[Tfug] Fraudulent airport WiFi

Angus Scott-Fleming angussf at geoapps.com
Fri Jul 7 13:01:12 MST 2006 

On 3 Jul 2006 at 13:22, Adrian  wrote:

> In addition, all 3 were running Windows APIRA addresses, 169.254.x.x/16 (all
> 3 had the same address infact), with the "access point" periodically
> spitting NetBios announcements of itself. Unfortunately... the person
> running the machine appeared to have screwed up their routing. I couldn't
> get either of the "access points" to route packets properly and none were
> issuing DHCP responses. 

Have you seen this?

------- Included Stuff Follows -------
Researchers hack Wi-Fi driver to breach laptop
    One of many flaws found allowed them to take over a laptop by exploiting a 
    bug in an 802.11 wireless driver
 By Robert McMillan, IDG News Service
 June 21, 2006

    Security researchers have found a way to seize control of a laptop 
    computer by manipulating buggy code in the system's wireless device 
    driver.

    The hack will be demonstrated at the upcoming Black Hat USA 2006 
    conference during a presentation by David Maynor, a research engineer with 
    Internet Security Systems and Jon Ellch, a student at the U.S. Naval 
    postgraduate school in Monterey, California.

    Device driver hacking is technically challenging, but the field has become 
    more appealing in recent years, thanks in part to new software tools that 
    make it easier for less technically savvy hackers, known as script 
    kiddies, to attack wireless cards, Maynor said in an interview.

    The two researchers used an open-source 802.11 hacking tool called LORCON 
    (Loss of Radio Connectivity) to throw an extremely large number of 
    wireless packets at different wireless cards. Hackers use this technique, 
    called fuzzing, to see if they can cause programs to fail, or perhaps even 
    run unauthorized software when they are bombarded with unexpected data.

    Using tools like LORCON, Maynor and Ellch were able to discover many 
    examples of wireless device driver flaws, including one that allowed them 
    to take over a laptop by exploiting a bug in an 802.11 wireless driver. 
    They also examined other networking technologies including Bluetooth, Ev-
    Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).

    The two researchers declined to disclose the specific details of their 
    attack before the August 2 presentation, but they described it in dramatic 
    terms.

    "This would be the digital equivalent of a drive-by shooting," said 
    Maynor. An attacker could exploit this flaw by simply sitting in a public 
    space and waiting for the right type of machine to come into range.

    The victim would not even need to connect to a network for the attack to 
    work.

    "You don't have to necessarily be connected for these device driver flaws 
    to come into play," Ellch said. "Just because your wireless card is on and 
    looking for a network could be enough."

    More than half of the flaws that the two researchers found could be 
    exploited even before the wireless device connected to a network.

    Wireless devices are often configured to be constantly sniffing for new 
    networks, and that can lead to security problems, especially if their 
    driver software is badly written. Researchers in Italy recently created a 
    hacking lab on wheels, called project BlueBag, to underscore this point by 
    showing just how many vulnerable Bluetooth wireless devices they could 
    connect with by wandering around public spaces like airports and shopping 
    malls. After spending about 23 hours wandering about Milan, they had found 
    more than 1,400 devices that were open to connection.

    "Wireless device drivers are like the Wild, Wild West right now," Maynor 
    said. "LORCON has really brought mass Wi-Fi packet injection to script 
    kiddies. Now it's pretty much to the point where anyone can do it."

    Part of the problem is that the engineers who write device drivers often 
    do not have security in mind, he said.

    A second problem is that vendors also make devices do more than they 
    really need to in order to be certified as compliant with a particular 
    wireless standard. That piling on of features can open security holes as 
    well, he said.
--------- Included Stuff Ends ---------

http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/06/21/795
36_HNwifibreach_1.html


--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
+-----------------------------------+

More information about the tfug mailing list