| Not much of a flaw The way I read it, the only thing that MS' implementation is doing wrong is looking for ad-hoc instead of infrastructure mode associations. Take that away, and unless you were using WPA or WPA2 (for mutual authentication), you can still suffer the same results. All the attacker needs to do is pull the SSID from the probe requests your client radio is sending and set up a soft access point advertising that SSID (see all the noise last year about "rogue APs"). The only thing they can fix without breaking the way 802.11 networking works is whether the attacker can use off-the-shelf ad-hoc functionality or he has to know a tiny little bit about how to set up an access point.
Either way, if you wander around with your device's WiFi adapter enabled, you can be providing a network connection to your device (again, unless it was configured to only use WPA or some other mutual-authentication scheme).
(Oh, and all the stuff about "getting a local address"? That's just the autoconf link-local addressing, and it has _nothing_ to do with WiFi. The attacker could just as easily provide DHCP on his soft-AP or ad-hoc peer, and the attackee would obtain an address from that and you'd still have connectivity.) |
