Wireless cards make notebooks easy targets

Experts say flawed wireless cards are an industry-wide notebook security problem, thanks to weak device drivers and vendors who ship products without proper testing.

Security experts have spent the last couple years warning laptop users to take care when accessing wireless Internet hotspots in cafes, airports and elsewhere. At Black Hat USA 2006 y, two researchers demonstrated just how easy it is for malicious attackers to compromise the wireless cards within those laptops.

More on wireless security

WLAN security tools: SMB Buying Decisions

Wireless e-mail a primary security concern  

David Maynor, a senior researcher with Atlanta-based managed security services provider (MSSP) SecureWorks Inc., and vulnerability researcher Jon "Johnny Cache" Ellch, showed attendees a video in which Maynor used a Dell Inc. laptop to compromise a MacBook in about 60 seconds, just by targeting its wireless card and wireless device driver.

"Vendors like Microsoft and Apple have been hardening their operating systems, so attackers are digging down to the device driver level," Maynor said. "The overall security of drivers isn't very good, and our hope is to make the vendors more aware" by demonstrating the ease of an attack.

Maynor and Ellch listed several reasons why wireless cards are an easy target:

  • Vendors are obsessed with speeding wireless products off to the market.
  • In the process, wireless technology isn't being tested properly.
  • Too many wireless protocols are being designed "by committee," which makes them overly complicated and easy to take advantage of.

    Ellch said 802.11 is an example of a wireless standard ripe for the picking by malicious hackers. "It's too big, too ambitious and too complicated," he said. Complexity is a hacker's best friend, he added, "and 802.11 is not lacking in complexity."

    The researchers noted that device drivers have been susceptible to attacks that exploit several recent flaws, including the TCP/IP [Transmission Control Protocol/Internet Protocol] vulnerability Microsoft addressed last year and two Windows flaws Microsoft fixed last month in bulletin MS06-035.

    As another example of the looming wireless device threat, they pointed to Intel Corp.'s disclosure Tuesday of three security holes in Microsoft Windows drivers and applications for its Centrino-based Intel PRO/Wireless Network Connection hardware. Attackers could exploit these vulnerabilities to remotely run malicious code on a victim's machine, obtain access to wireless network security information or escalate system privileges to the kernel level. Intel has provided upgrades for the software.

    Allan Paller, research director of the SANS Institute in Bethesda, Md., said the exploits Maynor and Ellch demonstrated should be taken very seriously.

    "This is a big story for several reasons," Paller said in an email. "First, it shoots a pretty big hole in the bulletproof image Apple is trying to project. Second, it isn't just about Macs. The vulnerabilities apparently can also be found in Centrino-based laptops as well. Third, by nature, attackers are swarm organisms. That means they will see [Maynor's and Ellch's] work as a beacon to follow toward a new cache of useful vulnerabilities."

    The bad guys are already exploiting these flaws, Paller added, and are probably annoyed that Wednesday's presentation shed light on the threat.

    Maynor stressed that while he attacked an Apple computer for the demonstration, the problem affects a vast range of products. "We don't want to beat on Mac, and I happen to like Mac," he said. But, he added, recent Apple commercials touting the Mac's security prowess stressed that the company needed a wake-up call.

    "After seeing this video, Apple was quite responsive," Maynor said, adding that he's now working with Apple to help the company address the weaknesses.

    If audience reaction was any indication, the demonstration had the sobering effect Maynor and Ellch were going for.

    "This is alarming," said Jonathan Taylor, an IT security engineer who works for Mather, Calif.-based Sutter Health. When he gets back to work, he said he'll urge his colleagues to think of ways to blunt the threat in their environment.

    "I'll tell them to pay attention to device driver upgrades," Taylor said, "and not to expect the firewall to protect them against this."

    This article originally appeared on SearchSecurity.com.

  • Read more on PC hardware