
Another Take on the Mac Wireless Hack

On Friday the Mac Wireless hack issue exploded again after Apple PR issued a carefully worded press release. Next thing you know one of my favorite sites, The Unofficial Apple Weblog posts a headline that’s just wrong.

There have been a lot of really bad posts on this topic, but John Gruber at Daring Fireball winds his way through the press and blog hype in a well reasoned article, The Curious Case of the Supposed MacBook Wi-Fi Hack. John’s reasoning is strong, but I believe we can take his assumptions in a different direction and finish with essentially the opposite results.

First some full disclosure- I was at Black Hat and Defcon, talked with Maynor and Ellch, and have followed up with Maynor and SecureWorks since the event. I won’t be revealing any secret information here, but will just analyze John Gruber’s assumptions and see how his conclusions might change. John and I also emailed a bit on this issue over the weekend (he’s on vacation this week, so might not be able to respond).

For those of you with short attention spans I believe that Maynor and Ellch will emerge with their reputations intact and have been trying to do the right thing from the start. If I’m wrong I’ll be the first to call myself on it and apologize, but I really don’t expect that to happen.

John’s first assumption is:

“What’s notable about this disclosure is that it is about the driver. We already know, just from watching the demonstration video, that it was also based on a third-party card. This means that either (a) the exploit they discovered uses neither the MacBook’s built-in card nor Mac OS X’s built-in driver; (b) the exploit they discovered works against both the third-party driver demonstrated in the video and against Apple’s standard driver, and they have inexplicably decided to post this disclaimer to explicitly describe only what is being demonstrated in the video; or (c) that the “experts” at SecureWorks do not understand the difference between a driver and a card. My money is on (a).”

Let’s explore option (b), especially the last part: ‘…they have inexplicably decided to post this disclaimer to explicitly describe only what is being demonstrated in the video’. (bold added) I propose an alternative: that they purposely posted the disclaimer to explicitly describe only what is being demonstrated in the video. Why would they do this? Not all security researchers believe in full disclosure. If you are one of these researchers and you don’t want to disclose the details of an unpatched vulnerability but want to demonstrate the class of vulnerability (device driver exploits) you might choose to demonstrate the vulnerability using an unidentified device. In the background you would notify any affected vendors and give them time to respond. If you show the attack on the built-in wireless device you instantly identify the vendor involved. An anonymous third-party card avoids this exposure.

Let’s move to the next few points which focus on Brian Krebs. John states,

“The reason this is notable is that if (a) is true (that the vulnerability they discovered does not apply to the standard AirPort driver software from Apple) it entirely contradicts Brian Krebs’s original and much-publicized story. Krebs wrote (emphasis added): “The video shows Ellch and Maynor targeting a specific security flaw in the Macbook’s [sic] wireless “device driver,” the software that allows the internal wireless card to communicate with the underlying OS X operating system. While those device driver flaws are particular to the MacBook – and presently not publicly disclosed – Maynor said the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS. Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the “Mac user base aura of smugness on security.”

Brian is a reporter and as such has different motivations than a security researcher. Brian posted this information and stands by it. Maynor and Ellch have followed a policy of not commenting on the potential vulnerability of native MacBook wireless drivers. Thus we have a situation where Brian reported something, but the sources won’t validate or repudiate the statement. Maynor and Ellch have yet to either confirm or deny Brian’s reporting. Why might they do this?

One possibility is that the vulnerability is real and they don’t wish to disclose it until the vendor involved issues a patch. For this to be true they would have to have informed Apple (and the anonymous third-party device vendor), and said vendor wasn’t ready, for whatever reason, to issue a patch. Since we’re only a few weeks from the initial disclosure we’re still in a reasonable timeframe. Remember, if they confirm Brian’s post they release enough details on the vulnerability that it could be replicated. But they haven’t denied the statement either, which indicates one of three things: it’s true, Brian is wrong, or they lied. I don’t believe this is something they would lie about. Brian is now in the unenviable position of trying to justify his reporting without confirmation from his sources. While I’m not a reporter (just an analyst and blogger) I’ve come close to similar situations, and they’re no fun.

