The Windows Ad-Hoc Exploit

By Eric Griffith

http://www.wi-fiplanet.com/news/article.php/3578271/The-Windows-Ad-Hoc-Exploit.htm (Back to article)

Here's the scenario:

You have an access point at home with a Service Set Identifier (SSID) still set to the default name, such as "linksys." Next time you take your Windows XP or 2000-based laptop out of the house, as it boots, it connects to any network with the SSID "linksys" — even an ad-hoc (peer-to-peer) connection with another laptop in the vicinity that is advertising that as its SSID. If you don't catch the connection or change anything, the next time you reboot, your laptop advertises itself as an ad-hoc network called "linksys." This could push the same problem to another laptop.

The real threat is that hackers know many people don't bother to reset their router/access point SSIDs from the default, and can use this feature of XP to associate directly with a laptop. It's an "evil twin" attack on automatic, but instead of mimicking a hotspot's SSID, the attacker looks like your home network.

This is described as a "configuration error that spreads virus-like from laptop to laptop" by Nomad Mobile Research Centre, which issued a report on this on January 14. The author of the report, Mark Loveless, is known as Simple Nomad. He gave a presentation (PPT file) on this at the ShmooCon security conference last weekend that has set many a buzz. However, the overall threat of this exploit is small.

NMRC's report, "Microsoft Windows Silent Ad-hoc Network Advertisement," says that it will usually impact laptops that leave their embedded wireless active and with DHCP turned on to acquire an IP address. If the computer doesn’t connect to hardware with a DHCP server, Windows uses APIPA (Automated Private IP Address) to get a Link-Local address between 169.254.0.0 and 169.254.0.16 — thus, later, the laptop can advertise itself for ad-hoc use. (Under XP Service Pack 2, users are notified of being "attached" to an ad-hoc network even if it's only advertising itself as one.) Attackers can also offer their connection with DHCP.

In testing the problem on the road, Simple Nomad counted as many as 62 ad-hoc connections in an airport terminal that doesn't offer any commercial Wi-Fi service.

The chances of this becoming a major industry problem are extremely limited, considering the easy fixes available (see below) and the amount of work any criminal hacker would have to put in to get anything.

Even the author says in the report, "Yes this is lame. I know this, don't email me with that info. However I deem it serious due to the exposure in laptops with wireless."

His report says Microsoft "failed to properly heed" its own warning against using it with WLANs; the company co-authored the Link-Local RFC (request for comment). Microsoft and Apple have both supported Link-Local addresses in their operating systems since 1998.

Microsoft has responded to the report's authors saying it would include a fix in future service packs that would prevent peer-to-peer connections without explicit user instructions.

NMRC recommends three possible workarounds until an official fix is out. The first is to disable wireless when not in use, the second is to use a third-party WLAN client manager (not XP's), and the third is to set XP to use "Access point (infrastructure) networks only" in the wireless settings, which will prevent any ad-hoc network use at all. At the very least, update to XP SP2 to get the "ad-hoc attached" warning.

A software firewall would also help prevent any attacks, even if you do manage to connect with a malicious user — XP SP2 has a Windows Firewall turned on by default.

Also of note is that much of the in-field testing on this problem was done not just in airports, but on planes while in flight. Many ad-hoc connections were found there as passengers used laptops with Wi-Fi turned on, not expecting to connect to anything (if they were even aware the Wi-Fi on their machines was live). The other interesting thing to note is with that much Wi-Fi running, no planes seemed to have navigation problems with the signals, despite Federal Aviation Administration regulations on U.S. flights that prohibit the use of Wi-Fi while in the air (just in case having Wi-Fi services like Connexion by Boeing running safely on foreign planes isn't enough for the FAA).