This year's DEFCON was a lively one for wireless security. Probably the most significant event in the wireless realm was Johnny "Cache" Ellch's and David Maynor's presentation on wireless driver vulnerabilities. This talk was presented at Blackhat by the duo a couple of days earlier.
For those who were skeptical about what a vulnerability in a wireless driver can allow, the demonstration proved to be an eye opener. In the demonstration Maynor was able to infiltrate a MacBook at the kernel level and easily take control of the system. Hackers can exploit this vulnerability to remotely execute malicious code on target machines and devices. More importantly, this can put corporate assets directly at risk as attackers can then obtain access to critical network information and confidential data.
Another interesting set of vulnerabilities that was released at the conference involved PocketPC phones and MMS (Multimedia Messaging Service) messages. According to Collin Mulliner of the Trifinite group, PocketPC phones not only are able to receive MMS messages on their cellular interfaces, but over their 802.11 interfaces as well.
This enables attackers to craft their own MMS messages and bypass any sanitising that the cellular carrier would normally perform on them. By doing this an attacker can overflow certain message headers, allowing them to take control of an affected device (Mulliner's slides).
In addition to the vulnerabilities that were disclosed, some wireless tools were released as well. Researchers from the University of Colorado released the Zulu tool to make injecting arbitrary 802.11 frames easier.
In concept it's very similar to hping, which allows a user to create arbitrary IP datagrams. Also, the Church of WiFi debuted a new version of coWPAtty that can crack WPA2-PSK and several Linksys WRT54G based wardriving platforms created by its members.
Finally on a fun note, there was Rick Hill's presentation on what is arguably the most efficient way to find a large number of wireless networks quickly. Was it Warflying? No, but it's pretty close. Hill showed the crowd how to scan an area for wireless networks by launching a rocket loaded with 802.11 equipment to an altitude of 1.5 miles. At that altitude the rocket has visibility to networks over a 50 square mile area. Unfortunately due to the remoteness of the launch site, only a small number of APs were discovered. However, Hill noted that he was able to discover APs that he didn't pick up when scanning from the ground.
That all being said, the release of new wireless vulnerabilities and tools definitely made for an interesting DEFCON this year.
Andrew Lockhart is lead security analyst at Network Chemistry, security book author, and author of Snort-Wireless, an open source project adding wireless intrusion detection to Snort. He is also an editorial board member of the WVE. This column appeared in Network World.