Next we have to look at Apple’s official response. John states:

“In response to SecureWorks’s admission that their demonstration did not exploit the built-in driver, Apple on Friday released a statement regarding the supposed vulnerability. Lynn Fox, Apple’s director of Mac PR, told Macworld: “Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is. To the contrary, the SecureWorks demonstration used a third party USB 802.11 device – not the 802.11 hardware in the Mac – a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.” Fox’s statement on behalf of Apple is unequivocal: Maynor and Ellch’s exploit involves neither the MacBook’s standard Wi-Fi hardware card or software driver. That, of course, does not mean that Apple’s standard driver isn’t somehow similarly vulnerable, but if it is, Maynor and Ellch have not demonstrated such a vulnerability to Apple, according to Fox.”

But we can parse Apple’s statement a little differently. In their Black Hat/Defcon presentations Maynor and Ellch never identified any specific wireless device that was vulnerable. SecureWorks may have been quoted as saying that, but the only source is Krebs’ article (not the presentation or any official press release). They made an explicit decision, stated in the presentation, not to identify any vulnerable device/driver, and used an unidentified external card to support this decision. The only part that doesn’t make sense to me is “they have provided no evidence that in fact it is.” This statement is supported by:

“Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”

John considers this an unequivocal statement that the exploit doesn’t involve the MacBook native wireless, but we can read this in a different way. Maynor and Ellch have “not shared or demonstrated any code… relevant to the hardware and software we ship”. For us in the security business this doesn’t mean there isn’t a vulnerability; it’s just a statement as to the level of detail given to Apple. You can exchange details of a vulnerability without sharing or demonstrating code. Apple only denied that code was exchanged or demonstrated; they don’t deny the vulnerability.

Yes- we’re parsing words as finely as a politician here, but if there’s one thing I’ve learned in 5+ years as an analyst it’s to never trust PR, no matter how respectable the vendor they represent is. Notice that Apple has not made any formal statement that the MacBook (or any other product) is not vulnerable to this class of exploit? In my mind that’s a glaring omission. Apple could put this to rest with a single statement, but they haven’t.

As for Atheros, it may be that they haven’t been contacted directly. If this were a Mac-specific issue on native hardware I would probably contact Apple first myself, so the Atheros denial (which I believe is true) doesn’t affect the overall argument.

John’s next section is the most essential to his piece:

This entire saga boils down to one simple question: Have Maynor and Ellch discovered a vulnerability against MacBooks using Apple’s built-in AirPort cards and drivers? Given all the facts laid out in the previous section, you might at first think this question has been answered, and that the answer is “no”, but unless I’m missing something, this is, inexplicably, still an open question.

It’s not inexplicable; it’s a potentially valid situation if we are dealing with an unpatched vulnerability that no one wishes to disclose until a patch is released.

John continues:

We do have enough facts, however, to know with certainty that some of our protagonists will not emerge with their reputations intact. Someone, clearly, is either lying or incompetent (or both)… …For example, from Apple’s statement on Friday, we know that if Maynor and Ellch have identified an exploit against a stock MacBook, that they have not yet contacted Apple (or Atheros) with details about the vulnerability – which is both enormously irresponsible for ostensibly professional security researchers, and which contradicts statements they previously made to Brian Krebs that they had been in contact with Apple regarding their discoveries. Or, if they have contacted Apple, the statement issued by Apple’s Lynn Fox is flat-out false and Apple has committed an enormous, almost incomprehensibly foolish mistake, because such a mendacious lie will prove far worse for Apple than divulging a Wi-Fi exploit that, if it actually exists, is surely going to come to light soon anyway. I.e. why would Apple lie about this if Maynor could call them on it?

As shown we may have totally valid reasons for both the actions of Maynor/Ellch/SecureWorks and Krebs. Apple has only stated no code was exchanged and that no demonstration has been shown against native Mac hardware/software. Apple’s statement can be true, Maynor’s statements true, and Krebs’ statements true. How?

