Two leading security researchers have warned that Wi-Fi equipment developed without due care can be inherently insecure allowing hackers to use flaws in device drivers to take control of laptops.
David Maynor of Internet Security Systems and Jon Ellch, a student at the US Naval postgraduate school in Monterey, plan to demonstrate the problem by seizing control of a laptop through its wireless device driver at the Black Hat USA 2006 conference in Las Vegas next month.
Wireless device drivers are developed without proper attention to security, and new features are rushed in for competitive reasons, so the code is often buggy and insecure, the pair claim.
Tools are now readily available to take advantage of the vulnerabilities. One tool, lorcon (loss of radio connectivity) , created by Joshua Wright, security architect at Aruba Networks, and Michael Kershaw, can overload wireless LAN cards with 802.11 frames in multiple driver frameworks, a technique known as "fuzzing". If the packets cause the driver to fail, then the hacker stands a chance of running unauthorised code.
The attack can be mounted by sitting in a public space and waiting for a machine to come within range. Even if it is not connected to a WLAN, it can be attacked through the low-level "sniffing" that most network cards carry out, looking for WLANs to attach to.
"Wireless device drivers are like the Wild, Wild West right now," Maynor told Infoworld. "LORCON has really brought mass Wi-Fi packet injection to script kiddies. Now it's pretty much to the point where anyone can do it."