The first wireless worm?

Opinion by Ken Munro

Allowing laptops to connect to a wireless network on an ad-hoc basis could give attackers an easy way in

Allowing laptops to connect to a wireless network on an ad-hoc basis could give attackers an easy way in.

A feature peculiar to laptops running some Windows operating systems could create opportunities for wireless worms. In a similar manner to using a cross-over cable, two or more laptops can be connected to one another wirelessly; known as a peer-to-peer or “ad-hoc” connection. All well and good, but these connections can be harnessed by an attacker and used to perpetrate all sorts of mischief.

To create an ad-hoc wireless connection, one configures both laptops to look for the same connection (essentially the SSID). Unless you remove the connection from both laptops, or switch off the wireless cards, the devices will continue to broadcast for the connection, even when out of range of each other.

When looking for the access point in a hotspot, you may have seen these ad-hoc connections in your Windows wireless network configuration. The icon looks like an image of two laptops, rather than the radio beacon icon seen with access points. Common names include “hpsetup” and “free internet access”. I've found laptops broadcasting for ad-hoc connections in government departments, conferences etc. Clearly their users have been trying to get wireless internet access and got a little “click happy”, maybe trying to get access for free or so going through options in the list of wireless devices to connect to after failing to find an access point.

As a result, wireless ad-hoc connections have a habit of propagating. They spread from one laptop to another, as user one tries to connect, the client then starts broadcasting the connection, user two tries to connect to user one, broadcasts, user three tries to connect to user two etc. Then the users travel the country/world, and more laptop users try to connect to them.

To prove a point, I broadcast an ad-hoc connection with the SSID “Free Internet Access” at a conference about wireless security in London. A month or so later, I was rather surprised to find a laptop broadcasting for that exact same SSID in Belfast. Coincidence?

Never, ever try to connect to an ad-hoc connection that you don't trust explicitly. And here's why:

If you attempt to connect to the ad-hoc connection, even though you're unlikely to get any useful network connectivity, the wireless association is cached, so your wireless client will broadcast for the connection whenever your wireless card is running. An attacker can “sniff”' for this connection over the air, impersonate the peer laptop that you connected to previously, and establish a connection to your laptop.

So what? Your Windows XP SP2 firewall is running, surely you're protected against anyone doing this? Not so, if you're missing a recent MS patch that went relatively unnoticed.

Even when firewalled, with no open ports inbound, the laptop will usually search outbound for a DHCP server in order to lease itself an IP address. Using an exploit that takes advantage of a vulnerability in the MS DHCP client (MS06-036), an attacker can execute arbitrary code on the target laptop to take control of it. For instance, he may place a worm on the target laptop, so machines that previously had ad-hoc associations with it would automatically become infected if they came back into wireless range of the target laptop. New laptops trying to make an ad-hoc association with it would also infect themselves.

The payload for a wireless worm that spreads by itself, restricted only by wireless signal range and users ineptitude, could be anything from a backdoor to a Trojan that automails files to a remote server. While this exploit has been patched, it is unlikely to be the last vulnerability in the MS DHCP client.

It's remarkably easy to defend against this threat. Windows wireless config can be modified to allow only access points to be connected to – it's in the advanced settings. Why would your average user need to make an ad-hoc connection? Enforce this in your standard laptop build and prevent the wireless worm in the first place.

Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events