Broadcom wireless drivers vulnerable to attack, says Metasploit creator

Just when you thought that spilling a hot cup of latte was all you had to worry about while surfing the web at your local Starbucks - or any public place for that matter - think again: Nearby attackers can now exploit the wireless drivers used in many popular laptops to assume control of your machine, and there is little you can do to stop them.

The Month of Kernel Bugs project (MoKB), started by a security researcher using the handle LHM and heavily contributed to by H.D. Moore, revealed in an advisory Saturday that Broadcom's wireless drivers are vulnerable to a "stack-based buffer overflow that can lead to arbitrary kernel-mode code execution."

"Although it cannot be exploited over the internet, it can be used against your computer from a distance," according to a follow-up advisory issued Saturday by the Zeroday Emergency Response Team. "If you are near other users with laptops, you are at risk. If you are at an airport, coffee shop or using your computer with the wireless card enabled in a public place, you are at risk."

Moore, director of security research at Austin, Texas-based BreakingPoint Systems, told SCMagazine.com today that the flaw - for which MoKB released exploit code - is effective across different wireless products and versions.

"The interesting thing about the vulnerability is how reliable it is," Moore said. "An attacker can do anything they'd like. There's no security software you can run at all to protect you. The driver receives the (malicious) packet before any firewall does."

According to ZERT, it is up to vendors such as Hewlett-Packard, Dell and Gateway to push out fixes now that Broadcom has released the fixed driver to its partners. Linksys, Zonet and other wireless card makers also offer devices that ship with the Broadcom driver.

"Contact your vendor," Moore suggested to end users. "Ask them when they (the repaired drivers) will be out."

He also said users should disable the radio on their wireless drivers when in public places.

Although the flaw is considered dangerous, Moore said he has not seen widespread exploitation, likely because launching the attack is tedious and expensive.

Moore said that for an exploit to succeed, the attacker must run Linux, use Metasploit Framework 3.0 and have a wireless card that can conduct raw-packet injections.

"It kind of is somewhat of a hassle for people not familiar with wireless (packet injection)," Moore said, adding that MoKB plans to release other wireless exploits soon.

A Broadcom spokesman could not be reached for comment today.

Click here to email Dan Kaplan.
