Recently I've been presenting about Wi-Fi (In)Security on the GOVCERT.NLSymposium 2010 in Rotterdam (November 2010)December 2010). The full presentation can be found on Taddong's lab web page. My main goal was to create awareness about all the still prevalent Wi-Fi vulnerabilities, threats, and security risks we are facing both on the wireless infrastructure and the client side. It is almost year 2011, and there is a general feeling that our Wi-Fi environments are pretty secure, as we already have WPA2-Enterprise with multiple authentication methods based on 802.1x/EAPto choose from. However, still there are lots of things to be aware of, specially on the client side (including laptops and mobile devices).
On the infrastructure side, in the best case scenario, we will end up with two worlds, the secure one, based on WPA2-PSK/Enterprise, and the insecure one, based on open Wi-Fi networks (e.g. hotspots) . This is also reflected on the Wi-Fi Alliance roadmap, and it is their goal for 2014 (yes, 3 years from now!).
Of special interest is what has happened to the security research regarding Wi-Fi driver vulnerabilities. Ireflected my concerns on slide #73 of the presentation, and is a topic that was also brought up by David B. during the QAportion of Madrid's presentation. Somehow, everything started in 2006, when a new vulnerability was announced on the drivers of Apple's Wi-Fi Airport cards and presented during the BlackHat USA2006 conference. As a result, Apple issued Security Update 2006-005. The whole debate ended up with the craze of the Month of put-a-technology-here Bugs, such as the Month of Kernel Bugs (MoKB) in 2006, the Month of Apple Bugs (MoAB) in 2007, and lots of similar projects around those dates.
The following years (2006-2008) were an intense and interesting research period for the whole security industry, evaluating the quality and security stance of Wi-Fi drivers for all major vendors and operating systems, mainly through fuzzing techniques and layer-2 attacks. The impact of a vulnerability in a Wi-Fi driver is really serious, as (potentially)the attacker will get kernel privileges (or ring 0), that is, full control of the target device. Surprisingly, all that interest and research has quietly fade off during the last two years, and nowadays is hard to impossible to find new research, documentation, tools, or vulnerabilities associated to Wi-Fi drivers. This fact is also reflected by a great project where most of this research was archived, the Wireless Vulnerabilities and Exploit (WVE)project, that died out at the end of 2008.
My main concern is that the situation today is even worse than 3 years ago. The current Wi-Fi or IEEE802.11 specification (802.11-2007)is ONLY 1233 pages in length, and it simply includes the definition of 802.11a/b/d/g/h/i/j/e. If you take into consideration other 802.11 technologies we already have implemented in our devices, such as 802.11n or 802.11w, you end up with two additional specifications that are 536 pages and 111 pages in length, respectively. These specification are implemented by hardware (firmware)and/or software (drivers) in compact pieces of (software)code and silicon chips. Think about what's inside your mobile device: a proprietary implementation of all these wireless standards (as well as a few others:Bluetooth, 2G, 3G, etc). Due to the complexity of the 802.11 technologies and its enhancements... what is the chance of most Wi-Fi drivers and/or firmwares being vulnerable to multiple security issues?HIGH!!
It is not clear if Wi-Fi driver vulnerabilities are out of the focus of security researchers today, if they are still being researched, but the results and conclusions are not released to the public, if those results are being used or sold in underground markets, or... put your own thoughts here, and let us know through the comments section below of our ISCcontact page.
BTW, do not forget to update your (or your organization)Wi-Fi drivers/firmware (network devices and clients) to the latest version provided by the vendor! (When was the last time you updated them? :-)
Founder and Senior Security Analyst with Taddong
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.