Flaw found in Toshiba wireless device driver

Attackers could exploit a flaw in Toshiba's Bluetooth wireless device driver to cause a denial of service or run malicious code on victims' machines, researchers at SecureWorks have discovered.

Bluetooth wireless technology is used for short-range data communications between electronic devices. While this flaw specifically affects Toshiba's Bluetooth wireless device driver, Atlanta-based SecureWorks said in an advisory that the flaw affects multiple vendors who use the technology in their wireless products, including Dell Computers, Sony [in its VAIO notebooks], ASUS Computers and possibly others.

Attackers could compromise the Toshiba device driver using specially crafted Bluetooth packets, causing memory corruption and system crashes. From there, they could run malicious code at the highest privilege level on a victim's machine, SecureWorks said.

An attacker would need to be within approximately 10 meters of the victim to pull off an exploit. The attacker would also need the Bluetooth address of the victim's device. Bluetooth addresses are easily enumerated through active scanning if the device allows discovery, the advisory noted.

The problem was discovered by SecureWorks Senior Researcher David Maynor and vulnerability researcher Jon "Johnny Cache" Ellch, who made headlines in August with a presentation on wireless card threats at the Black Hat USA 2006 conference in Las Vegas.

In an interview Monday, Maynor said the Toshiba problem is an offshoot of the threat he and Ellch demonstrated at Black Hat.

"The information we presented at Black Hat led to the discovery of this vulnerability," Maynor said. "And we did note in the presentation that the problem could affect Bluetooth."

Toshiba did not immediately respond to an interview request, but Maynor said the vendor has made a fix available for all Bluetooth stacks. Users can access the security updates from the Toshiba Bluetooth Web site. Dell has made the updates available on its support site as well.

To reduce the risk of future Bluetooth attacks, SecureWorks recommended users set their devices to non-discoverable mode during normal operations.

In general, Maynor said, wireless device drivers were not developed with security in mind. He said the goal of the Black Hat presentation was to get other vendors and independent researchers to start looking for device driver flaws so they could be fixed before it's too late.

"Since device drivers were never designed with security in mind, you can still find common flaws people would have otherwise thought to be extinct," Maynor said. "If we had done more to prevent spam 10 years ago, it wouldn't be such a big problem today. We want to fix the device driver problems now so it's not a huge problem in the future."

Fortunately, he said, researchers and vendors alike have responded positively.