
Another Take on the Mac Wireless Hack

By Rich

On Friday the Mac Wireless hack issue exploded again after Apple PR issued a carefully worded press release. Next thing you know one of my favorite sites, The Unofficial Apple Weblog posts a headline that’s just wrong.

There have been a lot of really bad posts on this topic, but John Gruber at Daring Fireball winds his way through the press and blog hype in a well reasoned article, The Curious Case of the Supposed MacBook Wi-Fi Hack. John’s reasoning is strong, but I believe we can take his assumptions in a different direction and finish with essentially the opposite results.

First, some full disclosure: I was at Black Hat and Defcon, talked with Maynor and Ellch, and have followed up with Maynor and SecureWorks since the event. I won’t be revealing any secret information here; I will just analyze John Gruber’s assumptions and see how his conclusions might change. John and I also emailed a bit on this issue over the weekend (he’s on vacation this week, so he might not be able to respond).

For those of you with short attention spans I believe that Maynor and Ellch will emerge with their reputations intact and have been trying to do the right thing from the start. If I’m wrong I’ll be the first to call myself on it and apologize, but I really don’t expect that to happen.

John’s first assumption is:

“What’s notable about this disclosure is that it is about the driver. We already know, just from watching the demonstration video, that it was also based on a third-party card. This means that either (a) the exploit they discovered uses neither the MacBook’s built-in card nor Mac OS X’s built-in driver; (b) the exploit they discovered works against both the third-party driver demonstrated in the video and against Apple’s standard driver, and they have inexplicably decided to post this disclaimer to explicitly describe only what is being demonstrated in the video; or (c) that the “experts” at SecureWorks do not understand the difference between a driver and a card. My money is on (a).”

Let’s explore option (b), especially the last part: ‘…they have inexplicably decided to post this disclaimer to explicitly describe only what is being demonstrated in the video’ (emphasis on ‘inexplicably’ added). I propose an alternative: that they purposely posted the disclaimer to explicitly describe only what is being demonstrated in the video. Why would they do this? Not all security researchers believe in full disclosure. If you are one of these researchers and you don’t want to disclose the details of an unpatched vulnerability, but do want to demonstrate the class of vulnerability (device driver exploits), you might choose to demonstrate the vulnerability using an unidentified device. In the background you would notify any affected vendors and give them time to respond. If you show the attack on the built-in wireless device you instantly identify the vendor involved. An anonymous third-party card avoids this exposure.

Let’s move to the next few points, which focus on Brian Krebs. John states,

“The reason this is notable is that if (a) is true (that the vulnerability they discovered does not apply to the standard AirPort driver software from Apple) it entirely contradicts Brian Krebs’s original and much-publicized story. Krebs wrote (emphasis added): “The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s [sic] wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the MacBook – and presently not publicly disclosed – Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the “Mac user base aura of smugness on security.”

Brian is a reporter and as such has different motivations than a security researcher. Brian posted this information and stands by it. Maynor and Ellch have followed a policy of not commenting on the potential vulnerability of native MacBook wireless drivers. Thus we have a situation where Brian reported something, but the sources won’t validate or repudiate the statement: Maynor and Ellch have yet to either confirm or deny Brian’s reporting. Why might they do this?

One reason: the vulnerability is real and they don’t wish to disclose it until the vendor involved issues a patch. For this to be true they would have to have informed Apple (and the anonymous third-party device vendor), and said vendor wasn’t ready, for whatever reason, to issue a patch. Since we’re only a few weeks from the initial disclosure we’re still in a reasonable timeframe. Remember, if they confirm Brian’s post they release enough detail on the vulnerability that it could be replicated. But they haven’t denied the statement either, which indicates one of three things: it’s true, Brian is wrong, or they lied. I don’t believe this is something they would lie about. Brian is now in the unenviable position of trying to justify his reporting without confirmation from his sources. While I’m not a reporter (I’m just an analyst and blogger), I’ve come close to similar situations and they’re no fun.

Next we have to look at Apple’s official response. John states:

“In response to SecureWorks’s admission that their demonstration did not exploit the built-in driver, Apple on Friday released a statement regarding the supposed vulnerability. Lynn Fox, Apple’s director of Mac PR, told Macworld: “Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is. To the contrary, the SecureWorks demonstration used a third party USB 802.11 device – not the 802.11 hardware in the Mac – a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.” Fox’s statement on behalf of Apple is unequivocal: Maynor and Ellch’s exploit involves neither the MacBook’s standard Wi-Fi hardware card or software driver. That, of course, does not mean that Apple’s standard driver isn’t somehow similarly vulnerable, but if it is, Maynor and Ellch have not demonstrated such a vulnerability to Apple, according to Fox.”