1. Maynor and Ellch may be following responsible disclosure guidelines and refusing to validate the vulnerability status of any hardware/software.

2. Krebs may have either misheard or reported something Maynor and Ellch didn’t mean to expose. If true, and they neither want to lie nor expose the vulnerability, the best course of action is to neither confirm nor deny.

3. Apple may know about the vulnerability and for the same reasons not wish to expose that their platform is vulnerable. The statement from Fox can be true without denying the vulnerability. Considering how protective Apple is of the brand I could see this as a very real possibility.

If SecureWorks, Maynor, and Ellch are working with Apple they could easily be in the position of not even being able to validate what platform was used. Why? Because most people are forgetting what their Black Hat/Defcon presentation was about.

In the presentation Maynor and Ellch discussed the use of “fuzzing” to discover device driver exploits. Only a very small part of the presentation was devoted to the specific exploit in the video. They each described different techniques for fuzzing and the systems they used to explore wireless driver vulnerabilities. The actual Mac hack was just a short demo at the end. A knowledgeable attacker could use this very technique to discover/exploit similar vulnerabilities across a range of wireless devices. This brings us to John’s conclusion (I’m skipping sections on other responses we’ve seen on the web to focus on Maynor and Ellch):

The principle of Occam’s Razor holds that the most obvious explanation is the most likely to be true. By that guideline and the evidence at hand, it is my guess that Maynor and Ellch are disingenuous publicity hounds who studied a previously-identified vulnerability in a FreeBSD Wi-Fi driver and concluded that they could perhaps use this published vulnerability against Mac OS X. I think they tried – and failed – to find an exploit that works against the standard AirPort cards and drivers used by nearly all Mac users, and that they then realized they could, in a demo, exploit buggy drivers other than Apple’s on a doctored MacBook and draw much more attention to themselves and their firm than if their demo had been performed on any other computer, using Windows or an open source operating system. I believe they “informed” Apple about a FreeBSD wireless driver issue that Apple already knew about, so that they (i.e. Maynor and Ellch) could honestly claim to have approached “about a I.e. that despite the fact that the exploit they had discovered is completely and utterly irrelevant to anyone using a MacBook with Apple’s default AirPort driver and card, which is to say all MacBooks other than the one that Maynor and Ellch modified specifically for their contrived demo, they chose to perform their demo using the MacBook.

Or, they discovered a related vulnerability as part of their research on fuzzing to expose device driver exploits. Trying to be responsible they don’t want to disclose the platforms involved until patches are released and used an unidentified third-party card. The BSD vulnerability might have shown them an avenue for research, but their presentation supports the position that their goal wasn’t to crack a single device, but to show new techniques for exposing a class of vulnerabilities. Unfortunately very few bloggers/reporters were in the presentation to see this.

John ends with:

Now that the “fireworks” are starting, my guess is that Maynor and Ellch, if they choose to defend themselves rather than quietly walking away from the table, will do so by claiming that they never stated nor implied that they had found any vulnerabilities in the MacBook’s built-in card and driver. But their prevarications were far too clumsy for them to get away with this. It is a simple yes or no question: Have Maynor and Ellch found a vulnerability that affects MacBooks using Apple’s built-in cards and drivers? That Maynor and Ellch haven’t answered it speaks volumes. Bring on the fireworks.

John’s totally correct- one option is they can come out and state they never claimed native drivers were vulnerable. In that case the only person at fault is Krebs, in his blog. But there’s another option- Apple could release a patch, or Maynor/Ellch could release details (or both at the same time). Then everyone is right, although Apple PR doesn’t come out as well.

I think John has, by far, the best analysis of this situation but it leads me to a different conclusion. I can see how in the process of being responsible and of working with Apple that Maynor and Ellch would keep quiet as the fireworks start.

