Wireless network card drivers have been under attack since the Black Hat USA 2006 conference, and nearly every super-popular driver now appears vulnerable. Security researchers David Maynor and Jon Ellch started things off by targeting an Apple MacBook’s wireless driver at the August show, and hackers' interest in the new attack vector was quickly piqued.
Intel Centrino wireless drivers were among the first to fall, tumbling in July of this year. On November 11, hacker Johnny Cache reported a stacked based buffer overflow in the widely used Broadcom wireless driver. Broadcom drivers are used in Cisco, Linksys, and Dell wireless NICs.
Netgear wireless devices were found vulnerable just last week, and D-link wireless drivers are also exploitable. We're talking tens of millions of exploitable desktop computers, laptops, and other wireless devices.
Proof-of-concept exploit code abounds. Metasploit released at least two exploit code modules (for Netgear and Broadcom), and others are cropping up all around the Internet. Most exploit code currently works against Microsoft Windows or Mac OS X, but exploit code writers note that Linux and FreeBSD systems are just as likely to be exploitable.
Even though I have no specific information to back up my postulations, I’m speculating that many more wireless drivers will fall in the coming months. If I was a network system administrator, I would assume that unless my wireless vendor told me different, my wireless driver is not safe.
And because wireless drivers usually run in the system or root security contexts, a malicious attacker may remotely execute arbitrary code on a vulnerable computer. That’s right! You can be walking around with your laptop in a hotel lobby or airport and get completely owned.
Initially, I thought it would be hard to worm this type of exploit, but upon further reflection, a remote wireless attack is ripe for automated exploitation. The first attacker could manually infect the first wireless victim, and let the worm search for new victims from there.
It gets worse: Most laptops come with their wireless cards enabled, even if they aren’t used. Unbeknownst to you, your laptop could be sending out its wireless broadcast signal. A hacker scans the airwaves to find victims: In most cases, even without special antennas or other signal boosters, they need only be within 120 feet of your laptop’s physical location to compromise it.
I was recently on an U.S. Air Force base scanning for unauthorized wireless access points. Every laptop I saw had a broadcasting Centrino chipset, even though the base’s policy disallowed wireless connections. If you don’t need wireless connectivity with an embedded chipset, make sure you disable it in the BIOS.
It's true that affected wireless card vendors responded relatively quickly to the exploits and introduced updated drivers without the previous buffer overflows. Most vendors, however, haven’t made the drivers overly easy to find, although that is changing. Click these links to find the new drivers for Dell, Intel, and Linksys.
My gut feeling tells me that this round of wireless exploits won’t be the next Slammer or Code Red, but who wants to be exploited by some jerk or professional criminal while computing in an airport or using a laptop in your own building? It’s better to get patched.
Take an inventory of all your wireless devices: wireless access points, wireless PCMCIA cards, built-in wireless chipsets, etc. Find out the driver version numbers or dates, and then search the related vendor’s Web site to make sure every device has the most up to date patch available.
It’s a lot of new work, I know. Patching your wireless drivers probably isn’t your number one security priority, but don’t let it slip off the radar. Git 'er done!