In another sign that hardware hacking has come back into vogue, there have been multiple English language websites reporting on a story which originally broke on Russian television regarding Chinese consumer goods shipping with a little bit of extra hardware embedded that attempts to attack nearby devices using open wireless networks.
The reports are vague, but from the headline I can infer two possible methods. The simplest would be for the rogue device to present itself as an AP and hope that some mug connects to it. An embedded web server would then serve the malware, which a gullible individual would execute.
Perhaps a more believable method would be to MITM existing connections. This is quite easily achievable over 802.11b/g by sending your response faster than the remote AP. The malware can then be embedded in the next executable file the user attempts to download, dramatically increasing the chance that the user will open the file (as they are indeed expecting an executable). Such a device may also attempt less overt means of infecting the victim – and many possibilities open up when you effectively have LAN-like access (some ideas would include an RPC exploit that hasn’t yet been patched, or perhaps someone has shared their entire drive and you can simply replace one of the executables that runs on boot). The English language material doesn’t elaborate, so we are left to speculate.
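The response race described above leaves a fingerprint that a passive monitor can look for: the genuine answer from the real AP still arrives, so one request ends up with two conflicting responses, and the injected one typically differs in content and in IP TTL because it did not travel the same path. The check below is an added defender-side illustration, not code from the post; the capture records are constructed, and the field names are my own.

```python
from collections import defaultdict

# Constructed monitor records (not from the post). Each entry is one DNS
# response seen on the air; 'key' identifies the request it answers as
# (client IP, transaction id, queried name), 'ttl' is the IP header TTL.
SAMPLE_RESPONSES = [
    {"t": 0.010, "key": ("10.0.0.5", 0x1A2B, "dl.example.com"),
     "ttl": 54, "body": "203.0.113.10"},
    {"t": 0.012, "key": ("10.0.0.5", 0x1A2B, "dl.example.com"),
     "ttl": 54, "body": "203.0.113.10"},   # benign retransmit, identical
    {"t": 0.004, "key": ("10.0.0.5", 0x3C4D, "cdn.example.net"),
     "ttl": 63, "body": "192.0.2.99"},     # arrives first: the racer
    {"t": 0.031, "key": ("10.0.0.5", 0x3C4D, "cdn.example.net"),
     "ttl": 52, "body": "198.51.100.7"},   # real answer, loses the race
]


def find_race_injections(responses, max_gap=1.0):
    """Flag requests that received two or more responses within max_gap
    seconds whose payload or TTL disagree. The first response is what the
    client acted on, so it is reported as the 'winner'."""
    by_key = defaultdict(list)
    for r in responses:
        by_key[r["key"]].append(r)

    alerts = []
    for key, group in by_key.items():
        group.sort(key=lambda r: r["t"])
        first = group[0]
        for later in group[1:]:
            if later["t"] - first["t"] > max_gap:
                continue  # too far apart to be the same race
            if later["body"] != first["body"] or later["ttl"] != first["ttl"]:
                alerts.append({
                    "key": key,
                    "winner": first["body"], "winner_ttl": first["ttl"],
                    "loser": later["body"], "loser_ttl": later["ttl"],
                    "gap": round(later["t"] - first["t"], 3),
                })
    return alerts


if __name__ == "__main__":
    for a in find_race_injections(SAMPLE_RESPONSES):
        print(a)
```

The identical retransmit produces no alert; only the request whose two answers disagree is reported.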
If I were tasked with writing the firmware for such a device, I would forget about trying to infect their machine with malware and instead consider the trove of information being transmitted in the clear over open wireless networks. Even with a single radio chip, the software could monitor the most active channel (and by active I mean the channel with the most unencrypted traffic), collecting credentials as they pass by. When the cache is full, the device could disable promiscuous mode, connect to an open AP and dump what it has discovered back to its C&C servers. This would have diminishing returns as major sites move away from plain HTTP and most ISPs implement SSLized POP and IMAP.
Hopefully we will hear more about this novel concept (ideally in English). I still hold that the Chinese payment terminal saga (with skimming devices preinstalled) trumps this concept by an order of magnitude.