An ISC reader pointed out this relatively new exploit vector. At the upcoming BlackHat conference, a duo is going to demonstrate hacking WiFi device drivers to assume control of a target machine.
The two researchers used an open-source 802.11 hacking tool called LORCON (Loss of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorized software when they are bombarded with unexpected data.
Using tools like LORCON, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).
The combination of device drivers (which sit close to the kernel) and wireless technology makes this vector uniquely possible. Most devices drivers you couldn’t safely attack because devices are attached to the actual hardware, but wireless is meant to work over distance. The vector is still limited by distance to those close enough to some transmission agent, but with the growing prevalence of free wireless hotspots it is easy to find places where enough laptops congregate to get good results (say a conference or in an airport terminal).