But we can parse Apple’s statement a little differently. In their Black Hat/Defcon presentations Maynor and Ellch never identified any specific wireless device that was vulnerable. SecureWorks may have been quoted as saying that, but the only source is Krebs’ article (not the presentation or any official press release). They made an explicit decision, stated in the presentation, not to identify any vulnerable device/driver, and used an unidentified external card to support this decision. The only part that doesn’t make sense to me is “they have provided no evidence that in fact it is.” This statement is supported by:

“Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”

John considers this an unequivocal statement that the exploit doesn’t involve the MacBook native wireless, but we can read this in a different way. Maynor and Ellch have “not shared or demonstrated any code… relevant to the hardware and software we ship”. For us in the security business this doesn’t mean there isn’t a vulnerability; it’s just a statement as to the level of detail given to Apple. You can exchange details of a vulnerability without sharing or demonstrating code. Apple only denied that code was exchanged or demonstrated; they don’t deny the vulnerability.

Yes, we’re parsing words as finely as a politician here, but if there’s one thing I’ve learned in 5+ years as an analyst it’s to never trust PR, no matter how respectable the vendor they represent. Notice Apple has not made any formal statement that the MacBook (or any other product) is not vulnerable to this class of exploit? In my mind that’s a glaring omission. Apple could put this to rest with a single statement, but they haven’t.

As for Atheros, it may be they haven’t been contacted directly. If this were a Mac-specific issue on native hardware I would probably contact Apple first myself, so the Atheros denial (which I believe is true) doesn’t affect the overall argument.

John’s next section is the most essential to his piece:

This entire saga boils down to one simple question: Have Maynor and Ellch discovered a vulnerability against MacBooks using Apple’s built-in AirPort cards and drivers? Given all the facts laid out in the previous section, you might at first think this question has been answered, and that the answer is “no”, but unless I’m missing something, this is, inexplicably, still an open question.

It’s not inexplicable; it is a potentially valid situation if we are dealing with an unpatched vulnerability that no one wishes to disclose until a patch is released.

John continues:

We do have enough facts, however, to know with certainty that some of our protagonists will not emerge with their reputations intact. Someone, clearly, is either lying or incompetent (or both)… …For example, from Apple’s statement on Friday, we know that if Maynor and Ellch have identified an exploit against a stock MacBook, that they have not yet contacted Apple (or Atheros) with details about the vulnerability – which is both enormously irresponsible for ostensibly professional security researchers, and which contradicts statements they previously made to Brian Krebs that they had been in contact with Apple regarding their discoveries. Or, if they have contacted Apple, the statement issued by Apple’s Lynn Fox is flat-out false and Apple has committed an enormous, almost incomprehensibly foolish mistake, because such a mendacious lie will prove far worse for Apple than divulging a Wi-Fi exploit that, if it actually exists, is surely going to come to light soon anyway. I.e. why would Apple lie about this if Maynor could call them on it?

As shown, we may have totally valid reasons for the actions of both Maynor/Ellch/SecureWorks and Krebs. Apple has only stated that no code was exchanged and that no demonstration has been shown against native Mac hardware/software. Apple’s statement can be true, Maynor’s statements true, and Krebs’ statements true. How?

1. Maynor and Ellch may be following responsible disclosure guidelines and refusing to validate the vulnerability status of any hardware/software.

2. Krebs may have either misheard or reported something Maynor and Ellch didn’t mean to expose. If true, and they want neither to lie nor to expose the vulnerability, the best course of action is to neither confirm nor deny.

3. Apple may know about the vulnerability and, for the same reasons, not wish to expose that their platform is vulnerable. The statement from Fox can be true without denying the vulnerability. Considering how protective Apple is of the brand, I could see this as a very real possibility.

If SecureWorks, Maynor, and Ellch are working with Apple they could easily be in the position of not even being able to validate what platform was used. Why? Because most people are forgetting what their Black Hat/Defcon presentation was about.

In the presentation Maynor and Ellch discussed the use of “fuzzing” to discover device driver vulnerabilities. Only a very small part of the presentation was devoted to the specific exploit in the video. They each described different techniques for fuzzing and the systems they used to explore wireless driver vulnerabilities. The actual Mac hack was just a short demo at the end. A knowledgeable attacker could use this same technique to discover similar vulnerabilities across a range of wireless devices. This brings us to John’s conclusion (I’m skipping sections on other responses we’ve seen on the web to focus on Maynor and Ellch):

