July 12, 2006
This article was contributed by Jake Edge.

One of the major conveniences of wireless networking is its invisibility, but
that is also one of its major weaknesses. A recent announcement of wireless
driver flaws serves as a reminder that simply having a wireless card
installed may be enough to allow unauthorized access. Unlike other network
devices, there is no wire to remind the user that they may be making their
computer vulnerable to malware.

Two security researchers used an open source tool called lorcon to send a
large number of wireless packets to various wireless devices. They were
looking to see if they could cause the drivers to fail when they received
unexpected data. The result was that they found many flaws in the wireless
drivers, including one that would allow a malicious user to take over a
machine that was equipped with the vulnerable wireless card. Many of the
driver flaws they found did not require that the user or wireless card
actually be connected to the network to be exploited.

It is unclear whether this exploit is of concern to Linux users as the
researchers are not releasing many details until their talk at the Black Hat
conference on 2 August. It is clear, however, that this is an area that
is ripe for exploitation on Linux as well as other platforms. Wireless cards
do a lot of things invisibly in order to determine what other devices there
are in the neighborhood and these actions are often completely
outside of the control of the user.

Normally, open source drivers provide at least a path to quickly fix any
security problems discovered -- unfortunately, this is not the case with
many of the wireless drivers used on Linux systems. Wireless card
manufacturers have so far been mostly unwilling to release enough information
for kernel hackers to create full open source drivers for those devices.
Because of this, many users are installing closed source drivers to access
their wireless cards.

In some cases, users are installing Windows drivers and using NdisWrapper to
link those into the Linux kernel. Because the wireless vendors are relatively
likely to fix the Windows drivers, this approach may provide a reasonably
quick resolution to security problems. At least, that may be the case for
currently-supported hardware, if the vulnerability does not originate in the
interaction between the driver and ndiswrapper, and if the user knows to
download and install the updated driver. It is likely that any closed source
native Linux wireless driver would have a lower priority for a vendor to fix
and therefore a security vulnerability might remain unpatched for a
significant amount of time.

It is far better, of course, to use hardware which has open-source
support. Vulnerabilities in open-source drivers should be fixed quickly,
and those fixes will be made available by the distributor's package
management system.

As wireless technology becomes more prevalent and more devices and protocols
are deployed, it is clear that more exploits and vulnerabilities will be found.
Italian researchers recently ran an experiment at the Milan airport to
highlight the number of potentially exploitable Bluetooth devices they could
find; in 23 hours they were able to spot 1400 of them. Wireless manufacturers
and standards committees do not seem to learn from the security flaws of the
past and that will lead to exploits in the future.