Breaking into a laptop via Wi-Fi

Flaws in software that runs wireless-networking hardware could let attackers take over PCs, including Macs, Black Hat warns.

By Joris Evers
Staff Writer, CNET News.com

Published: August 2, 2006, 3:17 PM PDT

LAS VEGAS--Flaws in the software that runs wireless-networking hardware could let an attacker break into a PC over Wi-Fi, security researchers warned Wednesday.

An attacker could gain complete control over a laptop by sending malformed network traffic to a vulnerable computer, David Maynor, a senior researcher at security service provider SecureWorks, said in a presentation at the Black Hat security event here.

Maynor, along with researcher Jon "Johnny Cache" Ellch, showed a video of a successful attack on an Apple Computer MacBook. However, the attack is possible also on other computers, both laptops and desktops, and not just MacBooks, the researchers said.

"These driver flaws are pretty common," Maynor said. Researchers are starting to find those bugs as they shift their focus from hunting for operating system flaws to exploitable errors in drivers and in applications, he said. The reason for the shift is that operating systems are becoming increasingly more secure, he added.

There is no immediate threat to the millions of laptop-toting wireless users. Maynor and Ellch are not releasing the details of their attack, and they deliberately did not show a live demonstration to prevent anyone from copying their attack.

"People who should be worrying about this are the hardware and software makers, so this doesn't make it into the mainstream," Maynor said.

Consumers should be streetwise when using their laptop by not connecting to networks they aren't sure they can trust and by disabling the wireless radio when it is not needed, Maynor said. "There is no need to run out and rip your wireless card out of your laptop, but you should take precautions," he said.

With their Black Hat talk, Maynor and Cache hope to wake up makers of buggy drivers. "We want to educate developers and hardware makers about this threat before it becomes a wide-scale issue," Maynor said. "We're not talking about something that people don't know about, but a lot of people don't know the severity."

Driver flaws have been getting more attention recently. Microsoft, for example, is readying tools for driver developers to scan their code for common vulnerabilities. According to a recent experiment by Intel flaws in driver software may be worrisome and a potentially serious threat, but there is no need for alarm yet.

To launch an attack using the Wi- Fi driver flaws, the would-be intruder needs to be within about 100 feet, or 30 meters, of its target--the typical reach of a Wi-Fi signal. However, new wireless technologies are extending this range significantly and could increase the threat, so new bugs will likely be found, Maynor said.

To facilitate an attack, the researchers found a way to remotely identify the wireless driver that a particular computer is running, Maynor said. Then malicious data traffic needs to be crafted and sent to the vulnerable PC. A flaw in the way that computer processes the data subsequently causes the compromise, he said.

Coincidentally, Intel late last week issued fixes for flaws in software that controls its popular Centrino wireless hardware. These patches are not related to the Black Hat research, Maynor said. The researchers have worked with hardware and software makers on the issue of Wi-Fi drivers, but not with Intel, he said.

Black Hat runs until Thursday.