The principle of Occam’s Razor holds that the most obvious explanation is the most likely to be true. By that guideline and the evidence at hand, it is my guess that Maynor and Ellch are disingenuous publicity hounds who studied a previously-identified vulnerability in a FreeBSD Wi-Fi driver and concluded that they could perhaps use this published vulnerability against Mac OS X. I think they tried – and failed – to find an exploit that works against the standard AirPort cards and drivers used by nearly all Mac users, and that they then realized they could, in a demo, exploit buggy drivers other than Apple’s on a doctored MacBook and draw much more attention to themselves and their firm than if their demo had been performed on any other computer, using Windows or an open source operating system. I believe they “informed” Apple about a FreeBSD wireless driver issue that Apple already knew about, so that they (i.e. Maynor and Ellch) could honestly claim to have approached “about a I.e. that despite the fact that the exploit they had discovered is completely and utterly irrelevant to anyone using a MacBook with Apple’s default AirPort driver and card, which is to say all MacBooks other than the one that Maynor and Ellch modified specifically for their contrived demo, they chose to perform their demo using the MacBook.

Or, they discovered a related vulnerability as part of their research on fuzzing to expose device driver exploits. Trying to be responsible, they didn’t want to disclose the platforms involved until patches were released, and so used an unidentified third-party card. The BSD vulnerability might have shown them an avenue for research, but their presentation supports the position that their goal wasn’t to crack a single device, but to show new techniques for exposing a class of vulnerabilities. Unfortunately very few bloggers/reporters were in the presentation to see this.

John ends with:

Now that the “fireworks” are starting, my guess is that Maynor and Ellch, if they choose to defend themselves rather than quietly walking away from the table, will do so by claiming that they never stated nor implied that they had found any vulnerabilities in the MacBook’s built-in card and driver. But their prevarications were far too clumsy for them to get away with this. It is a simple yes or no question: Have Maynor and Ellch found a vulnerability that affects MacBooks using Apple’s built-in cards and drivers? That Maynor and Ellch haven’t answered it speaks volumes. Bring on the fireworks.

John’s totally correct: one option is that they come out and state they never claimed native drivers were vulnerable. In that case the only person at fault is Krebs in his blog. But there’s another option: Apple could release a patch, or Maynor/Ellch could release details (or both at the same time). Then everyone is right, although Apple PR doesn’t come out as well.

I think John has, by far, the best analysis of this situation but it leads me to a different conclusion. I can see how in the process of being responsible and of working with Apple that Maynor and Ellch would keep quiet as the fireworks start.

I don’t know how this will end up. I don’t know what will finally be released (or not). But using only John’s own analysis (and the fact that I saw the original presentation) I can easily see Maynor, Ellch, SecureWorks, and Krebs emerging with their reputations more than intact. (Edited 8/22 to clean formatting.)

Comments

[...] The fact that this is a publicly held company that was prepared to go to the wire and use someone else’s registered trademark for a new product demonstrates that Apple is not risk-averse, to put it mildly. Let’s look at Lynn Fox’s original statement: “Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is. To the contrary, the SecureWorks demonstration used a third party USB 802.11 device — not the 802.11 hardware in the Mac — a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.” [...]

By Maynor/Ellch Mac wireless exploit resurfaces »


Rich, again, thanks for your comments and clarifications.

RE: a "weird series of events around the presentation and I suspect the real story will eventually emerge"—I couldn’t agree more. But the weirdness started when Brian Krebs broke the story in the morning that a MacBook was going to get hacked via airport, the video showed something else (a third party card), Krebs refused to back down on his story and released a transcript contradicting what Maynor and Ellch were saying elsewhere, and then accused people of "hate mail" when they tried to get the real story. Blown out of proportion—yes—but let’s be clear on who is doing the blowing.

By bkwatch


Others may have signed an NDA, I haven’t asked. Yes, my personal demo was after the conference. We were going to try and do it at Defcon but we couldn’t make it work with our schedules.

I can’t comment on what others may have seen. My demo was after the conference and essentially exactly what was shown in the video (except I got to ask a lot of detailed questions).

I met Brian and he seemed like a nice enough guy- better than a lot of reporters I’ve worked with over the years. I definitely won’t get involved in any controversy around his reporting, but am happy to discuss what I know and can release.

I do think this is blown out of proportion. There’s been a weird series of events around the presentation and I suspect the real story will eventually emerge.

By rmogull


Rich, thanks for your answers. I was a little confused by your answer to #2 (it sounds as if you got a private demo via AIM AFTER the conference) but don’t worry about that—I was trying to clear up a statement by Dave that he gave a demo to 3 people at the conference.

And thanks also for answering the questions about the NDA—the object there is not to pry but just to see if Dave Maynor is requiring an NDA before viewing the demo live, or just asking people to keep it quiet until released. I was a bit confused about George Ou saying he was "under a NDA" when in all likelihood it was a similar arrangement or an appeal to "journalistic ethics".

In addition, thanks for the insight on the native card being used to enable the reverse shell.