I don’t know how this will end up. I don’t know what will finally be released (or not). But using only John’s own analysis (and the fact I saw the original presentation) I can easily see Maynor, Ellch, SecureWorks, and Krebs emerging with their reputations more than intact. (edited 8/22 to clean formatting)

—Rich


Comments:


By GW Mahoney  on  08/22  at  08:01 AM

The video in question was only shot with one camera. Thus, the screen shot being overanalyzed may not match the procedure they are describing. In fact, we know it doesn’t show what they say is happening, but I don’t think it is intentional deception. These guys are hackers, not cinematographers. Don’t read too much into the screen close-up.

On the other hand, Apple and MS do not attack researchers who try to show them vulnerabilities. I am very surprised you write the press release off so blithely. SecureWorks would have every right to publicize the exploit now. I think they’ve wheeled out an old FreeBSD vulnerability that does not affect AirPort, and Apple is tired of the bad press while Maynor and Co try to make an exploit out of it. They may come up with a crash later, or something equally unimpressive and try and salvage their reputations, but clearly they don’t have it yet, or else Apple would not be waiting for it weeks after the conference.

They never should have said that they could hack the AirPort drivers until they were ready. Now Krebs and Maynor look like idiots.

By rmac  on  08/22  at  08:07 AM

This story is dividing people in two categories: those who were in Vegas and those who weren’t. What is really disturbing here is that some analysts like Jim Thompson and David Shaw have had access to see the high resolution video of the demo. They have been able to see what was typed in the terminal. I don’t think that people who were in the room did have that kind of view on what was happening. So if you were there some 100 feet of the podium, that doesn’t really make you an expert of everything. They have made their analysis based on what they saw on the video.

We can read between the lines forever. We can argue whether "is" means "is" or something else. There are also some cold hard facts. Shaw did not see signs of root-level access in the video which is troubling since exploit at driver-level should grant that. He writes: "And when he "cd"s to "Desktop", he isn’t using "/Users/dave/Desktop", he just types "Desktop"." What is your comment on that?

On the other hand Thompson writes: "Inspection of FreeBSD’s ieee80211_input.c shows that data frames with both FC blts cleared are dropped, so this avenue isn’t open as an exploit on Apple’s hardware". Are you saying that he is wrong? If so, do you have anything to prove your point?

We should remember that there is PR talk and technical talk. We don’t need to start analyzing what the PR people say because we also have very detailed technical information available.

By rmogull  on  08/22  at  08:29 AM

I’m fortunate enough to have had a personal demonstration of the exploit (on the third party card) with a detailed discussion of the technical issues.

Based on those discussions and the demonstration I’m convinced this is real. Maynor took a few demo shortcuts to enable the reverse shell but has explained to me how the exploit could be used to drop a bot on the exploited system. Basically a separate network association was made to enable the reverse shell since the exploit crashes the wireless as part of the attack. A real attacker would have to drop call-back code to reconnect after the wireless came back up. It was thus a demonstration shortcut that isn’t necessary in a real world attack.

I think we’re all spinning our wheels on this one and the truth will be out soon. From a technical standpoint I’m convinced the demonstration at Black Hat (and the one I saw up close) were real. I’ll be the first to apologize if I’m wrong.

By rmac  on  08/22  at  09:49 AM

I don’t know what it means that the demonstration is real. You saw what you saw. The key thing here is can you prove that with the exploit one is able to get root? Is Shaw wrong in what he saw? Dropping a file and dropping a bot are two very different things in Darwin, Unix and Linux. In Windows it usually is less challenging to execute a binary that has been injected. Of some posts I keep getting the feeling that not all of the bloggers get that.

Another thing that keeps confusing people is the wild assumption that a driver problem that occurs in FreeBSD must occur as well in Darwin. There is no technical background for such an assumption. For Brian Krebs all the evidence he needs is the lack of a patch from Apple. How to patch a problem that doesn’t exist?

By rmogull  on  08/22  at  10:14 AM

Code is injected into the kernel- you can inject a process running with kernel privileges. If you’d like this to give you root, I’m sure it’s possible since you now have an arbitrary process running in ring 0 (root doesn’t matter in ring 0).

