Security
researchers have found a way to seize control of a laptop computer by
manipulating buggy code in the system's wireless device driver.
The
hack will be demonstrated at the upcoming Black Hat USA 2006 conference
during a presentation by David Maynor, a research engineer with
Internet Security Systems and Jon Ellch, a student at the U.S. Naval
postgraduate school in Monterey, California.
Device
driver hacking is technically challenging, but the field has become
more appealing in recent years, thanks in part to new software tools
that make it easier for less technically savvy hackers, known as script
kiddies, to attack wireless cards, Maynor said in an interview.
The
two researchers used an open-source 802.11 hacking tool called LORCON
(Loss of Radio Connectivity) to throw an extremely large number of
wireless packets at different wireless cards. Hackers use this
technique, called fuzzing, to see if they can cause programs to fail,
or perhaps even run unauthorized software when they are bombarded with
unexpected data.
Using tools like
LORCON, Maynor and Ellch were able to discover many examples of
wireless device driver flaws, including one that allowed them to take
over a laptop by exploiting a bug in an 802.11 wireless driver. They
also examined other networking technologies including Bluetooth, Ev-Do
(EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).
The
two researchers declined to disclose the specific details of their
attack before the August 2 presentation, but they described it in
dramatic terms.
"This would be the
digital equivalent of a drive-by shooting," said Maynor. An attacker
could exploit this flaw by simply sitting in a public space and waiting
for the right type of machine to come into range.
The victim would not even need to connect to a network for the attack to work.
"You
don't have to necessarily be connected for these device driver flaws to
come into play," Ellch said. "Just because your wireless card is on and
looking for a network could be enough."
More
than half of the flaws that the two researchers found could be
exploited even before the wireless device connected to a network.
Wireless
devices are often configured to be constantly sniffing for new
networks, and that can lead to security problems, especially if their
driver software is badly written. Researchers in Italy recently created a hacking lab on wheels, called project BlueBag,
to underscore this point by showing just how many vulnerable Bluetooth
wireless devices they could connect with by wandering around public
spaces like airports and shopping malls. After spending about 23 hours
wandering about Milan, they had found more than 1,400 devices that were
open to connection.
"Wireless device
drivers are like the Wild, Wild West right now," Maynor said. "LORCON
has really brought mass Wi-Fi packet injection to script kiddies. Now
it's pretty much to the point where anyone can do it."
Part of the problem is that the engineers who write device drivers often do not have security in mind, he said.
A
second problem is that vendors also make devices do more than they
really need to in order to be certified as compliant with a particular
wireless standard. That piling on of features can open security holes
as well, he said.