Interesting People mailing list archives
more on good advice Windows Wireless Flaw a Danger to Laptops
From: David Farber <dave () farber net>
Date: Mon, 16 Jan 2006 06:40:11 -0500
Begin forwarded message: From: Christian Huitema <huitema () windows microsoft com> Date: January 15, 2006 8:32:16 PM EST To: dave () farber net, ip () v2 listbox com Subject: RE: [IP] Windows Wireless Flaw a Danger to Laptops The article is somewhat imprecise. It mentions Windows 2000 and Windows XP as if the wireless support was identical, but Microsoft does not provide a "wireless autoconfiguration" service for Windows 2000. On this system, the wireless configuration is typically managed by third party client, often provided by the maker of the wireless card. Even on Windows XP, the original Microsoft software is often replaced by a third party client provided by the make of the wireless card, or the maker of the computer, or in some case a wireless service provider. The behavior of these clients is quite diverse. The rules for managing wireless configuration in Windows XP were tightened a lot by the successive service packs. The paper presents the danger of a specific behavior, in which the wireless client remembers the name of the last network to which it was connected, and then broadcast an invitation to join an ad hoc network of the same name. That behavior is not present in Windows XP SP2. Also, the wireless software distinguishes between "infrastructure" networks, and "ad hoc" or "computer to computer" network. The attack in a plane reported in the article just does not work if you have installed XP/SP2 and are using the Microsoft client. That being said, it is fairly easy to trick computers into connecting to various wireless networks. Take the example of a computer configured to connect to "starbucks". It will automatically establish a connection every time you enter a Starbucks establishment, which is the expected behavior. But a hacker sets up a "pirate" access point and names it "starbucks", the computer will also automatically connect. Computers have not yet learned how to smell the coffee... If you are carrying a Windows laptop and connecting to multiple wireless services, you should really be using XP/SP2, and you should definitely enable the firewall! -- Christian Huitema
-----Original Message----- From: David Farber [mailto:dave () farber net] Sent: Sunday, January 15, 2006 12:36 PM To: ip () v2 listbox com Subject: [IP] Windows Wireless Flaw a Danger to Laptops Begin forwarded message: From: Brian Randell <Brian.Randell () ncl ac uk> Date: January 15, 2006 2:20:10 PM EST To: dave () farber net Subject: Windows Wireless Flaw a Danger to Laptops Hi Dave: A colleague just alerted me to this - I assume that you'll have already been sent it by some other IPer, but just in case . . . . Cheers Brian Full story at: http://blogs.washingtonpost.com/securityfix/Windows Wireless Flaw a Danger to Laptops At the ShmooCon gathering in Washington, D.C., today, old-school hacker and mischief maker Mark "Simple Nomad" Loveless released information on a staggeringly simple but very dangerous wireless security problem with a feature built into most laptop computers running any recent version of the Microsoft Windows operating
system.
Laptops powered by Windows XP or Windows 2000 with built-in wireless capabilities (these includes most laptops on the market today) are configured so that when the user opens up the machine or turns it on, Windows looks for any available wireless connections. If the laptop cannot link up to a wireless network, it creates what's known as an ad-hoc "link local address," a supposed "private network" that assigns the wireless card a network address of 169.254.x.x (the Xs represent a random number between 1 and 254). Shmoocon_002 Microsoft designed this portion of Windows so that the address becomes associated with the name or "SSID" of the last wireless network from which the user obtained a real Internet address. The laptop then broadcasts the name of that network out to other computers within a short range of the machine (which may vary depending a number of things, including the quality of the laptop's embedded network card and things that may obstruct the signal, like walls, e.g.). What Loveless found was that by creating a network connection on his computer that matches the name of the network the target computer is broadcasting, the two computers could be made to associate with one another on the same link local network, effectively allowing the attacker to directly access the victim's machine. I followed Loveless up to his hotel room to get a first hand example of how this attack would work. I set up an ad hoc wireless network connection on my Windows XP laptop named "hackme." Within a few seconds of hitting "Ok," to create the network, my laptop was assigned a 169.254.x.x address. A few seconds later, Loveless could see my computer sending out a beacon saying it was ready to accept connections from other computers that might also have the "hackme" network pre-configured on their machines. Loveless then created an ad hoc network with the same name, and told his computer to go ahead and connect to "hackme." Viola! His machine was assigned a different 169.254.x.x address and we both verified that we could send data packets back forth to each other's computer. Here's the really freaky part about all this: No more than five minutes after I had deleted the "hackme" network ID from my laptop, Loveless and I spotted the same network name being broadcast from another computer that didn't belong to either of us. Turns out, someone else at the hacker conference was trying to join the fun. . . . Whoops. Anyway, you might be wondering now how you can make sure your Windows laptop is protected from this.....er, feature. First of all, if you are running any kind of network firewall -- including the firewall that comes built in to Windows XP -- you won't have to worry about some stranger connecting to your laptop. In fact, I had to shut down my firewall for both of us to successfully conduct our test. Also, many laptops have a button you can push that disables the built-in wireless feature until you hit that button again. Turning off the wireless connection when you are not using it also prevents this from being a problem. . . . As a sidenote, Loveless described in delicious detail for a rapt audience at ShmooCon how he used the trick on various airline flights to gain access to Windows machines that other passengers were using. Referring to a previous conversation he had with Jennifer Grannick, a lawyer who represents accused hackers (and who also gave this morning's ShmooCon keynote), Loveless said he believes that since the attacks were mostly carried while the plane was over international waters that U.S. law enforcement might have a hard time making the case that he was violating any laws. The real answer to that very interesting question, he said, would probably not be evident until someone gets sued in court for it.-- School of Computing Science, University of Newcastle, Newcastle upon Tyne, NE1 7RU, UK EMAIL = Brian.Randell () ncl ac uk PHONE = +44 191 222 7923 FAX = +44 191 222 8232 URL = http://www.cs.ncl.ac.uk/~brian.randell/ ------------------------------------- You are subscribed as huitema () windows microsoft com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting- people/
------------------------------------- You are subscribed as lists-ip () insecure org To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- more on good advice Windows Wireless Flaw a Danger to Laptops David Farber (Jan 16)