informa
/
News

That Air of Danger

Security researchers, attackers turn their attention to mobile and wireless vulnerabilities

1:20 PM -- If wireless technology is a key part of your IT strategy, you may have felt a bit picked on this week.

We're not sure if it's a trend or just coincidence, but security researchers around the globe have had mobile technology in their sights in recent days, and the result is a growing list of vulnerabilities that IT administrators should examine closely.

First, a researcher from France Telecom SA (NYSE: FTE) discovered the first remotely exploitable 802.11 WiFi bug on a Linux machine. The kernel stack-overflow bug, which is in the open-source MadWiFi Linux kernel device driver, lets an attacker run malicious code remotely on an infected machine -- and the infected machine doesn't even have to be on a WiFi network to get "owned." (See Critical WiFi Bug Found on Linux.) The vulnerability is far from the first to be found in 802.11 environments, which were supposed to make WiFi safer.

Then, in Germany, three researchers from the Darmstadt University of Technology demonstrated their ability to extract a WEP encryption key from an intercepted stream of data in about three seconds. The demonstration was the fastest-ever crack of the popular WEP technology, which was first shown to be flawed more than five years ago. (See Researchers Put Nail in WEP's Coffin.)

Elsewhere in Europe, researchers were demonstrating a new, low-cost prototype sniffer based on a $30 Bluetooth USB dongle. The dongle's developers say their finding opens the door for open-source freebie sniffing tools for Bluetooth researchers -- in fact, they were able to crack a commercial sniffer package and copy and load it onto a USB stick. (See Hacking Bluetooth With a USB Stick .)

Here in the U.S., two security firms reported that vulnerabilities in emerging mobile and cellular technologies -- combined with the increasing ubiquity of the devices across the globe -- are making the wireless phone a more attractive target than ever for hackers. McAfee Inc. (NYSE: MFE)'s Avert Labs predicted that the number of mobile malware attacks targeted at smartphones and wireless PDAs will double by the end of this year. Mobile security vendor Sipera Systems reported a number of vulnerabilities in dualmode cellular and WiFi phone systems. (See Mobile Phones: Hackers' Next Target.)

And in Amsterdam, independent researcher Adam Laurie demonstrated how he reprogrammed RFID tags and could duplicate a legitimate user's building cardkey at Black Hat Europe. Laurie said he developed the exploit simply by reading the RFID manufacturers' data sheets. (See RFID Under Attack Again.)

What's the lesson of this week of wireless bugs? That while wireless may be convenient -- and sometimes even more efficient than wired technology -- it should be approached slowly and carefully, with one eye on the vulnerabilities it may expose in your network. As with many emerging technologies, what's good for the end user may mean a lot of new headaches for security managers.

— Tim Wilson, Site Editor, Dark Reading

Recommended Reading: