Hackers Expose Critical Wi-Fi Driver Flaw

Black Hat Briefings: A pair of hackers show off a new technique for breaking into computers via flaws in wireless drivers shipped on Windows and Mac systems.

LAS VEGAS—Wi-Fi-enabled computers are sitting ducks for code execution attacks because of gaping flaws in wireless drivers shipped on both Mac and Windows systems, security researchers warned at the Black Hat Briefings security conference here.

A pair of hackers—David Maynor and Jon Ellch—demonstrated such a break-in on an Apple MacBook laptop fitted with a wireless card that was broadcasting its presence to another computer set up as an access point.

During the demonstration, the researchers were able to take complete control of the MacBook via a specific vulnerability in the device driver code that sits between the operating system and the wireless card.

Maynor and Ellch did not release details or exploit code for the flaw, which affects a wide range of Wi-Fi card manufacturers. The researchers have notified the affected companies and are working closely to identify the vulnerable code.

"This is not a big problem today. But, it should be something to take seriously now before it becomes a big, big problem a year or two from now," said Maynor, who works as a senior researcher at Atlanta-based SecureWorks.

"The OS vendors have been hardening the operating system a lot, so now attackers have two choices. They can go up to the application level, or they can go lower to the device driver level," Maynor said, warning that Wi-Fi drivers present an easy-to-exploit target.

"Youve got to keep in mind that [malicious] people with an unlimited amount of time can spend a lot of time looking at these things," he added.

Ellch, a well-known security expert who uses the hacker moniker "Johnny Cache," made it clear that the issue is not specific to Apples Mac computers. "This isnt an Apple problem or a Microsoft problem. This is something thats problematic across the industry," he said.

/zimages/2/28571.gifMicrosoft plans to showcase Vista as its "most secure operating system ever" at Black Hat. Click here to read more.

However, Maynor said the MacBook was used in the demo as a retort to the latest Apple commercials. "We dont want to bash Mac. Im a big fan of Mac. But those commercials are just [annoying]," he said.

Ellch, a creator of wireless hacking tools, also used the Black Hat stage to discuss design flaws in the 802.11 link-layer wireless protocol. He described 802.11 as an "overly complicated" protocol that has not been implemented securely by many vendors.

He also showcased a new Wi-Fi fingerprinting technique that can be used by attackers to spy on target systems.

The presentation comes just days after chip giant Intel released a trio of security patches for critical vulnerabilities affecting its Centrino product line.

Maynor said the Intel patches, which cover code execution holes in Centrino drivers and Intel Pro/Wireless network connections, were not related to the Black Hat speech. "Its pretty interesting, the timing of the [Intel] patches, but its not something that we were responsible for," he said.

Intel said in an alert that the most serious flaw in the Centrino wireless driver line can be exploited to launch remote code execution attacks. "[These flaws] could potentially be exploited by attackers within range of the Wi-Fi station to execute arbitrary code on the target system with kernel-level privileges. These flaws are due to a memory corruption while parsing certain frames," Intel said.

The bugs could also lead to information disclosure and privilege escalation attacks.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.