Demonstrating the Wi-Fi Drive-By

Researchers who discovered an exploit in the Wi-Fi device drivers of the Apple MacBook as well as various Windows XP Wi-Fi adapters this week provided a demonstration of how a malicious user can take over a laptop.

The exploit, dubbed the Wi-Fi Drive-By when first announced a couple of months ago, involves an unwanted wireless connection between two laptops. However, the victim’s PC doesn’t even have to be looking for a Wi-Fi connection — the Wi-Fi card in the laptop just has to be turned on.

David Maynor, a SecureWorks researcher who found the exploit along with author, grad student and fellow hacker Jon “Johnny Cache” Ellch, said in a demonstration via video made at the Black Hat USA 2006 conference, “For this attack to work, you do not have to have the victim associated or authenticated in any way.”

Maynor demonstrated the exploit by video, instead of having someone local to the demo intercept packets and reverse engineer the attack — and they haven’t published the specifics of the exploit for others to take advantage of either. They demonstrated it using a MacBook as the victim and a Dell laptop running Windows XP at the attacker. With a fuzzing attack (throwing wireless packets at a laptop with a Wi-Fi card), the Dell was able to take control of the Macintosh by installing a root-kit. Using the command-line interface, Maynor easily created and deleted files from the Macintosh desktop in real time. He facilitated a connection by making the Dell appear as an access point using a script he wrote.

The researchers showed the demonstration using a MacBook not only because it is a victim of the device driver flaw that allows the attack, but to also to pierce any misconceptions that Mac users have over their security.

However, the attack as demonstrated wasn’t geared toward the internal Airport Wi-Fi found in the Mac.

“Although we attacked an Apple, the flaw is not specifically in the Apple operating system,” said Maynor in the video. “We used third party hardware. This type of flaw is systemic across all operating systems and hardware, and the only way to prevent it is proper testing. Although this flaw is and can lead to remotely exploitable conditions, it’s not as trivial as a generic buffer overflow.”

The MacBook’s internal Wi-Fi, however, remains a potential victim at this time, according to Maynor.

Scary as it all sounds, there are no reports that this attack has ever been used “in the wild” yet.

Intel’s latest drivers for the Centrino chipset — the most-used Wi-Fi client chips around, found in millions of Windows-based laptops — have been updated to combat some types of remote attacks, likely including this one. The updates were issued a few days before this demonstration. Intel apparently laid the need for the updates at Microsoft’s feet, stating, “An attacker could potentially exploit these vulnerabilities which could potentially lead to remote code execution and system control.”

According to the Washington Post’s Security Fix blog, known device drivers that could be victim to the exploit include Apple computers running Atheros chips (like the MacBook). Even “signed” drivers running under Windows XP — those approved by Microsoft as stable and not harmful — could be affected. This is a problem that could be fixed under Windows Vista, according to Microsoft.

The hackers are working on a tool to identify the chipset and drivers on local computers with Wi-Fi to figure out if they’re a potential victim. Microsoft, Apple and other companies are all aware of the problem and working with OEMs and chipmakers to fix the drivers.