The fuss caused yesterday by a video presented at Black Hat 2006 of a Wi-Fi hack is still ongoing: some folks want to deny that the hack is possible because the researchers didn't show it live in controlled circumstances. Instead, they showed a video (available at Security Fix) that shows part of the process of owning a MacBook Pro. Unfortunately for those who want to deny the possibility of this, and despite Apple's lack of a public statement on it, Intel released driver updates a few days ago for its Centrino adapters that describe precisely the kind of flaw these researchers say they uncovered and reported to Intel, Apple, and others.
The flaw affects Windows XP and Mac OS X, although it's probably only a MacIntel problem. (I have to believe that with seven years of AirPort and three of AirPort Extreme, this category of flaw would have been uncovered on the PowerPC side, if anyone cared.)
So my guess? It has to do with a malformed beaconing frame. Access points that aren't set to closed status (in which the SSID, the service set identifier or name of the network, isn't broadcast) are constantly sending out beacon frames that explain who they are. Whether connected to a network or not, Wi-Fi adapters receive and process this information; it's why you see a list of Available Networks in Windows XP or a dropdown list in the AirPort menu in Mac OS X.
A specially crafted beaconing frame is the only method I can conceive of in which a computer that is otherwise not engaged in specific behavior, such as connected to a network or connecting to one, could be attacked, and that's what the researchers claim can happen. Other thoughts?
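To make the beacon-processing point concrete, here is an added example (not from the original post, and not the drivers' code) of how a receiver should parse the tagged information elements of an 802.11 beacon body. Each element is a one-byte ID, a one-byte length and a value; the parser refuses any element whose declared length runs past the captured frame or whose SSID exceeds the 32-byte maximum, which is the kind of check a driver must apply to every frame it hears from networks it has never joined. The frame layout follows the 802.11 management-frame format; the sample frames and the network name are constructed for the example.

```python
import struct

MGMT_HDR_LEN = 24      # frame control, duration, 3 addresses, sequence control
BEACON_FIXED_LEN = 12  # timestamp (8) + beacon interval (2) + capability (2)
SSID_IE = 0            # element ID 0 carries the SSID
MAX_SSID_LEN = 32      # 802.11 caps an SSID at 32 octets


class MalformedBeacon(ValueError):
    """Raised when an information element does not fit the frame."""


def parse_beacon_ies(frame: bytes) -> dict:
    """Return {element_id: value} for the tagged IEs in a beacon frame."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        raise MalformedBeacon("frame shorter than header plus fixed fields")
    body = frame[MGMT_HDR_LEN + BEACON_FIXED_LEN:]
    ies, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise MalformedBeacon("truncated IE header at offset %d" % pos)
        eid, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        # A declared length must never exceed the bytes actually received.
        if len(value) != length:
            raise MalformedBeacon("IE %d claims %d bytes, %d remain" % (eid, length, len(value)))
        if eid == SSID_IE and length > MAX_SSID_LEN:
            raise MalformedBeacon("SSID IE length %d exceeds %d" % (length, MAX_SSID_LEN))
        ies[eid] = value
        pos += 2 + length
    return ies


def inspect_beacon(frame: bytes) -> str:
    """Classify a beacon as 'ok:<ssid>' (or 'ok:<hidden>') or 'rejected:<reason>'."""
    try:
        ssid = parse_beacon_ies(frame).get(SSID_IE, b"")
    except MalformedBeacon as exc:
        return "rejected:" + str(exc)
    # Closed networks beacon with a zero-length SSID element.
    return "ok:" + (ssid.decode("utf-8", errors="replace") if ssid else "<hidden>")


def build_beacon(ies: bytes) -> bytes:
    """Constructed beacon: subtype 0x80, broadcast DA, made-up BSSID, then the IEs."""
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + b"\x02" * 6 + b"\x02" * 6 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)  # timestamp, interval, capability
    return hdr + fixed + ies


if __name__ == "__main__":
    print(inspect_beacon(build_beacon(bytes([0, 7]) + b"CafeNet" + bytes([1, 1, 0x82]))))
    print(inspect_beacon(build_beacon(bytes([0, 200]) + b"A" * 10)))
```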
Update: Jim Thompson details extensively what he thinks is at work, including the kinds of frames that unassociated and unauthenticated Wi-Fi cards will accept.