The recent controversy at this year's Black Hat conference highlighted a growing trend in vulnerability research and reporting: the inability of some to distinguish between technically interesting novelty attacks and real threats.
In this case, I'm referring to a talk given by researchers David Maynor and Johnny Cache that showed how attackers could fingerprint wireless cards and, for one specific card, remotely compromise the laptop it was installed in. For the moment, let's ignore that 90 percent of the researchers' presentation was about fingerprinting wireless cards and, as most in the audience did, focus instead on the juicier, more press-worthy topic: remotely compromising a laptop "over the air" through nothing but its wireless card.
The concept of remotely compromising a computer through its wireless card is neither technically interesting nor, from a threat perspective, deserving of more attention than almost any run-of-the-mill Internet Explorer zero-day. This is a point that almost every article and blog post on the matter has missed. In the passionate writing around this threat, everyone has forgotten to answer the basic questions: "Who should care?" and "Why should they care?" Remember that this industry is far more concerned with what is socially interesting, because everyone can understand it, than with what is technically interesting or presents a real threat.
In reality, these wireless vulnerabilities are no different from any other software vulnerability we have seen to date. The two researchers themselves pointed out that the interesting aspects of these vulnerabilities were that they affected low-level kernel drivers and that the attacks involved wireless hardware devices. Those two points are interesting, but they are by no means new: both kernel driver vulnerabilities and hardware vulnerabilities have been discussed and documented before. In fact, the hacking demonstration had nothing to do with the wireless hardware itself; the flaw was in the wireless driver software, which, like any kernel-mode driver bug, is fixed by patching the driver. Finally, we get to the "scary part," the idea that you could compromise a computer "without wires" and "over the air." But is that really something IT should panic over, as the media suggested? The clear answer is no.
Do we all really believe that the next major wave of identity theft attacks is going to come from Eastern European hackers flying to the United States to sit in your local Starbucks, hoping that someone with the one vulnerable wireless driver will walk in and fall victim to their scheme? Your chances, now and for the foreseeable future, of being compromised by a criminal camping out at your local public wireless hotspot are a lot lower than the chances of your computer being compromised by the next Microsoft client application zero-day.
Some may argue that this could be used for targeted attacks. But again, what sort of "James Bond" scenario are we painting here? If someone is dedicated enough to physically stalk one of your employees and hack into that laptop over wireless, then the same attacker would just as readily steal the laptop outright, or try any of a million other James Bond-like schemes we could come up with. In reality, the bad guys would much rather sit in the comfort of their own office and use the latest zero-day exploit against employees whose names they have pulled from social networking sites such as LinkedIn.
Don't get me wrong; the idea of taking over a computer via a wireless vulnerability is interesting. But those of us who are concerned with threats that will do real damage need to look beyond the hype and evaluate the real impact they will have on our networks. In this case, you should probably be more concerned with what Microsoft releases on Patch Tuesday than with these types of wireless flaws, and treat a vulnerable wireless driver the way you would treat any other unpatched software: apply the vendor's update and move on.
Marc Maiffret is founder and CTO of eEye Digital Security.