One of the talks announced for the Black Hat conference this summer in Las Vegas is about 802.11 driver vulnerabilities, which can affect users even if they aren't connected to a network.
All modern operating systems, such as Linux, BSD, Windows, and Mac OSX, have a similar fundamental security measure: the separation of kernel and user code. The kernel is the core of the operating system and controls processes, disk access, and hardware access. While programs are typically prevented from accessing the memory of other programs or directly controlling the hardware, the kernel has no such restrictions.
Vulnerabilities at the kernel layer are especially dangerous. Operating in the kernel, malicious code has complete control of the system. So-called "root kits" can alter the kernel to hide files from anti-virus scanners, hide running programs from the user, and capture input from the mouse or keyboard. Root kits have become an increasing risk with malicious software.
Drivers - remote data at kernel level
Device drivers function at the kernel level. Network device drivers are especially at risk as they handle remote data, which cannot be trusted. Any bugs in the code that handle remote packets can lead to system crashes, or worse, code execution at the kernel layer.
Remote driver bugs have typically been rare and can be quickly fixed once the vendor is notified. Kernel-layer bugs are very difficult to defend against without a vendor update. Antiviral software typically operates outside of the kernel, and firewall software can prevent connections on TCP/IP ports but not vulnerabilities at the wireless layer. 802.11 management packets contain no IP traffic data and are not passed to the wireless layer, but a flaw in the driver's handling of the management contents could lead to an exploitable vulnerability.
Many methods can be used to find vulnerabilities. The method du jour is "fuzzing." A fuzzer is a smart brute-force algorithm that provides enough structure to generate a packet that appears valid, but the contents of the fields are filled with iteratively randomised data. Fuzzing is not limited to wireless protocols; it has been a valuable technique for testing software responses to different types of invalid data for in-house developers and security researchers.
How to minimise the risks
Fortunately, the risks of bugs in wireless drivers can be minimised. The window of exposure is extremely limited. Unlike someone attacking an Internet server, the attacker must be within radio range of the victim. Always run the latest version of the drivers for your wireless card, as they may contain fixes for vulnerabilities such as these.
The ultimate protection? Turn off your wireless card when you aren't using the network.
Mike Kershaw is author of Kismet, a popular open-source project for 802.11 wireless network detection, sniffing, and intrusion detection as well as an editorial board member of the WVE. This article appeared in Network World.