Article

Wireless cards make notebooks easy targets for hackers

Bill Brenner

Updated Friday, Aug. 18 to include SecureWorks' admission that the MacBook used in the demonstration was equipeed with a third-party device driver.

LAS VEGAS -- Security experts have spent the last couple years warning laptop users to take care when accessing wireless Internet hotspots

Requires Free Membership to View

in cafes, airports and elsewhere. At Black Hat USA 2006 Wednesday, two researchers demonstrated just how easy it is for malicious attackers to compromise the wireless cards within those laptops.

David Maynor, a senior researcher with Atlanta-based managed security services provider (MSSP) SecureWorks Inc., and vulnerability researcher Jon "Johnny Cache" Ellch, showed attendees a video in which Maynor used a Dell Inc. laptop to compromise a MacBook in about 60 seconds, just by targeting its wireless card and wireless device driver.

"Vendors like Microsoft and Apple have been hardening their operating systems, so attackers are digging down to the device driver level," Maynor said. "The overall security of drivers isn't very good, and our hope is to make the vendors more aware" by demonstrating the ease of an attack.

SecureWorks has since posted a disclaimer on its Web site noting that the MacBook used in the demonstration was equipped with a third-party device driver and not one from Apple Computer Inc.

"Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver, not the original wireless device driver that ships with the MacBook," SecureWorks said. "As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."

While this may come as a surprise to attendees who saw the demonstration as an illustration of Mac insecurity, Maynor and Ellch noted during the demonstration that they were exposing a weakness affecting most wireless cards, not just one from a particular vendor.

During the demonstration, Maynor and Ellch listed several reasons why wireless cards are an easy target:

  • Vendors are obsessed with speeding wireless products off to the market.
  • In the process, wireless technology isn't being tested properly.
  • Too many wireless protocols are being designed "by committee," which makes them overly complicated and easy to take advantage of.

    Ellch said 802.11 is an example of a wireless standard ripe for the picking by malicious hackers. "It's too big, too ambitious and too complicated," he said. Complexity is a hacker's best friend, he added, "and 802.11 is not lacking in complexity."

    The researchers noted that device drivers have been susceptible to attacks that exploit several recent flaws, including the TCP/IP [Transmission Control Protocol/Internet Protocol] vulnerability Microsoft addressed last year and two Windows flaws Microsoft fixed last month in bulletin MS06-035.

    As another example of the looming wireless device threat, they pointed to Intel Corp.'s disclosure Tuesday of three security holes in Microsoft Windows drivers and applications for its Centrino-based Intel PRO/Wireless Network Connection hardware. Attackers could exploit these vulnerabilities to remotely run malicious code on a victim's machine, obtain access to wireless network security information or escalate system privileges to the kernel level. Intel has provided upgrades for the software.

    Allan Paller, research director of the SANS Institute in Bethesda, Md., said the exploits Maynor and Ellch demonstrated should be taken very seriously.

    "This is a big story for several reasons," Paller said in an email. "First, it shoots a pretty big hole in the bulletproof image Apple is trying to project. Second, it isn't just about Macs. The vulnerabilities apparently can also be found in Centrino-based laptops as well. Third, by nature, attackers are swarm organisms. That means they will see [Maynor's and Ellch's] work as a beacon to follow toward a new cache of useful vulnerabilities."

    The bad guys are already exploiting these flaws, Paller added, and are probably annoyed that Wednesday's presentation shed light on the threat.

    Maynor stressed that while he attacked an Apple computer for the demonstration, the problem affects a vast range of products. "We don't want to beat on Mac, and I happen to like Mac," he said. But, he added, recent Apple commercials touting the Mac's security prowess stressed that the company needed a wake-up call.

    "After seeing this video, Apple was quite responsive," Maynor said, adding that he's now working with Apple to help the company address the weaknesses.

    If audience reaction was any indication, the demonstration had the sobering effect Maynor and Ellch were going for.

    "This is alarming," said Jonathan Taylor, an IT security engineer who works for Mather, Calif.-based Sutter Health. When he gets back to work, he said he'll urge his colleagues to think of ways to blunt the threat in their environment.

    "I'll tell them to pay attention to device driver upgrades," Taylor said, "and not to expect the firewall to protect them against this."