Microsoft said Tuesday that under certain circumstances, attackers could exploit an anomaly in how Windows 2000, XP and Windows 2003 systems establish wireless connections. But users can take simple steps to neutralize the threat.
Mark "Simple Nomad" Loveless -- senior security researcher for Mountain View, Calif.-based Vernier Networks Inc.'s Vernier Threat Labs and a self-described hacker -- released details of the glitch last weekend at the ShmooCon 2006 hacker conference in Washington, D.C. In his written findings, Loveless said, "If a laptop connects to an ad hoc network it can later start beaconing the ad hoc network's SSID as its own ad hoc network without the laptop owner's knowledge. This can allow an attacker to attach to the laptop as a prelude to further attack."
The problem is essentially a configuration error that spreads virus-like from laptop to laptop, Loveless said in his written findings. In field tests, numerous ad hoc SSIDs such as "linksys," "dlink," "tmobile," "hpsetup" and others have been documented, he said.
A Microsoft spokesman said via e-mail Tuesday that the vendor investigated Loveless' findings and determined that "customers who have connected to an 'ad hoc' wireless network in the past that was not protected with wireless encryption could be lured into connecting to a malicious advertised 'ad hoc' wireless network under limited circumstances." But, he added, "Customers that are using a firewall and a fully updated system are at reduced risk from attack following this connection."
Washington Post cybersecurity expert Brian Krebs said in his Security Fix blog that Loveless gave him a personal demonstration of how the flaw could be exploited:
"I set up an ad hoc wireless network connection on my Windows XP laptop named 'hackme' [and] within a few seconds of hitting 'Ok' to create the network, my laptop was assigned a 169.254.x.x address," Krebs said. "A few seconds later, Loveless could see my computer sending out a beacon saying it was ready to accept connections from other computers that might also have the 'hackme' network pre-configured on their machines. Loveless then created an ad hoc network with the same name, and told his computer to go ahead and connect to 'hackme.' Voila! His machine was assigned a different 169.254.x.x address and we both verified that we could send data packets back and forth to each other's computer."
What's more disturbing, he said, was that "no more than five minutes after I had deleted the 'hackme' network ID from my laptop, Loveless and I spotted the same network name being broadcast from another computer that didn't belong to either of us. Turns out, someone else at the hacker conference was trying to join the fun."
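The behaviour described above can be spotted from the defender's side by looking at the same three signals the article mentions: ad hoc mode, no encryption, and the 169.254.x.x link-local addresses that appear when two laptops pair without DHCP. The following triage script is an added example, not code from the article or from Vernier; the comma-separated survey format and the sample rows are constructed for illustration, and the SSID list is the one the article reports from field tests.

```python
import ipaddress

# Ad hoc SSIDs the article reports as having been seen spreading in field tests.
DEFAULT_ADHOC_SSIDS = {"linksys", "dlink", "tmobile", "hpsetup"}

# Constructed sample of a wireless survey export (not the output of any real tool):
# one observation per line as  ssid,mode,encryption,ip
SAMPLE_SURVEY = """\
corpnet,infrastructure,wpa2,10.20.5.17
linksys,adhoc,none,169.254.31.9
hackme,adhoc,none,169.254.77.140
guest,infrastructure,none,192.168.4.8
hpsetup,adhoc,wep,169.254.2.3
"""

def parse_survey(text):
    """Parse the constructed survey format into a list of dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, mode, enc, ip = (f.strip() for f in line.split(","))
        rows.append({"ssid": ssid, "mode": mode.lower(), "enc": enc.lower(), "ip": ip})
    return rows

def is_link_local(ip):
    """True for APIPA addresses (169.254.0.0/16), which indicate a peer-to-peer link with no DHCP."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network("169.254.0.0/16")
    except ValueError:
        return False

def triage(rows):
    """Return (ssid, reasons) for every ad hoc observation worth a second look."""
    findings = []
    for r in rows:
        if r["mode"] != "adhoc":
            continue
        reasons = []
        if r["enc"] == "none":
            reasons.append("unencrypted ad hoc network")
        if r["ssid"].lower() in DEFAULT_ADHOC_SSIDS:
            reasons.append("default SSID known to propagate")
        if is_link_local(r["ip"]):
            reasons.append("APIPA address: peer-to-peer link, no DHCP")
        if reasons:
            findings.append((r["ssid"], reasons))
    return findings
```

Run against the sample, the three ad hoc rows are flagged while the infrastructure networks are ignored; feeding it a real survey export only requires adapting `parse_survey` to that tool's format.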