Wireless network card drivers have been under attack since the Black Hat USA 2006 conference, and nearly every popular driver now appears vulnerable. Security researchers David Maynor and Jon Ellch started things off by targeting an Apple MacBook's wireless driver at the August show, and hackers' interest in the new attack vector was quickly piqued. Intel Centrino wireless drivers were among the first to fall, tumbling in July. On November 11, the hacker Johnny Cache reported a stack-based buffer overflow in the widely used Broadcom wireless driver, which ships with Cisco, Linksys, and Dell wireless NICs. Netgear wireless devices have been found vulnerable, and D-Link wireless drivers exploitable.
Proof-of-concept exploit code abounds. The Metasploit project has released at least two exploit modules (one for the Netgear driver, one for Broadcom's), and others are cropping up all around the Internet. Most of the exploit code currently targets Microsoft Windows or Mac OS X, but the exploit writers note that Linux and FreeBSD drivers are just as likely to be exploitable.
Even though I have no specific information to back up my postulations, I'm speculating that many more wireless drivers will fall in the coming months. And the stakes are higher than with a typical application bug: a wireless driver runs in kernel mode, not in an ordinary user account, so an attacker who exploits one doesn't just get a shell. They can remotely execute arbitrary code at the highest privilege level on the machine, underneath the operating system's own user-level protections.
Initially, I thought it would be hard to worm this type of exploit, but upon further reflection, a remote wireless attack is ripe for automated exploitation. The first attacker could manually infect the first wireless victim and let the worm search for new victims from there. It gets worse: Most laptops come with their wireless cards enabled, and an enabled card doesn't have to be connected to any network to be attacked. It continually listens for beacon and probe-response frames, and the driver parses whatever arrives, including frames sent by a hostile machine nearby. Unbeknownst to the user, the laptop may also be broadcasting probe requests that announce its presence. A hacker scans the airwaves to find victims: In most cases, even without special antennas or other signal boosters, they need only be within about 120 feet of the laptop's physical location to compromise it.
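To make the bug class concrete, here is an added illustration (my own code, not the Broadcom, Netgear, D-Link or Intel driver source, none of which this column reproduces): a toy parser for the tagged information elements an 802.11 driver pulls out of every beacon or probe response it hears. The 32-byte SSID field, the element IDs and the rates bytes come from the 802.11 standard; the struct layout, the function names and the two sample frames are constructed for the demo. The vulnerable version trusts the element's own length byte and copies up to 255 bytes into a 32-byte buffer; the hardened version checks that length against both the frame that carries it and the buffer it fills.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID        0x00   /* 802.11 element ID: SSID */
#define IE_SUPP_RATES  0x01   /* 802.11 element ID: supported rates */
#define SSID_MAX       32     /* longest SSID the standard allows */

/* Per-station state a driver fills in while scanning (demo layout). The
 * canary and slack exist only so the overflow can be observed instead of
 * crashing the process; in a real driver the bytes after ssid[] would be
 * other kernel data or, for a stack buffer, the frame's return address. */
struct sta_ctx {
    char    ssid[SSID_MAX + 1];
    uint8_t canary[4];          /* stands in for whatever follows the buffer */
    uint8_t slack[256];
};

typedef int (*ie_parser)(const uint8_t *, size_t, struct sta_ctx *);

static const uint8_t CANARY[4]   = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t RATES_IE[]  = { IE_SUPP_RATES, 4, 0x82, 0x84, 0x8b, 0x96 };

/* Constructed sample: tagged parameters of an ordinary probe response. */
static const uint8_t benign_ies[] = {
    IE_SSID, 7, 'l', 'i', 'n', 'k', 's', 'y', 's',
    IE_SUPP_RATES, 4, 0x82, 0x84, 0x8b, 0x96,
};

/* Vulnerable: copies ie_len bytes because the frame said so. The byte loop
 * stands in for the driver's copy; nothing bounds it to SSID_MAX. */
int parse_ies_vulnerable(const uint8_t *ies, size_t len, struct sta_ctx *ctx)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t tag = ies[off], ie_len = ies[off + 1];
        if (tag == IE_SSID) {
            char *dst = ctx->ssid;                  /* 33 bytes; ie_len may be 255 */
            for (size_t i = 0; i < ie_len; i++)
                dst[i] = (char)ies[off + 2 + i];
            dst[ie_len] = '\0';
            return 0;
        }
        off += 2 + ie_len;
    }
    return -1;
}

/* Hardened: every length byte came over the air, so check it twice, against
 * the frame that carries it and against the buffer it will fill. */
int parse_ies_hardened(const uint8_t *ies, size_t len, struct sta_ctx *ctx)
{
    size_t off = 0;
    while (off + 2 <= len) {
        uint8_t tag = ies[off], ie_len = ies[off + 1];
        if (off + 2 + ie_len > len)                 /* element runs past the frame */
            return -1;
        if (tag == IE_SSID) {
            if (ie_len > SSID_MAX)                  /* oversized SSID: drop the frame */
                return -1;
            memcpy(ctx->ssid, &ies[off + 2], ie_len);
            ctx->ssid[ie_len] = '\0';
            return 0;
        }
        off += 2 + ie_len;
    }
    return -1;
}

/* Constructed sample: an SSID element claiming the maximum 255 bytes, then a
 * normal rates element so the frame still looks well formed in a sniffer.
 * Returns bytes written, or 0 if buf is too small. */
size_t build_hostile_ies(uint8_t *buf, size_t cap)
{
    const size_t need = 2 + 255 + sizeof RATES_IE;
    if (cap < need)
        return 0;
    buf[0] = IE_SSID;
    buf[1] = 255;                                   /* length byte at its maximum */
    memset(&buf[2], 'A', 255);
    memcpy(&buf[257], RATES_IE, sizeof RATES_IE);
    return need;
}

/* Run one parser over one frame. Stores the parser's result in *rc and
 * returns 1 if the canary survived, 0 if the copy ran over it. */
int canary_intact_after(ie_parser parse, const uint8_t *ies, size_t len, int *rc)
{
    struct sta_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    memcpy(ctx.canary, CANARY, sizeof CANARY);
    *rc = parse(ies, len, &ctx);
    return memcmp(ctx.canary, CANARY, sizeof CANARY) == 0;
}

static void report(const char *what, ie_parser p, const uint8_t *ies, size_t len)
{
    int rc, ok = canary_intact_after(p, ies, len, &rc);
    printf("%s frame: rc=%d, canary %s\n", what, rc, ok ? "intact" : "SMASHED");
}

int main(void)
{
    uint8_t hostile[300];
    size_t n = build_hostile_ies(hostile, sizeof hostile);
    report("vulnerable, benign ", parse_ies_vulnerable, benign_ies, sizeof benign_ies);
    report("vulnerable, hostile", parse_ies_vulnerable, hostile, n);
    report("hardened,   benign ", parse_ies_hardened, benign_ies, sizeof benign_ies);
    report("hardened,   hostile", parse_ies_hardened, hostile, n);
    return 0;
}
```

The hostile frame needs no association, no authentication and no knowledge of the victim beyond being in radio range: the driver parses it simply because the card is on and listening. Note the two distinct checks in the hardened parser. The first stops an element from reading past the end of the frame (an over-read), the second stops the SSID from writing past the end of its buffer (the overflow); fixing only one of them leaves the other bug in place.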
It's true that the affected wireless card vendors responded relatively quickly to the exploits and released updated drivers that fix the overflows. Most vendors, however, haven't made those drivers easy to find, although that is changing; and because these are driver updates rather than operating-system patches, they may not arrive with routine OS patching, so check with your card or laptop vendor. My gut feeling tells me that this round of wireless exploits won't be the next Slammer or Code Red, but who wants to be exploited by some jerk or professional criminal while computing in an airport or using a laptop in your own building?