Another Take on the Mac Wireless Hack
By Rich
On Friday the Mac wireless hack issue exploded again after Apple PR issued a carefully worded press release. Next thing you know one of my favorite sites, The Unofficial Apple Weblog, posts a headline that’s just wrong.
There have been a lot of really bad posts on this topic, but John Gruber at Daring Fireball winds his way through the press and blog hype in a well-reasoned article, The Curious Case of the Supposed MacBook Wi-Fi Hack. John’s reasoning is strong, but I believe we can take his assumptions in a different direction and finish with essentially the opposite result.
First, some full disclosure: I was at Black Hat and Defcon, talked with Maynor and Ellch, and have followed up with Maynor and SecureWorks since the event. I won’t be revealing any secret information here, but will just analyze John Gruber’s assumptions and see how his conclusions might change. John and I also emailed a bit on this issue over the weekend (he’s on vacation this week, so might not be able to respond).
For those of you with short attention spans: I believe that Maynor and Ellch will emerge with their reputations intact and have been trying to do the right thing from the start. If I’m wrong I’ll be the first to call myself on it and apologize, but I really don’t expect that to happen.
John’s first assumption is:
“What’s notable about this disclosure is that it is about the driver. We already know, just from watching the demonstration video, that it was also based on a third-party card. This means that either (a) the exploit they discovered uses neither the MacBook’s built-in card nor Mac OS X’s built-in driver; (b) the exploit they discovered works against both the third-party driver demonstrated in the video and against Apple’s standard driver, and they have inexplicably decided to post this disclaimer to explicitly describe only what is being demonstrated in the video; or (c) that the “experts” at SecureWorks do not understand the difference between a driver and a card. My money is on (a).”
Let’s explore option (b), especially the last part: ‘…they have inexplicably decided to post this disclaimer to explicitly describe only what is being demonstrated in the video’. I propose an alternative: that they purposely posted the disclaimer to explicitly describe only what is being demonstrated in the video. Why would they do this? Not all security researchers believe in full disclosure. If you are one of these researchers and you don’t want to disclose the details of an unpatched vulnerability, but do want to demonstrate the class of vulnerability (device driver exploits), you might choose to demonstrate it using an unidentified device. In the background you would notify any affected vendors and give them time to respond. If you show the attack on the built-in wireless device you instantly identify the vendor involved. An anonymous third-party card avoids this exposure.
Let’s move to the next few points, which focus on Brian Krebs. John states:
“The reason this is notable is that if (a) is true (that the vulnerability they discovered does not apply to the standard AirPort driver software from Apple) it entirely contradicts Brian Krebs’s original and much-publicized story. Krebs wrote (emphasis added): “The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s [sic] wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the MacBook – and presently not publicly disclosed – Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the “Mac user base aura of smugness on security.”
Brian is a reporter and as such has different motivations than a security researcher. Brian posted this information and stands by it. Maynor and Ellch have followed a policy of not commenting on the potential vulnerability of native MacBook wireless drivers, so we have a situation where Brian reported something and his sources will neither confirm nor deny it. Why might they do this?
One reason: the vulnerability is real and they don’t wish to disclose it until the vendor involved issues a patch. For this to be true they would have to have informed Apple (and the anonymous third-party device vendor), and said vendor wasn’t ready, for whatever reasons, to issue a patch. Since we’re only a few weeks from the initial disclosure we’re still in a reasonable timeframe. Remember, if they confirm Brian’s post they release enough details on the vulnerability that it could be replicated. But they haven’t denied the statement either, which leaves three possibilities: it’s true, Brian is wrong, or they lied. I don’t believe this is something they would lie about. Brian is now in the unenviable position of trying to justify his reporting without confirmation from his sources. While I’m not a reporter (I’m just an analyst and blogger) I’ve come close to similar situations and they’re no fun.
Next we have to look at Apple’s official response. John states:
“In response to SecureWorks’s admission that their demonstration did not exploit the built-in driver, Apple on Friday released a statement regarding the supposed vulnerability. Lynn Fox, Apple’s director of Mac PR, told Macworld: “Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is. To the contrary, the SecureWorks demonstration used a third party USB 802.11 device – not the 802.11 hardware in the Mac – a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.” Fox’s statement on behalf of Apple is unequivocal: Maynor and Ellch’s exploit involves neither the MacBook’s standard Wi-Fi hardware card or software driver. That, of course, does not mean that Apple’s standard driver isn’t somehow similarly vulnerable, but if it is, Maynor and Ellch have not demonstrated such a vulnerability to Apple, according to Fox.”
But we can parse Apple’s statement a little differently. In their Black Hat/Defcon presentations Maynor and Ellch never identified any specific wireless device as vulnerable. SecureWorks may have been quoted as saying that, but the only source is Krebs’ article (not the presentation or any official press release). They made an explicit decision, stated in the presentation, not to identify any vulnerable device/driver, and used an unidentified external card to support this decision. The only part that doesn’t make sense to me is the claim that they have provided no evidence that in fact it is. The support Apple offers for that claim is:
“Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”
John considers this an unequivocal statement that the exploit doesn’t involve the MacBook’s native wireless, but we can read it a different way. Maynor and Ellch have “not shared or demonstrated any code… relevant to the hardware and software we ship”. For those of us in the security business this doesn’t mean there isn’t a vulnerability; it’s just a statement about the level of detail given to Apple. You can exchange details of a vulnerability (which driver, what kind of malformed input triggers it, what happens when it does) without sharing or demonstrating code. Apple only denied that code was exchanged or demonstrated; they didn’t deny the vulnerability.
Yes, we’re parsing words as finely as a politician here, but if there’s one thing I’ve learned in 5+ years as an analyst it’s to never trust PR, no matter how respectable the vendor it represents. Notice that Apple has not made any formal statement that the MacBook (or any other product) is not vulnerable to this class of exploit? In my mind that’s a glaring omission. Apple could put this to rest with a single statement, but they haven’t.
As for Atheros, it may be that they haven’t been contacted directly. If this were a Mac-specific issue on native hardware I would probably contact Apple first myself, so the Atheros denial (which I believe is true) doesn’t affect the overall argument.
John’s next section is the most essential to his piece:
This entire saga boils down to one simple question: Have Maynor and Ellch discovered a vulnerability against MacBooks using Apple’s built-in AirPort cards and drivers? Given all the facts laid out in the previous section, you might at first think this question has been answered, and that the answer is “no”, but unless I’m missing something, this is, inexplicably, still an open question.
It’s not inexplicable; it’s a potentially valid situation if we are dealing with an unpatched vulnerability that no one wishes to disclose until a patch is released.
We do have enough facts, however, to know with certainty that some of our protagonists will not emerge with their reputations intact. Someone, clearly, is either lying or incompetent (or both)… For example, from Apple’s statement on Friday, we know that if Maynor and Ellch have identified an exploit against a stock MacBook, that they have not yet contacted Apple (or Atheros) with details about the vulnerability – which is both enormously irresponsible for ostensibly professional security researchers, and which contradicts statements they previously made to Brian Krebs that they had been in contact with Apple regarding their discoveries. Or, if they have contacted Apple, the statement issued by Apple’s Lynn Fox is flat-out false and Apple has committed an enormous, almost incomprehensibly foolish mistake, because such a mendacious lie will prove far worse for Apple than divulging a Wi-Fi exploit that, if it actually exists, is surely going to come to light soon anyway. I.e. why would Apple lie about this if Maynor could call them on it?
As shown, we may have totally valid reasons for the actions of Maynor/Ellch/SecureWorks and of Krebs. Apple has only stated that no code was exchanged and that no demonstration has been shown against native Mac hardware/software. Apple’s statement can be true, Maynor’s statements true, and Krebs’ statements true. How?
1. Maynor and Ellch may be following responsible disclosure guidelines and refusing to validate the vulnerability status of any hardware/software.
2. Krebs may have either misheard or reported something Maynor and Ellch didn’t mean to expose. If so, and they want neither to lie nor to expose the vulnerability, the best course of action is to neither confirm nor deny.
3. Apple may know about the vulnerability and for the same reasons not wish to expose that their platform is vulnerable. The statement from Fox can be true without denying the vulnerability. Considering how protective Apple is of the brand I could see this as a very real possibility.
If SecureWorks, Maynor, and Ellch are working with Apple they could easily be in the position of not even being able to confirm what platform was used. Why? Because most people are forgetting what their Black Hat/Defcon presentation was actually about.
In the presentation Maynor and Ellch discussed the use of “fuzzing” (feeding deliberately malformed input to a driver and watching for crashes) to discover device driver exploits. Only a very small part of the presentation was devoted to the specific exploit in the video. They each described different techniques for fuzzing and the systems they used to explore wireless driver vulnerabilities. The actual Mac hack was just a short demo at the end. A knowledgeable attacker could use this same technique to discover and exploit similar vulnerabilities across a range of wireless devices. This brings us to John’s conclusion (I’m skipping sections on other responses we’ve seen on the web to focus on Maynor and Ellch):
The principle of Occam’s Razor holds that the most obvious explanation is the most likely to be true. By that guideline and the evidence at hand, it is my guess that Maynor and Ellch are disingenuous publicity hounds who studied a previously-identified vulnerability in a FreeBSD Wi-Fi driver and concluded that they could perhaps use this published vulnerability against Mac OS X. I think they tried – and failed – to find an exploit that works against the standard AirPort cards and drivers used by nearly all Mac users, and that they then realized they could, in a demo, exploit buggy drivers other than Apple’s on a doctored MacBook and draw much more attention to themselves and their firm than if their demo had been performed on any other computer, using Windows or an open source operating system. I believe they “informed” Apple about a FreeBSD wireless driver issue that Apple already knew about, so that they (i.e. Maynor and Ellch) could honestly claim to have approached “about a I.e. that despite the fact that the exploit they had discovered is completely and utterly irrelevant to anyone using a MacBook with Apple’s default AirPort driver and card, which is to say all MacBooks other than the one that Maynor and Ellch modified specifically for their contrived demo, they chose to perform their demo using the MacBook.
Or, they discovered a related vulnerability as part of their research on fuzzing to expose device driver exploits. Trying to be responsible, they don’t want to disclose the platforms involved until patches are released, and so used an unidentified third-party card. The BSD vulnerability might have shown them an avenue for research, but their presentation supports the position that their goal wasn’t to crack a single device but to show new techniques for exposing a class of vulnerabilities. Unfortunately very few bloggers/reporters were in the presentation to see this.
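The fuzzing technique the presentation was actually about is easier to picture with a toy. What follows is an added example, not code from this post and not Maynor and Ellch’s or any vendor’s code: a small Python mutation fuzzer that builds a constructed 802.11 beacon frame, corrupts its information elements (IEs), and runs each mutant through two Python models of a driver’s IE parser, a careless one that trusts the declared lengths and a hardened one that bounds them. The frame contents, the two parser models and the DriverCrash exception are assumptions made for the illustration; it models the class of bug (trusting an attacker-controlled length field), not any specific driver’s flaw, and real driver fuzzing injects such frames over the air instead of calling a function.

```python
# Added illustration: a toy 802.11 beacon fuzzer against two parser models.
# The frame layout, parser models and DriverCrash are assumptions for the
# example, not any real vendor's driver code.
import random

SSID_BUF = 32    # 802.11 caps an SSID at 32 bytes; a driver may size a stack buffer to match
IE_OFFSET = 36   # 24-byte MAC header + 12 bytes of fixed beacon parameters precede the IEs


class DriverCrash(Exception):
    """Stands in for the memory-safety violation a real driver would suffer."""


def build_ie(tag, body):
    """Tag, one-byte length, body (length masked to a byte, as on the air)."""
    return bytes([tag, len(body) & 0xFF]) + body


def build_beacon(ssid=b"fuzznet"):
    """Constructed, well-formed beacon: MAC header, fixed parameters, then IEs."""
    header = (b"\x80\x00"                         # frame control: management / beacon
              + b"\x00\x00"                       # duration
              + b"\xff" * 6                       # destination: broadcast
              + b"\x02\x11\x22\x33\x44\x55" * 2   # source and BSSID (made-up, locally administered)
              + b"\x00\x00")                      # sequence control
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x01\x04"   # timestamp, beacon interval, capability
    ies = (build_ie(0, ssid)                                    # SSID
           + build_ie(1, b"\x82\x84\x8b\x96")                   # supported rates
           + build_ie(3, b"\x06")                               # DS parameter set (channel 6)
           + build_ie(221, b"\x00\x50\xf2\x01" + b"\x00" * 60))  # vendor IE, padding so long SSIDs fit
    return header + fixed + ies


def parse_naive(frame):
    """Careless driver model: trusts every declared IE length."""
    ssid = bytearray(SSID_BUF)
    pos = IE_OFFSET
    while pos + 2 <= len(frame):
        tag, ln = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ln]
        if len(body) < ln:
            raise DriverCrash("read past end of frame")
        if tag == 0:
            if ln > SSID_BUF:
                raise DriverCrash(f"SSID length {ln} overflows {SSID_BUF}-byte buffer")
            ssid[:ln] = body
        pos += 2 + ln
    return bytes(ssid).rstrip(b"\x00")


def parse_hardened(frame):
    """Same parser with the two checks it needs: bound by the frame, bound by the buffer."""
    ssid = bytearray(SSID_BUF)
    pos = IE_OFFSET
    while pos + 2 <= len(frame):
        tag, ln = frame[pos], frame[pos + 1]
        if pos + 2 + ln > len(frame):
            break                                   # truncated IE: stop and drop the rest
        body = frame[pos + 2:pos + 2 + ln]
        if tag == 0:
            ssid[:min(ln, SSID_BUF)] = body[:SSID_BUF]   # copy at most what the buffer holds
        pos += 2 + ln
    return bytes(ssid).rstrip(b"\x00")


def mutate(frame, rng):
    """One random mutation of the IE region: overwrite a byte, corrupt the SSID length, or truncate."""
    frame = bytearray(frame)
    op = rng.randrange(3)
    if op == 0:
        frame[rng.randrange(IE_OFFSET, len(frame))] = rng.randrange(256)
    elif op == 1:
        frame[IE_OFFSET + 1] = rng.randrange(256)
    else:
        del frame[rng.randrange(IE_OFFSET + 2, len(frame)):]
    return bytes(frame)


def crashes(parser, frame):
    """True if the parser model hits a memory-safety violation on this frame."""
    try:
        parser(frame)
    except DriverCrash:
        return True
    return False


def fuzz(parser, iterations=2000, seed=1):
    """Feed mutated beacons to a parser; return (reason, frame) for every crash."""
    rng = random.Random(seed)
    base = build_beacon()
    found = []
    for _ in range(iterations):
        frame = mutate(base, rng)
        try:
            parser(frame)
        except DriverCrash as exc:
            found.append((str(exc), frame))
    return found


if __name__ == "__main__":
    for name, parser in (("naive", parse_naive), ("hardened", parse_hardened)):
        hits = fuzz(parser)
        print(f"{name}: {len(hits)} crashing frames; reasons: {sorted(set(r for r, _ in hits))}")
```

Run as a script it reports how many mutants crashed each parser model. The careless parser fails in two different ways, reading past the end of a truncated frame and overflowing the fixed-size SSID buffer, which is why the hardened version checks the declared length against both the frame and the buffer. A real harness swaps the Python parser for frame injection against the target card and watches the host for a panic; the point of the technique, and of the presentation, is that the same mutated frames can be thrown at any card and driver, not just one.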
John ends with:
Now that the “fireworks” are starting, my guess is that Maynor and Ellch, if they choose to defend themselves rather than quietly walking away from the table, will do so by claiming that they never stated nor implied that they had found any vulnerabilities in the MacBook’s built-in card and driver. But their prevarications were far too clumsy for them to get away with this. It is a simple yes or no question: Have Maynor and Ellch found a vulnerability that affects MacBooks using Apple’s built-in cards and drivers? That Maynor and Ellch haven’t answered it speaks volumes. Bring on the fireworks.
John’s totally correct: one option is they can come out and state they never claimed native drivers were vulnerable. In that case the only person at fault is Krebs, in his blog. But there’s another option: Apple could release a patch, or Maynor/Ellch could release details (or both at the same time). Then everyone is right, although Apple PR doesn’t come out as well.
I think John has, by far, the best analysis of this situation, but it leads me to a different conclusion. I can see how, in the process of being responsible and of working with Apple, Maynor and Ellch would keep quiet as the fireworks start.
I don’t know how this will end up. I don’t know what will finally be released (or not). But using only John’s own analysis (and the fact that I saw the original presentation) I can easily see Maynor, Ellch, SecureWorks, and Krebs emerging with their reputations more than intact.
(edited 8/22 to clean formatting)