WiFi Fingerprinting

 
 
Lee Phillips
      09-20-2006, 09:24 PM
Check out this interesting but not very serious vulnerability:

http://lee-phillips.org/info/networking/sandia.html
 
 
 
 
 
Moe Trin

 
      09-22-2006, 12:35 AM
On Wed, 20 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed)>, Lee Phillips wrote:

>Check out this interesting but not very serious vulnerability:
>
>http://lee-phillips.org/info/networking/sandia.html


Yeah, it's almost like the guys who wrote the press release pulled buzzwords
out of the paper, and sensationalized something from that.

Press Release:

LIVERMORE, Calif. - The next time you're sipping a latte and surfing the
Net at your favorite neighborhood wireless café, someone just a few seats
away could be breaking into your laptop and causing irreparable damage to
your computer's operating system by secretly tapping into your network
card's unique device driver, researchers at Sandia National Laboratories
in have concluded.

There is, however, some cheerful news. By role-playing the position of an
adversary (also known as red teaming), Sandia researchers have
demonstrated a unique "fingerprinting" technique that allows hackers with
ill intent to identify a wireless driver without modification to or
cooperation from a wireless device. Revealing this technique publicly,
Sandia researchers hope, can aid in improving the security of wireless
communications for devices that employ 802.11 networking.

Paper:

9 Conclusion

We designed, implemented, and evaluated a technique for passive wireless
device driver fingerprinting that exploits the fact that most IEEE
802.11a/b/g wireless drivers have implemented different active scanning
algorithms. We evaluated our technique and demonstrated that it is capable
of accurately identifying the wireless driver used by 802.11 wireless
devices without specialized equipment and in realistic network conditions.

Through an extensive evaluation including 17 wireless drivers, we
demonstrated that our method is effective in fingerprinting a wide variety
of wireless drivers currently on the market. Finally, we discussed ways to
prevent fingerprinting that we hope will aid in improving the security of
wireless communication for devices that employ 802.11 networking.

Really brief synopsis: Wireless NICs actively scan for access points to
connect to by periodically sending out probe request frames. The algorithm
used to scan for access points is not explicitly defined in the 802.11
standard. Therefore, every NIC driver author is doing it "his way". By just
listening to the _rate_ at which a given NIC (identifiable by the MAC address
used during a session), you can ID the driver, and therefore may be able to
deduce which of your Junior Skript KiddieZ exploits to try to use to knock
over the system. As the NIC driver is running in kernel space, if you can
kick that door down, you 0wn3Z that box. Note that the paper does not talk
of any _exploits_ but merely that you can passively ID the driver.

I'm reminded of two (WW2 German Wehrmacht) sayings mentioned in "Instruments
of Darkness" by Alfred Price (1967, 1977, Chas. Scribner's Sons, 1978, ISBN
0-683-15806-X), which is a "standard" text on "radio warfare":

Feind hört mit! (Sign on German military communications gear in WW2)
"The Enemy is Listening" (also seen posted as "Feind hoert mit!")

Aller Funkverkehr ist Landesverrat (Luftwaffe [WW2] Signals Command axiom)
"All radio traffic is high treason"

There was a recent demonstration at a Black-Hats convention, where two
presenters demonstrated an exploit that was targeting a third party driver
on an Apple - running OSX if I recall correctly. No details were released,
and there was some controversy about the demonstration. Try the newsgroup
alt.internet.wireless if interested - it was about 3-6 weeks ago.

About the only solution at the moment is to see that you stay up to date
with the updates for your distribution. This would _usually_ be a kernel
update, so ESPECIALLY if you are using wireless, lose the Macho about
uptime, and keep your kernel up to date - yes, it does mean rebooting,
and losing all that umpty-dump days since last reboot.

Old guy
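
The synopsis above says that the timing of a NIC's probe requests is enough to tell drivers apart. The sketch below is an added example, not code from the paper or from anyone in this thread, showing what that looks like when you audit your own card's scanning cadence. The timestamps, MAC addresses and the two cadences are constructed, and the gap binning is a simplification, not the paper's exact method.

```python
from collections import Counter, defaultdict

def probe_intervals(observations):
    """Group probe-request timestamps by source MAC and return the gaps between them."""
    by_mac = defaultdict(list)
    for ts, mac in observations:
        by_mac[mac.lower()].append(ts)
    gaps = {}
    for mac, stamps in by_mac.items():
        stamps.sort()
        gaps[mac] = [round(b - a, 3) for a, b in zip(stamps, stamps[1:])]
    return gaps

def signature(gaps, bin_width=1.0):
    """Fraction of inter-probe gaps falling in each bin (keyed by bin start, seconds)."""
    if not gaps:
        return {}
    counts = Counter(int(g // bin_width) * bin_width for g in gaps)
    return {b: n / len(gaps) for b, n in sorted(counts.items())}

def distance(sig_a, sig_b):
    """L1 distance between two signatures: 0.0 = same cadence, 2.0 = nothing in common."""
    bins = set(sig_a) | set(sig_b)
    return sum(abs(sig_a.get(b, 0.0) - sig_b.get(b, 0.0)) for b in bins)

def make_capture(mac, start, pattern, cycles):
    """Build constructed (timestamp, mac) observations by repeating a gap pattern."""
    t, out = start, []
    for _ in range(cycles):
        for gap in pattern:
            out.append((t, mac))
            t += gap
    return out

# Constructed observations (seconds, source MAC); not real capture data.
NIC_A, NIC_B, NIC_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
CAPTURE = (make_capture(NIC_A, 0.0, [0.05, 59.95], 5)     # hypothetical driver X: 2-probe burst each minute
           + make_capture(NIC_B, 1.0, [5.0], 20)          # hypothetical driver Y: one probe every 5 s
           + make_capture(NIC_C, 7.3, [0.05, 59.95], 5))  # a second card using driver X

if __name__ == "__main__":
    sigs = {mac: signature(g) for mac, g in probe_intervals(CAPTURE).items()}
    for mac, sig in sigs.items():
        print(mac, sig)
    print("A vs C:", distance(sigs[NIC_A], sigs[NIC_C]),
          " A vs B:", distance(sigs[NIC_A], sigs[NIC_B]))
```

Two cards with different MAC addresses but the same scanning cadence produce identical signatures, which is why changing the MAC alone does not hide the driver from a passive listener.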
 
 
Allen Kistler

 
      09-22-2006, 03:04 AM
Moe Trin wrote:
> On Wed, 20 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in
> article <(E-Mail Removed)>, Lee Phillips wrote:
>
>> Check out this interesting but not very serious vulnerability:
>>
>> http://lee-phillips.org/info/networking/sandia.html

>
> [snip]
>
> About the only solution at the moment is to see that you stay up to date
> with the updates for your distribution. This would _usually_ be a kernel
> update, so ESPECIALLY if you are using wireless, lose the Macho about
> uptime, and keep your kernel up to date - yes, it does mean rebooting,
> and losing all that umpty-dump days since last reboot.


.... and then there's

# iwconfig <interface> txpower off

if you're not actually *using* your wireless at any given time.
 