f 0000 c819 ....87 ......
00000020: 6920 0000 6920 4000 6920 0000 6920 4000 i ..i @.i ..i @.
00000030: 2020 800f 4700 14b6 6920 0000 6920 4000 ..G...i ..i @.
00000040: 6920 0000 4a20 0000 4a21 0000 4a22 0000 i ..J ..J!..J"..
00000050: 4a23 0000 4a24 0000 4a25 0000 4a26 0000 J#..J$..J%..J&..
00000060: 4a27 0000 4a20 0010 4a21 0010 4a22 0010 J'..J ..J!..J"..
00000070: 4a23 0010 4a24 0010 4a25 0010 4a26 0010 J#..J$..J%..J&..



Getting the PC (Program Counter)
// Linux: drivers/net/wireless/intel/iwlwifi/iwl-prph.h
#define UREG_UMAC_CURRENT_PC 0xa05c18
#define UREG_LMAC1_CURRENT_PC 0xa05c1c
#define UREG_LMAC2_CURRENT_PC 0xa05c20

# echo 0xa05c18 > $DBGFS/iwlmvm/prph_reg
# cat $DBGFS/iwlmvm/prph_reg
Reg 0xa05c18: (0xc0084f40)    <- UMAC pc

# echo 0xa05c1c > $DBGFS/iwlmvm/prph_reg
# cat $DBGFS/iwlmvm/prph_reg
Reg 0xa05c1c: (0xb552)        <- LMAC pc (HOW‽)

# echo 0xa05c20 > $DBGFS/iwlmvm/prph_reg
# cat $DBGFS/iwlmvm/prph_reg
Reg 0xa05c20: (0x0)           <- No second LMAC


The perspective from iwlwifi (Linux)



Host commands
- Communication with the chip through PCIe
- Commands processed by UMAC CPU
- Undocumented commands



Arbitrary Code Execution

Abusing undocumented host commands from Linux


Vulnerability



Exploitation



Send arbitrary commands to the chip
- Linux ftrace framework
- No need to build a custom iwlmvm.ko
- Hijack a single function: iwl_mvm_send_cmd()
- Custom requests from userland
- Communicate through /sys/kernel/debug/iwlwifi/*/iwlmvm
$ make
make -C /lib/modules/4.15.0-177-generic/build M=/home/user/hook-driver modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-177-generic'
CC [M] /home/user/hook-driver/exploit.o
CC [M] /home/user/hook-driver/ftrace_hook.o
LD [M] /home/user/hook-driver/pwn.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/user/hook-driver/pwn.mod.o
LD [M] /home/user/hook-driver/pwn.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-177-generic'



Exploit
- rwx region, no mitigations
- Put the shellcode in a global buffer thanks to a specific command
- Optional: read memory to ensure that the shellcode was successfully
written
- Trigger the vulnerability



Payload – enable debug mode
$ sudo ./iwldebug.py read 0xc0887ff4 16
c0887ff4: efbe adde efbe adde efbe adde efbe adde

$ sudo ./iwldebug.py write 0xc0887ff4 61626364
Failed to write 4 bytes to 0xc0887ff4 (61626364)

$ sudo ./exploit_enable_debug.py
[*] loading module pwn
[*] putting shellcode in memory (24 bytes)
[*] ensuring shellcode is there
[*] triggering overflow
[*] ensuring debug flag is set
SUCCESS (read at 0xc0a03088: 0x400)!
[*] unloading module pwn

$ sudo ./iwldebug.py write 0xc0887ff4 61626364

$ sudo ./iwldebug.py read 0xc0887ff4 16
c0887ff4: 6162 6364 efbe adde efbe adde efbe adde


Old vulnerability
- Intel Wireless-AC 8260: old firmware vulnerable, 🎉 enable debug mode
- Intel Wireless-AC 9560: ⛔ the vulnerability does not seem to be present


Loading patched firmware
Discovering the Loader
(Diagram: Linux transmits the firmware through iwlwifi to the Wi-Fi chip and reads the LMAC pc from its registers)
Wi-Fi chip memory:
00060000-00061eff: loader
00401000-0040243b: data
00402e80-00402fff: stack
Registers: LMAC pc = 0x0006107e

TOCTOU attack? (Transmit FW, Verify FW, Transmit patched FW): SECURE
Can Linux modify the data or the stack? VULN


Bypassing the signature verification
INTEL-SA-00621, CVE-2022-21181, published on 2022-08-09
Wi-Fi chip memory:
00000000-...: firmware
00402e80-...: loader stack
1. Load a modified firmware
2. Change a return address
3. Wait

- Intel Wireless-AC 8260: 🎉 SUCCESS
- Intel Wireless-AC 9560: ⛔ FAIL, then 🎉 SUCCESS (196 fake FW sections) after making the chip commit its Data Cache


Dynamic analysis

We have arbitrary code execution on the chip. Now what?


Tracing
- Tell which functions are executed
- Replace the first instruction (push_s blink) of every function with:
  - LMAC: trap_s 0
  - UMAC: invalid instruction
- Hook the exception vector in the exception handler
  - Log the address to an unused buffer (0xc004ad00 - 0xc0050000)
  - Emulate push_s blink and return after the patched instruction
- Write hooks thanks to debug mode
- Read the shared buffer from the host in a loop


On-Chip Debugger
Goals: retrieve memory and register values to ease reverse engineering



On-Chip Debugger
- A debugger stub (PIC) is written to a fixed address
- 4 commands:
  - Read register
  - Write to memory (1 / 2 / 4 bytes)
  - Read from memory (1 / 2 / 4 bytes)
  - Resume execution
- Communication with the host through unused registers
- Targeted function pointers are replaced with the debugger address
  - Allows instrumenting a set of UMAC/LMAC functions
- Less powerful than a GDB stub


InVitroDbg
- Idea from Guillaume Delugré, "Closer to metal: Reverse engineering the Broadcom NetExtreme's firmware" (Hack.lu 2010)
- Emulate firmware
  - Firmware execution on the host
  - Forward some memory accesses to the on-chip debugger
- QEMU user with custom TCG plugin
- GDB server


Firmware emulation with IO memory accesses



DMA (Direct Memory Access)
and the Paging Memory

Experiment: can the chip do DMA Attacks?


The Additional Code in the File
Firmware File:
- NUM_OF_CPU 2
- SEC_RT 00404000
- SEC_RT 00800000
- SEC_RT 00000000
- SEC_RT 00456000
- SEC_RT 00405000
- SEC_RT c0080000
- SEC_RT c0880000
- SEC_RT 80448000
…
- SEC_RT aaaabbbb: separator (4 bytes)
- SEC_RT 00000000: 00000000..00000297 (664 bytes)
- SEC_RT 01000000: 01000000..0103afff (241664 bytes)

Wi-Fi chip memory (LMAC and UMAC regions, as on the firmware memory layout slide):
- 00000000..00037fff (229376 bytes)
- c0080000..c008ffff (65536 bytes)
- 00404000..004042b7 (696 bytes)
- 00405000..004052b7 (696 bytes)
- 80448000..80455ad3 (56020 bytes)
- 00456000..0048d873 (227444 bytes)
- 00800000..00817fff (98304 bytes)
- c0880000..c0887fff (32768 bytes)


Memory Management Unit (MMU)
The Paging Memory is like Linux’s swap mechanism.

UMAC virtual memory -> UMAC physical memory:
- 01000000-01ffffff -> 00422000-00447fff (152 KiB, 38 pages)
- 80000000-bfffffff
- c0000000-ffffffff -> 00000000-3fffffff

MMU configuration (managed by Linux):
- 01000xxx is not present
- 01001xxx is not present
- 01002xxx is at 00432xxx (fetched through a DMA request if needed)
- …

Main physical memory: “Paging Memory”, data stored by iwlwifi (236 KiB, 59 pages)


The Paging Memory
How is the integrity ensured?
- RSA signature on the 59 pages together
- Each page is sent separately
- Each page can be modified by the firmware, but not by Linux

Solution: each page is protected by a 32-bit checksum
- Universal Message Authentication Code (https://en.wikipedia.org/wiki/UMAC)
- Random per-boot 4096-byte secret key
- Integrity is broken if an attacker can read the checksums
  - They are located at 0x0048f400, not readable from Linux


Memory Management Unit (MMU): DMA Attack
(Same diagram as above, now showing the paging DMA request aimed at “Other memory” in the main physical memory instead of the Paging Memory data stored by iwlwifi)
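A model of the paging mechanism from the MMU and Paging Memory slides, added here as an example (not the firmware's code): 59 host-held pages, 38 on-chip slots, a random per-boot 4096-byte key and chip-private 32-bit tags checked whenever a page is fetched over DMA. The slides do not give the UMAC function itself, so HMAC-SHA256 truncated to 32 bits stands in for it, and the round-robin eviction is also an assumption.

```python
import hashlib
import hmac
import os
import struct

PAGE_SIZE = 4096
NUM_PAGES = 59            # paging section 01000000..0103afff: 236 KiB held by the host
NUM_SLOTS = 38            # on-chip window 00422000..00447fff: 152 KiB, so not every page fits
VIRT_BASE = 0x01000000    # UMAC virtual addresses served by the paging mechanism
PHYS_BASE = 0x00422000

def page_tag(key, page_idx, data):
    """32-bit keyed checksum of one page. The firmware uses UMAC with a 4096-byte key;
    HMAC-SHA256 truncated to 32 bits is a stand-in (assumption, not the chip's algorithm)."""
    mac = hmac.new(key, struct.pack("<I", page_idx) + data, hashlib.sha256).digest()
    return struct.unpack("<I", mac[:4])[0]

class PagingMemory:
    """Pages live in host memory and are fetched over DMA into one of 38 slots on demand;
    the tag table lives in chip-private memory (0x0048f400 on the real chip)."""

    def __init__(self, host_pages):
        self.host = host_pages                      # host-side store, writable by Linux
        self.key = os.urandom(PAGE_SIZE)            # random per-boot secret, never leaves the chip
        self.tags = [page_tag(self.key, i, bytes(p)) for i, p in enumerate(host_pages)]
        self.slot_owner = [None] * NUM_SLOTS        # slot -> page index
        self.mapping = {}                           # page index -> slot (the MMU configuration)
        self.faults = 0

    def translate(self, vaddr):
        """UMAC virtual address -> physical address, paging in when the entry is not present."""
        if not VIRT_BASE <= vaddr < VIRT_BASE + NUM_PAGES * PAGE_SIZE:
            raise ValueError("0x%08x is outside the paging region" % vaddr)
        idx = (vaddr - VIRT_BASE) // PAGE_SIZE
        if idx not in self.mapping:
            self._page_in(idx)
        return PHYS_BASE + self.mapping[idx] * PAGE_SIZE + (vaddr & (PAGE_SIZE - 1))

    def _page_in(self, idx):
        self.faults += 1
        free = [s for s, owner in enumerate(self.slot_owner) if owner is None]
        slot = free[0] if free else self.faults % NUM_SLOTS    # round-robin eviction (assumed)
        victim = self.slot_owner[slot]
        if victim is not None:
            del self.mapping[victim]   # a real eviction writes the page back and refreshes its tag
        data = bytes(self.host[idx])   # the DMA read from host memory
        if page_tag(self.key, idx, data) != self.tags[idx]:
            raise RuntimeError("page %d: checksum mismatch, content changed on the host" % idx)
        self.slot_owner[slot] = idx
        self.mapping[idx] = slot

def demo():
    """Constructed run: a clean page-in, then Linux patches a page before the chip fetches it."""
    host = [bytearray(os.urandom(PAGE_SIZE)) for _ in range(NUM_PAGES)]
    pm = PagingMemory(host)
    phys = pm.translate(0x01002010)
    host[5][0] ^= 0xFF            # tamper with a page that is still only in host memory
    try:
        pm.translate(0x01005000)
        detected = False
    except RuntimeError:
        detected = True
    return phys, detected
```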


Demo!
https://asciinema.org/a/CWD6HMr4iaw0Rj3S95p9J3vII



(Ab)using The Paging Memory
The host physical addresses are used/managed by the chip. Can it do arbitrary DMA requests?
- YES! Demo!
What about the IOMMU?
- By default on Ubuntu, the IOMMU is not enabled
- Protection: add intel_iommu=on to the kernel command line
[ 259.578089] DMAR: DRHD: handling fault status reg 3
[ 259.578094] DMAR: [DMA Read] Request device [00:14.3] PASID ffffffff fault addr 406a00000 [fault reason 06] PTE Read access is not set
[ 261.600645] iwlwifi 0000:00:14.3: Error sending UNKNOWN: time out after 2000ms.
[ 261.601783] iwlwifi 0000:00:14.3: 0x00000084 | NMI_INTERRUPT_UNKNOWN
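Detection logic for the defender's side of the IOMMU slide, added here as an example (not part of the talk): it parses DMAR fault lines of the shape shown above, ties each fault from the Wi-Fi function to a firmware error that follows it, and checks a kernel command line for the intel_iommu=on setting. The log excerpt is constructed, modelled on the slide.

```python
import re

# Constructed kernel log excerpt shaped like the one in the slides (not a capture).
SAMPLE_DMESG = """\
[  259.578089] DMAR: DRHD: handling fault status reg 3
[  259.578094] DMAR: [DMA Read] Request device [00:14.3] PASID ffffffff fault addr 406a00000 [fault reason 06] PTE Read access is not set
[  261.600645] iwlwifi 0000:00:14.3: Error sending UNKNOWN: time out after 2000ms.
[  261.601783] iwlwifi 0000:00:14.3: 0x00000084 | NMI_INTERRUPT_UNKNOWN
"""

FAULT_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] DMAR: \[DMA (?P<dir>Read|Write)\] Request device "
    r"\[(?P<bdf>[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\](?: PASID \S+)? fault addr "
    r"(?P<addr>[0-9a-f]+) \[fault reason (?P<reason>[0-9a-f]+)\] (?P<text>.*)$")
FW_ERR_RE = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] iwlwifi (?P<pci>\S+): 0x[0-9A-Fa-f]{8} \| (?P<code>\S+)")

def parse_dmar_faults(log):
    """One record per IOMMU fault line: requesting device, direction, address, reason."""
    faults = []
    for line in log.splitlines():
        m = FAULT_RE.match(line)
        if m:
            faults.append({"ts": float(m["ts"]), "dir": m["dir"], "bdf": m["bdf"],
                           "addr": int(m["addr"], 16), "reason": int(m["reason"], 16),
                           "text": m["text"]})
    return faults

def firmware_errors(log):
    """(timestamp, PCI address, error name) for each iwlwifi error-dump line."""
    return [(float(m["ts"]), m["pci"], m["code"])
            for m in map(FW_ERR_RE.match, log.splitlines()) if m]

def suspicious_faults(log, device_bdf, window=5.0):
    """Faults raised by the Wi-Fi function, each paired with the first firmware error that
    follows it within `window` seconds: the trace the IOMMU leaves when it blocks a DMA
    the driver never asked for."""
    errs = firmware_errors(log)
    out = []
    for f in parse_dmar_faults(log):
        if f["bdf"] != device_bdf:
            continue
        f["fw_error"] = next((code for ts, pci, code in errs
                              if pci.endswith(device_bdf) and 0 <= ts - f["ts"] <= window), None)
        out.append(f)
    return out

def iommu_enabled_in_cmdline(cmdline):
    """True when the explicit intel_iommu=on parameter the slide recommends is present."""
    return "intel_iommu=on" in cmdline.split()
```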


Conclusion
Context
- Up-to-date Ubuntu 18.04 LTS
- HTTP server

- Android smartphone



TDLS crash analysis
- Tunneled Direct Link Setup (TDLS): incompatible implementations
- Not exploitable
- Update not available on some Linux distros (e.g. Ubuntu 18.04 LTS)
- Remote firmware crash with a single Wi-Fi packet


Conclusion
Takeaways:
- Analyzing Intel Wi-Fi chips firmware
https://github.com/Ledger-Donjon/intel-wifi-research-tools
- Finding vulnerabilities to achieve code execution on the chip
- Verifying security protections (IOMMU against DMA attack)
What’s more?
- Wi-Fi frame parsing: more vulnerabilities to be found?
- Bluetooth interface on the same chip: more complexity!
- WoWLAN (Wake-on-Wireless Local Area Network): Low-Power mode!
Groundwork for other security researchers
Questions?

https://github.com/Ledger-Donjon/intel-wifi-research-tools

@IooNag
