informa
5 min read
article

Wave of WiFi Bugs Won't Bite

At least not right away, as the Month of Kernel Bugs (MOKB) is pumping out more wireless device driver bugs

A little wary of getting hacked over that free WiFi at your local coffee shop these days? The risk may be slightly higher, given the cornucopia of wireless vulnerabilities and exploits released by the Month of Kernel Bugs (MOKB) this month.

MOKB has unleashed flaws in several different wireless card device drivers, Apple's Airport 802.11, Broadcom's BCMWL5.SYS, D-Link's DWL-G132, and NetGear's WG111v2, and another NetGear bug was expected to be today's feature bug. These aren't the first high-profile wireless bugs to emerge: a vulnerability was found in Intel's Centrino, for instance, prior to MoKB and has since been patched, and there have been others as well.

Researchers who found the MOKB wireless bugs, which each allow an attacker to execute code on the victim's machine, say there are more to come. (See Broadcom's Buffer Problem.)

But unless you're a potential victim of a targeted attack -- a CEO or CFO working on your laptop at Starbucks, for example -- the researchers who found the bugs say you're probably safe. For now, anyway.

Business travelers and home users on the road or in coffee shops should be aware that their laptop could get hacked. "If someone knows the president of a bank uses his laptop with a certain driver and is at Starbucks each day before work," then that exec would be at risk, says David Maynor, CTO of Errata Security, who found the Apple bug. All it would take is using researcher Jon Ellch's well-known fingerprinting tool that detects wireless device driver versions, he says. (See New Tool Dusts for Fingerprints and Device Drivers at Risk.).

The Apple and Broadcom bugs, for instance, are "probe response" bugs, where you have to target a specific user, notes HD Moore, who has deployed all four MOKB bugs in the popular Metasploit hacking tool. Moore is director of security research for BreakingPoint Systems.

Another potential danger lies in public WiFi hotspots. "Someone builds a small, single-board PC with Metasploit and can load up four or five exploits and launch an attack on any laptop that comes in its proximity" and make it a bot, Maynor says.

Home WLAN users aren't really at risk of attack, unless you have a tech-savvy neighbor with a vendetta against you. And even if your techie neighbor is a bot-herder, no worries, researchers say.

"The average home user probably has nothing to worry about. Launching these kinds of attacks takes some level of effort -- at the very least you need to get within a few hundred feet of the victim -- and an average home user's Windows box isn't worth the effort," says researcher Jon Ellch, a.k.a. johnnycache, who found the Intel and Broadcom bugs.

Ellch says he doesn't think attackers would bother trying to grab in bulk any laptops in an airport. "There are simply more cost-efficient means to break into Windows boxes," he says.

The catch, however, is that most of the wireless attacks don't require the user to be actually connected to the WiFi network. A laptop card that's activated and searching for available wireless LANs is susceptible to these types of attacks. The only way to prevent it is to disable your wireless card altogether (not realistic for most users), or hope the vendor will patch the driver bug, and as of presstime, only D-Link and Intel had done so thus far.

Still, this is no job for script-kiddie attackers. They have to be familiar with the Windows operating system kernel, and an attack on the MOKB bugs requires a wireless card, Linux, and the latest version of Metasploit, notes Moore. "I doubt this will be a common attack for at least a couple of months," he says. "Besides, it's wireless -- the attacker has to be relatively close. Look for the laughing geek," Moore says.

The D-Link and Netgear bugs use what's called "beacon frames," which typically advertise the existence of a wireless LAN, Moore says. "Wireless clients listen for these and show the list of possible networks based on what beacons they saw," he says. "In terms of exploitability, beacons and probe responses are both trivial."

But beacons don't have to be targeted attacks. "You could go into a tall building with a high-power transmitter and exploit vulnerable cards for miles around," he says.

So why aren't all of the wireless card vendors patching these bugs, anyway?

"It's largely that most of these vendors aren't software companies and they haven't had a security history, so they've never had deal with this before," Ellch says. "It's not on their list of things to do."

And some are typically on tight shipment schedules, so they are more inclined to spend time and investment on their new wireless cards under development rather than the ones already in circulation, Maynor says.

Meanwhile, Ellch says he'll be digging for more of these vulnerabilities soon.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • BreakingPoint Systems