By Robert McMillan
IDG News Service
22 June 2006
Hackers can take control of laptops by Wi-Fi, even when the user is
not connected to a wireless LAN, according to security researchers.
The hack, which exploits bugs in wireless device drivers, will be
demonstrated at the upcoming Black Hat USA 2006 conference during a
presentation by David Maynor, a research engineer with Internet
Security Systems, and Jon Ellch, a student at the US Naval
postgraduate school in Monterey, California.
Device driver hacking is technically challenging, but the field has
become more appealing in recent years, thanks in part to new software
tools that make it easier for less technically savvy hackers, known as
script kiddies, to attack wireless cards, Maynor said in an interview.
The two researchers used an open-source 802.11 hacking tool called
Lorcon (Lots of Radio Connectivity) to throw an extremely large
number of wireless packets at different wireless cards. Hackers use
this technique, called fuzzing, to see if they can cause programs to
fail, or perhaps even run unauthorised software when they are
bombarded with unexpected data.
Using tools like Lorcon, Maynor and Ellch were able to discover many
examples of wireless device driver flaws, including one that allowed
them to take over a laptop by exploiting a bug in an 802.11 wireless
driver. They also examined other networking technologies including
Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink
The two researchers declined to disclose the specific details of their
attack before the August 2 presentation, but they described it in
"This would be the digital equivalent of a drive-by shooting," said
Maynor. An attacker could exploit this flaw by simply sitting in a
public space and waiting for the right type of machine to come into
The victim would not even need to connect to a network for the attack
"You don't have to necessarily be connected for these device driver
flaws to come into play," Ellch said. "Just because your wireless card
is on and looking for a network could be enough."
More than half of the flaws that the two researchers found could be
exploited even before the wireless device connected to a network.
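Drivers process beacon and probe-response frames from any nearby radio while scanning, which is why a malformed frame can reach driver code before any association; the following is an added example (not code from the article or from Maynor and Ellch's work) of the bounds checking such a parser needs. The article does not say which parsing path their bug sat in, so the information-element walk, the `parse_ies` name and the two sample frame bodies are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Outcome of walking the tagged-parameter (information element) area of an
 * 802.11 management frame body. Constructed for this example. */
enum ie_status { IE_OK = 0, IE_TRUNCATED = 1 };

/* Walk the IEs that follow the fixed fields of a beacon/probe response.
 * Each element is [id:1][len:1][data:len]. Returns IE_TRUNCATED as soon as
 * an element's declared length runs past the end of the frame, which is the
 * condition an unchecked copy in a driver would read or write past. Counts
 * well-formed elements in *count and copies the SSID (id 0) into ssid
 * (NUL-terminated, at most 32 octets) when one is present. */
enum ie_status parse_ies(const uint8_t *buf, size_t len,
                         size_t *count, char ssid[33])
{
    size_t off = 0;
    *count = 0;
    ssid[0] = '\0';
    while (off < len) {
        if (len - off < 2)             /* id/len header itself does not fit */
            return IE_TRUNCATED;
        uint8_t id = buf[off];
        uint8_t ie_len = buf[off + 1];
        if (ie_len > len - off - 2)    /* declared length exceeds the frame */
            return IE_TRUNCATED;
        if (id == 0 && ie_len <= 32) { /* SSID: at most 32 octets per 802.11 */
            memcpy(ssid, buf + off + 2, ie_len);
            ssid[ie_len] = '\0';
        }
        (*count)++;
        off += 2 + (size_t)ie_len;
    }
    return IE_OK;
}

/* Constructed samples: a well-formed SSID "lab" plus a supported-rates IE,
 * and a body whose SSID IE claims 200 octets it does not actually carry. */
static const uint8_t GOOD_IES[] = { 0x00, 0x03, 'l', 'a', 'b',
                                    0x01, 0x02, 0x82, 0x84 };
static const uint8_t BAD_IES[]  = { 0x00, 0xC8, 'l', 'a', 'b' };

int main(void)
{
    size_t n; char ssid[33];
    printf("good: status=%d ies=%zu ssid=%s\n",
           parse_ies(GOOD_IES, sizeof GOOD_IES, &n, ssid), n, ssid);
    printf("bad:  status=%d\n", parse_ies(BAD_IES, sizeof BAD_IES, &n, ssid));
    return 0;
}
```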
Wireless devices are often configured to be constantly sniffing for
new networks, and that can lead to security problems, especially if
their driver software is badly written. Researchers in Italy recently
created a hacking lab on wheels, called project BlueBag, to underscore
this point by showing just how many vulnerable Bluetooth wireless
devices they could connect with by wandering around public spaces like
airports and shopping malls. After spending about 23 hours wandering
about Milan, they had found more than 1,400 devices that were open to
"Wireless device drivers are like the Wild, Wild West right now,"
Maynor said. "Lorcon has really brought mass Wi-Fi packet injection to
script kiddies. Now it's pretty much to the point where anyone can do
Part of the problem is that the engineers who write device drivers
often do not have security in mind, he said.
A second problem is that vendors also make devices that go beyond the
requirements of a particular wireless standard. That piling on of
features can open security holes as well, he said.
All contents © IDG 2006