Ghost in the Wireless, iwlwifi Edition

Presented at Black Hat USA 2022, Aug. 11, 2022, 10:20 a.m. (40 minutes)

Over the last few years, Wi-Fi has replaced Ethernet as the main network protocol on laptops. Software implementations of the Wi-Fi protocol naturally became targets for attackers, and vulnerabilities found in Wi-Fi drivers have been exploited to gain control of the operating system, remotely and without any user interaction. However, little research has been published on Wi-Fi chips and the firmware they run.

Nowadays, Intel's Wi-Fi chips implement complex features in their firmware, such as Wake-on-WLAN and Tunnel Direct Link Setup (TDLS). We reverse-engineered some internals of Intel Wi-Fi chips and exploited the way they load their firmware to gain arbitrary code execution. We also studied how the chip can securely store parts of its code in system memory, through a mechanism we call "Paging Memory", and found how any read-anywhere vulnerability can also be turned into code execution.

Presenters:

  • Gabriel Campana - Security Researcher, Ledger
    Gabriel Campana is a senior security researcher with over 10 years of experience in the IT security field. His interests are mainly focused on vulnerability research, exploitation methods and Linux kernel security. Lately, he has been working on building hypervisors and breaking hardware wallets.
  • Nicolas Iooss - Security Researcher, Ledger
    Nicolas Iooss is a security engineer who likes to explore the low-level parts of various systems. After studying some Baseboard Management Controllers (finding CVE-2018-7105 in HPE's iLO, for example) and some Trusted Platform Modules, he became interested in Wi-Fi chipsets. He has also been part of the SELinux developers team for many years.
