
Mac Wi-Fi: Gruber Needs to Let It Go (and Maynor and Ellch Should Ignore the Challenge)

By Rich

Last Friday I was packing up for a weekend trip with my wife to Tucson when my faithful RSS reader chased me down with the latest post on Daring Fireball. I ignored it over the weekend, but think it’s time for a response.

John Gruber, ever the poker player (his words, not mine), issued an open challenge to Dave Maynor and John Ellch to crack a stock MacBook. If they win, they keep it. If they can’t break in, they pay Gruber the retail price. Today John Gruber followed up with this post, upping the ante a bit and explaining why he feels this is a fair challenge. Adding to the data stream, John Ellch broke silence and released some details of a similar exploit using Centrino drivers (now patched) to the Daily Dave security mailing list.

First some full disclosure of my own. I’ve been a fan of Daring Fireball for some time, John and I share a mutual friend, and we’ve traded a few emails over this. But I really wish he had handled this situation differently. I respect John, and hope this post isn’t taken out of context and used for flame bait.

Now, why do I think Gruber is making a mistake? Because his challenge is putting good people in bad positions, it isn’t necessarily good for security, and he isn’t playing for the right stakes. Maynor, Ellch, and the security community in general should just ignore the challenge.

Check out the original post, but John challenges Maynor and Ellch to take a stock MacBook with a basic configuration and delete a file off the desktop via remote exploit. John’s reason for the challenge?

As for the earlier analogy to poker, I’m no fool. I don’t expect to lose this particular bet — but I don’t expect to win it, either. I expect to be ignored. I don’t think Maynor and Ellch have discovered such a vulnerability in the default MacBook AirPort card and driver, and so, if I’m right, they certainly won’t accept this challenge. I think what they’ve discovered — if they’ve in fact discovered anything useful at all — is a class of potential Wi-Fi-based exploit, which they demonstrated on a rigged MacBook to generate publicity at the expense of the Mac’s renowned reputation for security, but that they have not found an actual exploit based on this technique that works against the MacBook’s built-in AirPort. If I’m wrong, and they have discovered such a vulnerability, they may or may not choose to accept this challenge. But it’s a bet that they’ll only accept if they can win. It comes down to this. If I’m wrong, it’d be worth $1099 to know that MacBook users are in fact at risk. And if I’m right, someone needs to call Maynor and Ellch on their bullshit.

John’s challenge is misplaced and he should drop it. Why?

  1. I know the demonstration from Black Hat is real. Why? Aside from being at the presentation, I had a personal demo (over live video) of exactly what they showed in the video. I got to ask detailed questions and walk through each step. Maynor and Ellch haven’t bullshitted anyone: their demo, as shown in the video and discussed in their presentation, is absolutely real. End of story. Want to see for yourself? Read to the end and you’ll have your own opportunity.
  2. Using the third-party card for the demo is responsible: Why? Because their goal was to show a class of attack across multiple platforms without disclosing an unpatched vulnerability. By using an anonymous card no single platform is exposed. Why the Mac? Because it demonstrates that a poorly written device driver can expose even a secure system to exploit. The third-party card highlights device drivers, not the OS, as the point of weakness. They could have shown this on Windows but everyone would have assumed it was just another Windows vulnerability. But the Mac? Time to pay attention and demand more from device manufacturers.
  3. Responsible disclosure encourages staying silent until a patch is released, or an exploit appears. Why? If responsibility, protecting good guys, or potential legal issues aren’t good enough for you, just understand it’s the accepted security industry practice. Some vendors and independent researchers might be willing to act irresponsibly, but I respect Maynor and Ellch for only discussing known, patched vulnerabilities. I won’t pretend there’s full consensus around disclosure; I’ve even covered it here, but a significant portion of the industry supports staying silent on vulnerabilities while working with the vendor to get a patch. The goal is to best protect users. Some vendors abuse this (to control image), as do some researchers (to gain attention), but Maynor and Ellch staying silent is very reasonable to many security experts. Remember: the demonstration was only a small part of their overall presentation and probably wouldn’t have garnered nearly as much attention if it weren’t for Brian Krebs’ sensationalist headline. That article quickly spun events out of control and is at the root of most of the current coverage and criticism.
  4. Just confirming an exploit could hurt Maynor and Ellch: Two words: Mike Lynn.
  5. This is between Maynor, Ellch, SecureWorks, and any vendors (including Apple) they may or may not be working with. I like Daring Fireball, but SecureWorks has a history of responsible disclosure and working with affected vendors, and I see no reason for them to change that policy to satisfy the curiosity of bloggers, reporters, or any other outsider.
  6. John’s stakes are too low. He’s asking Maynor and Ellch to bet their careers against MacBooks? If John puts Daring Fireball up as his ante the bet might be fair. Besides, Maynor already has a MacBook.
  7. This challenge doesn’t help anyone. At all. Is my MacBook Pro vulnerable? I don’t know, but even if it is there’s not a damn thing I can do about it until Apple issues a patch. It’s not like I’m turning off my wireless until I hear there’s some well-known exploit floating around. If Maynor and Ellch respond to the challenge all they do is satisfy people’s curiosity- it does NOTHING to improve security. If an exploit appears in the wild and Apple doesn’t patch they are free to disclose all the details they want per nearly anyone’s definition of responsible disclosure.
  8. Time will reveal all. Well, enough. I’m pretty confident all of John’s questions will be answered eventually. I think we’re far better served by letting the relevant parties work through this as part of a responsible disclosure process.

Let’s be honest- there are a lot of reasons Maynor and Ellch might not be willing to confirm or deny anything. Emergent Chaos has a good alternative. If, for any reason, Maynor and Ellch aren’t free to talk (which is pretty fracking obvious at this point) backing them into a corner doesn’t help anyone.

Still think they’re nothing but bullshit artists? Fine. Go to ToorCon and see for yourself. David Maynor has leaked that he and Johnny plan on doing some live demos on multiple platforms. Don’t expect to see any 0day exploit against any platform, especially a Mac, but you can at least satisfy your curiosity that these guys are the real deal, the third-party demonstration was legitimate, and Maynor and Ellch are serious, responsible researchers with other presentations under their belts. I’m sure they’ll walk you through the technical details.

Look, we all want to know if there’s some vulnerability in our Macs. There are. Plenty of them. Most of which haven’t been discovered yet. No operating system is immune to security vulnerabilities, but I’ve chosen Macs for me and my family because I consider them more secure than other platforms. Is there a wi-fi vulnerability on default Macs? Maybe, but I still plan on using my MacBook Pro at the local coffee house until I hear of some in-the-wild exploit.

Drop the challenge, John. Let any potential “interesting discussions” continue on their own. Just because they don’t want to validate something printed by a reporter doesn’t mean Maynor and Ellch are trying to attack Apple or pull a fast one on us Mac users. Escalating the situation helps no one. Maynor already apologized at Defcon, in front of probably a thousand or more attendees, 2 days after Black Hat, that the trash-talking-Mac quote in Krebs’ article was nothing more than joking around off the record, and never meant for publication. Calling these two liars and personally attacking them without validating through anything other than newspaper reports and blog posts isn’t close to fair.

My challenge to you? Go to ToorCon. Watch the presentation. Ask questions. You probably won’t learn if your Mac is vulnerable, but you will learn these guys know what they’re talking about.

Comments

[...] As a result of the faulty reporting, tens of thousands of websites have declared Maynor and Ellch as frauds.  Some conspiracy websites even popped up and claimed the original SecureWorks video demo was a "magic show".  Anyone who defended Maynor and Ellch in the media was equally attacked by these fanatics.  The list of defenders was thin and included myself, Brian Krebs, and Rich Mogull.  I provided one of the most vigorous defenses of Maynor and Ellch and received a ton of heat over it.  A blog site dedicated to attacking Brian Krebs was created and one of the more vulgar Mac blogs refers to me as the security b****.   Even with the confirmation of the Apple Wi-Fi exploit, these sites continue their attack. [...]

By » Apple patches Wi-Fi but refuses to give re


Rich, I’m not trying to beat a dead horse here (insofar as this entire subject is a dead horse), but I have to disagree with you on two points.

One, I tend to accept your views about the internal adaptor being associated with the access point to enable the connect-back shell.  That answers 90% of the points being raised in the smallworks video.  However, one point remains:

"At approximately 02:37 we see the "bad_seed" command. What's interesting here is that there is a ":6d" at the end of the command. This appears to be the trailing edge of a MAC address, and this appears to match the MAC address for the Airport card in the MacBook (00:17:f2:41:31:6d)."

The bad_seed command does appear to be run directly against the internal card. 

Now I understand the limits of this type of analysis, and I would be willing to agree to disagree on this point, since I don’t have enough facts.

My second problem is more sticky.  If the version of events you describe is TRUE, then it would be impossible for Maynor to have shown Brian Krebs the demo as Krebs described.  Krebs claims he saw the demo done against the internal card, which based on your set of facts would be impossible: the internal card would have crashed and not been able to use the terminal connection.  It’s possible that the demo that Krebs saw had a 3rd party USB card attached at the time of the demo, but if so, his failure to notice or mention that is, well, amazing.  This is the center of the controversy.  Dave said one thing to a reporter, and then something very different to everyone else, and then refuses to talk.

In one of your earlier posts you mentioned how they took some shortcuts with the demo, and perhaps both of my points can be explained by "shortcuts."

Well, on to Toorcon, where hopefully some of these questions will be answered….I do think we have an interesting macro question here on whether these sorts of security issues are best raised in a specialized environment or in blogistan, and also what to do with a story when it jumps from one to another.

Thank you again for your analysis.

By bkwatch


That is where I feel they should not have given press interviews or released the video demo to the press. In the demo, they make it look like you could just hack into a MacBook and create and delete files at will on the victim’s system.

If the actual exploit crashes the wireless process, leaving them no way to connect back to the attacking machine without a second interface, they should have just stuck to a technical presentation and leave it at that. The video demo and press interviews were where they misrepresented.

By lonewolf


Yes- the internal adapter is associated with the access point to enable the connect-back shell. This was a convenience for the demo, and wouldn’t be needed for a real attack where you would inject code into the kernel instead. That’s where all the confusion on the IP address comes from. The smallworks analysis is wrong.

The exploit is totally against the third party card. Since the exploit crashes the wireless process the internal card was used in the demo to show a terminal connection as a convenience.

They didn’t misrepresent. Dave states clearly that’s what he’s doing, and he emphasized that during the talk in the presentation.

By rmogull


Rich,

you say you saw a demo of the hack. Did you see this http://www.smallworks.com/~jim/maynor_exploit_video.mov and the related posts?

What is clear to me is that the IP on the MacBook Maynor is talking about is NOT one of the USB adaptor he says he plugged in but the one of the internal Airport express card. The MAC address is 00:17:f2:41:31:6d which as shown at http://www.curreedy.com/stu/nic/ is manufactured by Apple. So in the exploit they show they use the internal Airport card BUT he says he is using an adapter.
Why? That’s the $64,000 question.
Not to reveal that the internal device driver is hackable? Is that a reputable thing to do? Why not actually do the exploit using the "third party wireless card" which he seems to plug-in?

Sorry but that’s a very strange thing to do. I’m a researcher in medical sciences and I know that there are things that I’m not comfortable to show or say at a seminar about my most recent research BUT I WOULD NEVER MISREPRESENT what I’m doing.
Which he clearly is, because he says he is doing/using one thing but actually doing another.

That’s my question.

Giulio

By giulio
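The comment above rests on a vendor lookup of the first three octets (the OUI) of the MAC address quoted in the video. As an added example, not code from the post or from any commenter, here is how an analyst would normally do that check: normalize the address (colon, hyphen, Cisco dotted and bare-hex forms), extract the OUI, and test the locally-administered and multicast bits of the first octet before trusting a vendor match, since a locally-administered (spoofed or randomized) address carries no manufacturer information at all. The vendor table is a constructed three-entry stand-in for the IEEE registry; only the Apple prefix comes from the comment itself.

```python
"""OUI lookup with a locally-administered check (added example, not from the post)."""
import re

# Constructed mini-registry. Real tooling loads the IEEE OUI file instead;
# the Apple prefix is the one quoted in the comment above, the rest are placeholders.
OUI_TABLE = {
    "00:17:F2": "Apple, Inc.",
    "AA:BB:CC": "ExampleVendor A (constructed)",
    "DD:EE:FF": "ExampleVendor B (constructed)",
}


def normalize_mac(mac: str) -> str:
    """Accept 00:17:f2:41:31:6d, 00-17-f2-41-31-6d, 0017.f241.316d or 0017f241316d
    and return the canonical upper-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui_of(mac: str) -> str:
    """First three octets, the vendor-assigned prefix."""
    return normalize_mac(mac)[:8]


def first_octet(mac: str) -> int:
    return int(normalize_mac(mac)[:2], 16)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet: set means the address was assigned locally,
    so the OUI is not a registered manufacturer prefix."""
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 of the first octet: set means a group address, not a single NIC."""
    return bool(first_octet(mac) & 0x01)


def describe(mac: str) -> dict:
    """Summarize what the address itself can tell you. Vendor is only reported
    for universally administered, unicast addresses with a known OUI."""
    canonical = normalize_mac(mac)
    local = is_locally_administered(canonical)
    multicast = is_multicast(canonical)
    vendor = None
    if not local and not multicast:
        vendor = OUI_TABLE.get(oui_of(canonical))
    return {
        "mac": canonical,
        "oui": oui_of(canonical),
        "locally_administered": local,
        "multicast": multicast,
        "vendor": vendor,
    }


if __name__ == "__main__":
    # The address from the comment, plus a locally-administered variant of it.
    for sample in ("00:17:f2:41:31:6d", "0017.f241.316d", "02:17:f2:41:31:6d"):
        print(describe(sample))
```

The point a reviewer of the video should keep in mind is the third sample: flipping the locally-administered bit leaves the remaining 46 bits identical, yet no vendor attribution is possible, which is why an OUI match alone is weak evidence about which physical card handled a frame.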


Rich —

Good, well-reasoned post. Having been a long-time BH attendee, it is indeed entirely defensible that Maynor and Ellch would have sought to do the demo over video rather than risk getting their traffic sniffed. And the other steps they took are also defensible and fit the scenario you described.

Your phrasing "got caught up in something well beyond their intentions" is both true and false. It’s true in the sense that their (apparent) caution and conservatism has gotten them inadvertently roasted alive by skeptics. But it’s also false because they should have seen this coming.

Let’s assume that their presentation methods were solely designed to follow conservative ("responsible") disclosure practices. But to the lay person, it looked like they were hiding something. That’s not just a view being taken by the Mac press and folks like Gruber. Look at what Ivan Arce has had to say about it: he’s waiting to see a proof-of-concept too.

They also scored an own-goal with the "I’d like to poke those smug Mac users in the eye with a lit cigarette" comment, which has been seized upon as evidence that Maynor and Ellch were simply jonesing to hose the Mac platform. The "cigarette" comment was a dumb thing to say, because it’s given free ammunition to those, like Gruber, who would discount their arguments.

Look, I know these guys by reputation, and they are not known to be charlatans or trolls. They are credible security researchers with a pedigree and a track record. But they’ve also been around the block a few times, too. They should have known that:
1) the press doesn’t do nuance well, and…
2) reporters, when not inclined or capable of discerning nuance, will always go for the simplest, most compelling "angle" on any given story (the headline was "Hijacking a Macbook in 60 Seconds or Less", not "Researchers Demonstrate Pervasive Flaws in Wireless Gear")
3) a lot of Mac partisans were bound to go wild over this
4) a lot of people would automatically denounce them for "concealing" details

For that reason, I’ve concluded that if the research is real, they would have been better served by waiting until after the patch (if indeed one is in development) is released. They needed to choose between 1) responsibly disclosing "early" at Black Hat and getting roasted over their methods and honesty as a result, and 2) more fully disclosing later, after the patch was released and everything’s out in the open. They chose option 1, and have reaped the whirlwind as reward. In short, they chose poorly.

If Maynor and Ellch’s research is valid (and I give better than even odds that it is) they will have, at best, achieved a Pyrrhic victory. Never mind "betting their careers" by taking Gruber’s bet; their reputations are *already* tarnished over this, rightly or wrongly. In retrospect, it’s hard to see how they could have come out of this unscathed.

I’m not trying to troll or take sides here, just pointing out the move/counter-move quality to this whole episode. Being right isn’t the only thing; being *perceived* as right is equally important.

By ajaquith


I can’t fully answer everything, but I’ll do my best by giving a little perspective.

Both in my current day job as an analyst, and in the past as a paramedic/rescue worker, I’ve dealt a lot with the press. I met Brian and he seemed nice enough, but it’s VERY easy for words to be misinterpreted after they’ve been filtered through the press.

I won’t criticize Maynor and Ellch for talking to the press- they were doing good work and it was a potentially interesting story. Reporters are paid to get readers (as much as some of us wish they were just paid to report) and there’s always a tendency to sensationalize. And when you aren’t as technical as your interview subjects it’s really easy to make mistakes.

I think there were some miscommunications and this entire thing spun out of control. Maynor, Ellch, and even Krebs are all stuck since there are now limits on what everyone is allowed to say. The video demo was to avoid anyone sniffing the exploit- which would also identify the third party card. Even if they disguised the card anyone sniffing could figure out the device.

And based on experience wireless hacking demos are really freaking hard in conferences where everyone is already messing with the traffic. I use video a lot more after a few bad experiences on stage.

I have no basis to comment on anything that might be going on in the comments over at Krebs’ site, but I can say there’s been a bit of a (to sound cliche) perfect storm over what was said to who, and what’s allowed to be said now.

I’ve been in the security game for a while and I can be pretty hard on irresponsible disclosure (some vendors are really on my bad side), but Maynor and Ellch got caught up in something well beyond their intentions, and there aren’t any real ways to address the problem right now. I suspect time will help validate them.

BTW- I appreciate everyone’s maturity in the comments on this site. We seem to be avoiding the flame battles from other sites.

By rmogull


Good points lonewolf. I agree that Rich does lay out the best defense so far for the "researchers", but I think that’s mainly because it’s in the context of arguing against the daring fireball challenge. I also agree that Maynor and Ellch are trying to have it both ways by hyping things up in the press and then acting like this is not meant for general public discussion (which is also elitist). Not to mention that their actions seem completely out of the realm of "responsible disclosure". My prediction, like yours, is that they’re going to try and do analysis of the public reaction at Toorcon to shift the focus from the supposed exploit.

By dgtruckses


Rich

You provide by far the most rational and well-elucidated defence of the researchers so far. But even supposing that they have really discovered an exploit against the stock MacBook drivers, your central arguments that the findings of their work were

1) not meant for general public discussion, and was really targeted to the security community
and
2) done in a responsible disclosure manner

are kind of weak.

My questions would be

1) If they did not intend their work to be challenged and dissected by the "general public", why did they release a video demo and give interviews to the press? WP and ZDnet are not exactly technical publications, let alone ones competent to report on technical details on security. Shouldn’t they have written up a paper and submitted it to a journal like ACM or equivalent? Now that this has caught the attention of everyone (including those whom I think are a bit over-zealous), they now turn around and say "You guys have no right to ask or comment on anything because what we did & reported is not meant for you". Isn’t this a bit hypocritical?

2) If they (and the company they work for) really practice responsible disclosure policy, then why did David Maynor tell Brian Krebs that the MacBook is similarly vulnerable to the same exploit? And even showed a demo of it to him in private. Don’t you think responsible disclosure policy necessitates the caution that the last thing you want to do is tell these things to a newspaper reporter? Now if he did not do that, then Brian Krebs must be lying, then shouldn’t David Maynor just say "At no point in time did I discuss stock MacBook drivers with the Washington Post". He can easily do this without divulging whether the drivers are indeed exploitable, no? The fact that he has chosen to remain silent gives the general perception that he did indeed talk about the MacBook drivers with Krebs. So in that case, if the drivers are indeed exploitable, he (and the company he represents) have NOT practiced responsible disclosure policy. Don’t you agree?

I’m a techie and I empathize with the researchers for some of the abuse that has been heaped on them, but your main arguments to support them are weak, I’m sorry to say. I feel that they have not acted responsibly and professionally. I hope they redeem themselves in Toorcon. But just looking at the synopsis of their talk there, I have a feeling that they are going to set their presentation up as "All these Apple fanboys are going to destroy security research on the Mac platform" kind of talk. I hope I’m wrong but let’s see ......

By lonewolf


Thanks for the clarification on "equal stakes."  I misread your post, as you do make that clear in the original posting.

By bkwatch

