Centrino WLAN vulnerabilities – Getting your virus with a malformed packet

Maybe it’s because we are now used to getting patches for our PCs every month or so that the following story has not received widespread attention so far: Intel admits Centrino chipset driver issues. These allow attackers to send malformed wireless LAN frames to insert and execute malicious code (read: viruses).

This is scary for two reasons:

Firstly, no user interaction is required. This means that a user doesn’t even have to browse to a malicious web page to get infected. It’s enough to have your WLAN card activated. Airports and conferences might become nice playgrounds for pastime hackers and self-replicating viruses once an exploit for this hits the net.

Secondly, the fixes have to be installed manually. There is no auto-update functionality like, for example, for Microsoft Windows patches, which are downloaded and installed by the operating system once available. I’ve downloaded and installed the patch for a notebook with a Centrino 2200BG card. A 129 MB (MEGABYTE!) download. Incredible! At least it installed OK and the driver was updated. Then I downloaded the patch for another notebook which has a Centrino 2100 chipset. A refreshingly short 13 MB download… When executing the file, it installed an update for the helper program but failed to update the driver for the chipset. The program showed no sign that the driver, where the real problem sits, was not updated. Perfect, the average user will never notice that… So I manually installed the driver update from the hardware settings. To make the day perfect, many notebook vendors have chosen to write their own wireless LAN configuration utilities that interface with the driver in some way. Of course they could be broken if you install the driver. Take a look at F-Secure’s blog. Once an exploit for this hits the wild, it’s going to be big.

Speculation: could the same scenario happen in the cellular world, too? In theory, I could imagine this happening in the cellular world as well. Imagine that somebody finds a bug in the IP stack of mobile devices or in the mobile browser that could be exploited in the same way. Downloading fixes on such devices is still a procedure most device manufacturers have yet to come to terms with. For the moment, though, I think such a scenario is unlikely. Unlike the PC world, with its dominance of Windows and Intel Centrino chipsets, the mobile space is much more diverse, which would prevent or at least slow down such a scenario. Nokia with their Series 60 phones might have a good approach to this: no buffer overflows possible as per OS design, and software and patches can be pushed to a device Over the Air (OTA) starting with S60 3rd edition.

One thought on “Centrino WLAN vulnerabilities – Getting your virus with a malformed packet”

  1. S60 3rd edition does not support OTA firmware updates yet. That feature was introduced in Symbian OS v9.3, while current 3rd edition devices are based on v9.1.
