Drive-by attacks on WLAN drivers
Wardriving used to be known only as a way of detecting and mapping open access points and WLAN devices with GPS and WLAN equipment. But soon, drive-by shooters may be able to infect laptops and other mobile devices with malicious code. At the upcoming Black Hat Conference, David Maynor of Internet Security Systems (ISS) and John Ellch of the US Naval Postgraduate School in Monterey will be showing how this works. Basically, a device does not even need to be logged into a WLAN network; in many cases, it suffices if the WLAN card is enabled and looking for a nearby network, which is often the case. Specially prepared WLAN packets are apparently then able to exploit errors in WLAN drivers and, for instance, smuggle Trojans into a system.
Maynor and Ellch bombarded various WLAN drivers with numerous packets using the open source tool LORCON (Loss of Radio Connectivity) and monitored the response of the drivers. They detected numerous holes, and in one case they even managed to get full control of a laptop. On the one hand, the problem is caused by a lack of awareness about security on the part of the driver developers; on the other, devices and software are overloaded with features. The researchers are withholding additional details until they give their presentation on August 2 at the conference, which will be taking place in the US.
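The two paragraphs above describe the mechanism only in outline: a card that is merely scanning will process beacons and probe responses from any nearby sender, and the driver code that parses the information elements (IEs) in those frames is what the fuzzing with LORCON was exercising. The following is an added example, not code from the article or from the researchers, written from the monitoring side: it parses the management-frame body the way a careful driver or wireless IDS should, and reports frames whose IEs are inconsistent with the 802.11 format (a declared IE length that runs past the end of the frame, or an SSID longer than the 32-byte limit). The sample frames are constructed inline; the sender address used in them is a made-up locally administered MAC.

```python
import struct

MGMT_HDR_LEN = 24       # frame control, duration, addr1-3, sequence control
BEACON_FIXED_LEN = 12   # timestamp (8), beacon interval (2), capability (2)
MAX_SSID_LEN = 32       # maximum SSID length defined by 802.11
SUBTYPE_PROBE_RESP = 5
SUBTYPE_BEACON = 8
IE_SSID = 0

def parse_ies(body):
    """Split an IE list into (tag, value) pairs, refusing any IE whose
    declared length points past the end of the frame body."""
    ies = []
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated IE header at offset %d" % off)
        tag, length = body[off], body[off + 1]
        if off + 2 + length > len(body):
            raise ValueError("IE %d declares %d bytes but only %d remain"
                             % (tag, length, len(body) - off - 2))
        ies.append((tag, body[off + 2:off + 2 + length]))
        off += 2 + length
    return ies

def check_mgmt_frame(frame):
    """Return a list of findings for a beacon / probe response frame.
    An empty list means the frame is well-formed under these checks."""
    findings = []
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        return ["frame shorter than header plus fixed parameters"]
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        findings.append("not a beacon or probe response (type %d subtype %d)"
                        % (ftype, subtype))
        return findings
    body = frame[MGMT_HDR_LEN + BEACON_FIXED_LEN:]
    try:
        ies = parse_ies(body)
    except ValueError as exc:
        findings.append("malformed IE list: %s" % exc)
        return findings
    ssid_count = 0
    for tag, value in ies:
        if tag == IE_SSID:
            ssid_count += 1
            if len(value) > MAX_SSID_LEN:
                findings.append("SSID IE is %d bytes, limit is %d"
                                % (len(value), MAX_SSID_LEN))
    if ssid_count > 1:
        findings.append("SSID IE repeated %d times" % ssid_count)
    return findings

def build_beacon(ies):
    """Assemble a constructed beacon frame (sample data for this example)."""
    src = bytes.fromhex("020000000001")  # made-up locally administered MAC
    header = (bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6
              + src + src + b"\x00\x00")
    fixed = b"\x00" * 8 + struct.pack("<H", 100) + struct.pack("<H", 0x0401)
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in ies)
    return header + fixed + body

# Constructed samples: one well-formed beacon, one with an oversized SSID,
# and one whose last IE claims more bytes than the frame contains.
GOOD = build_beacon([(IE_SSID, b"lab-ap"),
                     (1, bytes([0x82, 0x84, 0x8B, 0x96])),
                     (3, bytes([6]))])
LONG_SSID = build_beacon([(IE_SSID, b"A" * 40)])
OVERRUN = build_beacon([(IE_SSID, b"lab-ap")]) + bytes([221, 200]) + b"B" * 10

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("long-ssid", LONG_SSID),
                        ("overrun", OVERRUN)):
        print(name, check_mgmt_frame(frame) or "ok")
```

The length check in `parse_ies` is the one a driver must make before copying an IE into a fixed-size buffer; a monitor that logs frames failing it, together with the sender address, gives an administrator a record of malformed traffic near the site rather than just a crashed client.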
Unlike Maynor and Ellch, researchers at Intel concluded at the recent NetSec Conference that the risks stemming from errors in Windows drivers were very low. One reason is that device driver programming is just not something that script kiddies are particularly knowledgeable about, unlike publicly available worm code. Maynor agreed in principle in an interview but also argued that, while driver hacking is rather demanding, script kiddies can, in the meantime, use new tools such as LORCON to attack WLANs.
The freely available exploits for the recently plugged SMB hole not only show that the researchers at Intel were not quite on the mark, but also how kernel mode drivers can be used to break into a Windows system.