Just to be clear, I don’t have a problem with Maynor/Ellch—if there is a flaw in my Mac I want it fixed, fast—but I do have a beef with Krebs’s and Ou’s reporting on this issue.

So, not trying to be combative, if the native card is just being used to enable the reverse shell, how do you account for Brian Krebs’s version of events—where he claimed to have seen the exploit done on a MacBook without a third party wireless card attached—during his private demo before the conference?

By bkwatch


Reasonable questions:

1. I’m in direct contact with them (Ellch only at the conference, still with Maynor). At Black Hat/Defcon that’s what I saw them using.

2. I saw it over live remote video (on my Mac over AIM), not live at the conference. Thus there was no one else around. I got to ask detailed questions at each stage.

3. I do not sign NDAs so legally could disclose what I’ve seen or know. But I respect when someone asks me to keep something confidential, especially when I think it’s for a legitimate reason.

Now for the second set of points:

1. The attack is definitely against the third party wireless card. The native card is associated with the PC (as an access point) to enable the reverse shell only. If that connection were attacked successfully (using a different exploit, being a different card) the reverse shell wouldn’t work since the attack kills the wireless association. At least the exploit that works on the third party card, I suppose if there were one for the native wireless it could possibly leave the connection live but I doubt it.

2. Because I didn’t think Atheros was contacted at that time.

Krebs isn’t under NDA- he’s a reporter running under journalistic ethics (and I only know what those are from watching TV). I’m not under a formal NDA but have agreed to keep certain details in confidence until released.

What I can say is the exploit demonstrated in the video against the third party card is absolutely real.

By rmogull


Thanks for your generally sober commentary.  I agree with 80% of what you are saying.

But a few points to clear up:

1. You claim Maynor/Ellch are Mac users—how did you get this information?

2. Maynor/Ellch claim to have shown the demo to three people at Blackhat: You, Krebs and Ou? Were there other people with you when you were shown the demo in person?

3. Did Maynor/Ellch make you sign an NDA before viewing the demo in person?

That being out of the way, here’s some more thoughts.

1. If you follow Thompson’s viewing of the video, it appears that the video may be showing an exploit against the native airport card, NOT the 802.11 USB card. If that is true, does it violate any ethical consideration by a security researcher to then claim later the video only shows an attack against the USB?

2. Very minor point, you say:

Yes, we’re parsing words as finely as a politician here, but if there’s one thing I’ve learned in 5+ years as an analyst it’s to never trust PR, no matter how respectable the vendor they represent. Notice Apple has not made any formal statement that the MacBook (or any other product) is not vulnerable to this class of exploit? In my mind that’s a glaring omission. Apple could put this to rest with a single statement, but they haven’t.

As for Atheros, it may be they haven’t been contacted directly. If this were a Mac-specific issue on native hardware I would probably contact Apple first myself, so the Atheros denial (which I believe is true) doesn’t affect the overall argument.

It’s a little ironic that in one paragraph you say "never trust PR" and then in the next say the "Atheros denial (which I believe is true)". Why trust Atheros more than Apple on this?

Just to make my point clear, I don’t have much of a problem with Maynor/Ellch. I even grant you that your version of events might be correct. I do have a problem with Krebs’s and Ou’s reporting of the issue.

I am asking about the NDA because Ou claims to be under one, you make a reference to "secrets", but Krebs has not said anything about an NDA at all, and given that he posted his transcript of his interview, it appears he is not under an NDA.

Brian Krebs Watch

By bkwatch


[...] For more details (but also read all the comments!): see e.g. http://securosis.com/2006/08/21/another-take-on-the-mac-wireless-hack/ Comments » [...]

By MacAzine :: MacBook als goocheldoos :: August :: 2


[...] After reading about the MacBook Hijack and the resulting commentary from the highly-regarded (by more than me, honestly) John Gruber, the logic-mashing inanity of George Ou and the realistic-yet-still-easily-disproved sub-evaluation by Rich Mogull it’s quite easy to figure out and explain to you, dear reader, what is really going on. [...]

By Hamm On Wry » Blog Archive » I know th


Ian,

Thanks for the link- considering how I feel about Macs (I am typing this on a Mac, sitting next to another Mac, with a third Mac being delivered by DHL today) it’s amusing. I responded over on your site.

By rmogull


But Maynor and Ellch went out of their way to emphasize that the MacBook’s native wireless card was vulnerable.

As I understand it, this claim was made by Krebs. Maynor and Ellich have neither confirmed nor denied it.

Incidentally Rich, welcome to the world of commenting on the Mac. You’re already being accused of being part of a "black PR conspiracy" against the platform in the comments over on my blog (check out "Zato"’s comments at http://technovia.typepad.com/technovia/2006/08/is_the_macs_air.html#comments)

By ianbetteridge

