Where are the Wi-Fi Driver Vulnerabilities?

Published: 2010-12-18
Last Updated: 2010-12-18 13:27:21 UTC
by Raul Siles (Version: 2)
1 comment(s)

Recently I've been presenting on "Wi-Fi (In)Security" at the GOVCERT.NL Symposium 2010 in Rotterdam (November 2010) and (a reduced version) at the 4th CCN-CERT meeting in Madrid (in Spanish; December 2010). The full presentation can be found on Taddong's lab web page. My main goal was to create awareness about all the still prevalent Wi-Fi vulnerabilities, threats, and security risks we are facing, both on the wireless infrastructure and on the client side. It is almost 2011, and there is a general feeling that our Wi-Fi environments are pretty secure, as we already have WPA2-Enterprise with multiple authentication methods based on 802.1X/EAP to choose from. However, there are still lots of things to be aware of, especially on the client side (including laptops and mobile devices).

On the infrastructure side, in the best case scenario, we will end up with two worlds: the secure one, based on WPA2-PSK/Enterprise, and the insecure one, based on open Wi-Fi networks (e.g. hotspots). This is also reflected in the Wi-Fi Alliance roadmap, and it is their goal for 2014 (yes, 3 years from now!).

Of special interest is what has happened to the security research regarding Wi-Fi driver vulnerabilities. I reflected my concerns on slide #73 of the presentation, and it is a topic that was also brought up by David B. during the Q&A portion of the Madrid presentation. In a way, everything started in 2006, when a new vulnerability was announced in the drivers of Apple's Wi-Fi AirPort cards and "presented" during the BlackHat USA 2006 conference. As a result, Apple issued Security Update 2006-005. The whole debate ended up with the craze of "the Month of <put-a-technology-here> Bugs", such as the Month of Kernel Bugs (MoKB) in 2006, the Month of Apple Bugs (MoAB) in 2007, and lots of similar projects around those dates.

The following years (2006-2008) were an intense and interesting research period for the whole security industry, evaluating the quality and security stance of Wi-Fi drivers for all major vendors and operating systems, mainly through fuzzing techniques and layer-2 attacks. The impact of a vulnerability in a Wi-Fi driver is really serious, as (potentially) the attacker will get kernel privileges (ring 0), that is, full control of the target device. Surprisingly, all that interest and research has quietly faded away during the last two years, and nowadays it is hard, if not impossible, to find new research, documentation, tools, or vulnerabilities associated with Wi-Fi drivers. This fact is also reflected by a great project where most of this research was archived, the Wireless Vulnerabilities and Exploits (WVE) project, which died out at the end of 2008.

My main concern is that the situation today is even worse than 3 years ago. The current Wi-Fi or IEEE 802.11 specification (802.11-2007) is "ONLY" 1233 pages in length, and it simply includes the definition of 802.11a/b/d/g/h/i/j/e. If you take into consideration other 802.11 technologies we already have implemented in our devices, such as 802.11n or 802.11w, you end up with two additional specifications that are 536 pages and 111 pages in length, respectively. These specifications are implemented by hardware (firmware) and/or software (drivers) in compact pieces of (software) code and silicon chips. Think about what's inside your mobile device: a proprietary implementation of all these wireless standards (as well as a few others: Bluetooth, 2G, 3G, etc.). Given the complexity of the 802.11 technologies and their enhancements... what is the chance of most Wi-Fi drivers and/or firmware being vulnerable to multiple security issues? HIGH!!

It is not clear whether Wi-Fi driver vulnerabilities are outside the focus of security researchers today, whether they are still being researched but the results and conclusions are not released to the public, whether those results are being used or sold in underground markets, or... <put your own thoughts here, and let us know through the comments section below or our ISC contact page>.

BTW, do not forget to update your (or your organization's) Wi-Fi drivers/firmware (network devices and clients) to the latest version provided by the vendor! (When was the last time you updated them? :-)
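One quick way to answer that question on a Windows client fleet is to inventory the installed Wi-Fi driver dates and flag stale ones. This is an added example, not part of the original diary; it assumes Windows 8 / Server 2012 or later (NetAdapter module) and the 365-day threshold is an arbitrary choice.

```powershell
# Added example (not from the original diary): list physical Wi-Fi adapters with
# their driver provider, version and date, and flag drivers older than a threshold
# so they stand out as candidates for a vendor update.
# Assumes Windows 8 / Server 2012 or later; $maxAgeDays is an arbitrary choice.
$maxAgeDays = 365

Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' } |   # Wi-Fi only
    ForEach-Object {
        # DriverDate can be empty for some adapters; treat that as unknown age.
        $ageDays = if ($_.DriverDate) { [int]((Get-Date) - $_.DriverDate).TotalDays } else { $null }
        [pscustomobject]@{
            Adapter       = $_.Name
            Description   = $_.InterfaceDescription
            Provider      = $_.DriverProvider
            DriverVersion = $_.DriverVersion
            DriverDate    = if ($_.DriverDate) { $_.DriverDate.ToString('yyyy-MM-dd') } else { 'unknown' }
            AgeDays       = $ageDays
            Stale         = ($null -eq $ageDays) -or ($ageDays -gt $maxAgeDays)
        }
    } | Format-Table -AutoSize
```

Run it under an account that can query network adapters; compare the reported version against the vendor's current release, since a recent driver date alone does not prove the firmware is up to date.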

Raul Siles
Founder and Senior Security Analyst with Taddong



No...I can assure you that there are some researchers fully engaged in Wireless Vulnerability testing, myself included.

At present, I work for AirDefense @ Motorola Solutions Inc. We have a few folks there that are always testing different things. Truthfully, between doing my action job, and having time to run labs, I have found myself forgetting the point of what I was doing last, and choose to find something new to test.

Lately, I have been searching for old (already fixed) vulnerabilities to re-test using some of the latest fuzzing techniques to see if drivers and other service-level processes on our products are vulnerable.

Maybe I will be able to complete some items over the holidays and share any pertinent findings.

