
Wireless networking driver vulnerabilities

July 12, 2006

This article was contributed by Jake Edge.

One of the major conveniences of wireless networking is its invisibility, but that is also one of its major weaknesses. A recent announcement of wireless driver flaws serves as a reminder that simply having a wireless card installed may be enough to allow unauthorized access. Unlike other network devices, there is no wire to remind the user that they may be making their computer vulnerable to malware.

Two security researchers used an open source tool called lorcon to send a large number of wireless packets to various wireless devices. They were looking to see if they could cause the drivers to fail when they received unexpected data. The result was that they found many flaws in the wireless drivers, including one that would allow a malicious user to take over a machine that was equipped with the vulnerable wireless card. Many of the driver flaws they found did not require that the user or wireless card actually be connected to the network to be exploited.

It is unclear whether this exploit is of concern to Linux users as the researchers are not releasing many details until their talk at the Black Hat conference on 2 August. It is clear, however, that this is an area that is ripe for exploitation on Linux as well as other platforms. Wireless cards do a lot of things invisibly in order to determine what other devices there are in the neighborhood and these actions are often completely outside of the control of the user.

Normally, open source drivers provide at least a path to quickly fix any security problems discovered -- unfortunately, this is not the case with many of the wireless drivers used on Linux systems. Wireless card manufacturers have so far been mostly unwilling to release enough information for kernel hackers to create full open source drivers for those devices. Because of this, many users are installing closed source drivers to access their wireless cards.

In some cases, users are installing Windows drivers and using NdisWrapper to link those into the Linux kernel. Because the wireless vendors are relatively likely to fix the Windows drivers, this approach may provide a reasonably quick resolution to security problems. At least, that may be the case for currently-supported hardware, if the vulnerability does not originate in the interaction between the driver and ndiswrapper, and if the user knows to download and install the updated driver. It is likely that any closed source native Linux wireless driver would have a lower priority for a vendor to fix and therefore a security vulnerability might remain unpatched for a significant amount of time.

It is far better, of course, to use hardware which has open-source support. Vulnerabilities in open-source drivers should be fixed quickly, and those fixes will be made available by the distributor's package management system.

As wireless technology becomes more prevalent and more devices and protocols are deployed, it is clear that more exploits and vulnerabilities will be found. Italian researchers recently ran an experiment at the Milan airport to highlight the number of potentially exploitable Bluetooth devices they could find; in 23 hours they were able to spot 1400 of them. Wireless manufacturers and standards committees do not seem to learn from the security flaws of the past and that will lead to exploits in the future.



Wireless networking driver vulnerabilities

Posted Jul 13, 2006 14:08 UTC (Thu) by eskild (subscriber, #1556) [Link]

I think some of the reasons why security lessons don't seem fully applied to new designs are:

* It is really, really hard to do a good, secure design
* It thus takes a lot of time and effort to do
* But customers want "feature X" NOW, NOW, NOW, or that's at least what everybody seems to think

Who wins? Money wins: Provide a product ASAP, even if security is mediocre, and sell tons of units. Sad part is that the customers are the ones to suffer at the end.

Another observation is this: If a product/design with lousy security gets "first-mover" advantage in a market and sales boom, then it may live for years, perhaps decades, before being replaced with something better. That's a huge windows of vulnerability. Think Telnet, FTP, and any clear-text protocol you may care to mention. They're still with us, even though they should have been put to rest years ago. Think wireless WEP security -- "wired equivalent" security, anyone?! OMG! (On a sadistic note, think Fortran, think Cobol! (OK, Only kidding! ;-))

Enough ranting. Thanks for reading.

Wireless networking driver vulnerabilities

Posted Jul 13, 2006 14:45 UTC (Thu) by mmarsh (subscriber, #17029) [Link]

> That's a huge windows of vulnerability.
                ^^^^^^^

Freudian slip?

I actually heard an ad on the radio recently for a company looking to hire Cobol programmers.

Wireless networking driver vulnerabilities

Posted Jul 14, 2006 8:38 UTC (Fri) by eskild (subscriber, #1556) [Link]

Hahaha, didn't catch that when I wrote it 8-) Thanks, your comment made me laugh.

Re. Cobol: I think someone once said something along the lines of: "The mistakes we make will come back to haunt us, indefinitely." Well, maybe not indefinitely, but for a long while; decades. It's funny how we always underestimate how long our systems remain in production use. Technology is very uneven that way: Some (albeit few) people still run on VAX machines today, but we sometimes worry that we won't be able to read our digital content 10 years from now because of newer formats replacing the old. It's very hard to predict what has longevity and what hasn't.

Wireless networking driver vulnerabilities

Posted Jul 13, 2006 17:12 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

From TFA:
>They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).

The article wasn't clear whether or not the attacks used were staged against encrypted 802.11g networks.

Copyright © 2006, Eklektix, Inc.