Agree- it is a mistake to assume that a FreeBSD flaw is also in Darwin. But this doesn’t matter if there is a flaw in a device driver specific to a particular OS. In my mind the FreeBSD flaw is just an example of this class of vulnerability, as was the patched Centrino flaw. It doesn’t mean that’s where the flaw originated for the third party wireless card. There could be independent vulnerabilities.

Actually, I expect a bunch of these to crop up on different platforms with different wireless devices.

By rmac  on  08/22  at  11:34 PM

I thought the demo showed a file planted on user’s desktop. What do you mean by injecting code into the kernel in this case?

"But this doesn’t matter if there is a flaw in a device driver specific to a particular OS."
It does matter since a big part of computer security is in the way drivers are distributed. Microsoft is using “signed” drivers that have some sort of approval. Linux is probably the most vulnerable in this sense since very few hardware vendors provide official Linux drivers. The users cannot be sure what code they compile when they try to get their wlan adapter working.

In the case of Apple there is hardly ever a situation when a user would need to install a driver. In the past few years I’ve plugged tens of cameras, scanners, drives, mice and keyboards into my Macs and never had a need to install any drivers. That’s part of the way the product was designed: it has all the drivers needed. By this Apple can also make sure that the drivers don’t cause security risks.

This is also one reason why the people have thought the demo was unfair. There is no reason to install a third-party wlan adapter but there is even less reason to install any additional drivers. It’s just not a good demo if you first purposely make the hole and then exploit it.

By Gozi  on  08/23  at  04:09 AM

There is no reason to install a third-party wlan adapter but there is even less reason to install any additional drivers.

I install my 3rd party card in my 802.11g-enabled notebook all the time for two reasons:

1. To take advantage of proprietary range/speed enhancements when connected to my (same 3rd party) access point.  125 Mbps at the kitchen table!

2. My built-in kit (is this 1st party or 2nd party?) doesn’t support WPA2 (or other of the latest WiFi security bolt-ons) and neither does AirPort if it’s non-Extreme(tm) hardware or your Mac OS is earlier than 10.4.2… etc., etc..

By rmogull  on  08/23  at  05:22 AM

rmac,

When the exploit occurs it executes code in the kernel to create the reverse shell. What happens is the wireless attack exploits a vulnerability in the third-party wireless device driver. That vulnerability allows code to run in the kernel. The code inserted tells the victim machine to connect back to the attacking machine (over a second wireless connection that isn’t hacked using the native Airport Extreme card) using a shell (I guess using Telnet, but forgot to ask that part). In the video Dave then creates a file on the Desktop to show he controls the victim. To save time, as part of the exploit code that creates the reverse shell Dave runs a script that puts him right on the desktop, which is why he just has to type "Desktop" as shown in the video. If he hadn’t added that part of the script, he would have had to type the full path, as you noticed a couple of posts back.

As for purposely making the hole by using a third party card, Dave had to do that to show the demonstration without revealing what hardware/drivers were vulnerable. In my mind that’s being responsible.

By ticktock  on  08/23  at  06:17 AM

As for purposely making the hole by using a third party card, Dave had to do that to show the demonstration without revealing what hardware/drivers were vulnerable

OK, maybe, but if he were being all that responsible it might have been better to conceal the fact he was using a Mac, rather than highlighting it in the presentation.

By Crazy Apple Rumors Site » Blog Archive »  on  08/24  at  05:23 AM

[...] This is the graph that Maynor’s defenders kind sorta wish wasn’t there and, if you repeat it, will probably make them stick their fingers in their ears and go “LA-LA-LA-LA-LA-LA! I AM NOT LIS-TEN-ING!” [...]

By rahrens  on  08/24  at  06:54 AM

“As for purposely making the hole by using a third party card, Dave had to do that to show the demonstration without revealing what hardware/drivers were vulnerable”

Sorry, but in the case of Apple equipment, this is a stupid excuse.  He was using a MacBook to perform the demo;  everybody knows who the manufacturers of the laptop and the internal card are, it’s not like he was demoing on an anonymous laptop or anything!

By using the MacBook, the authors allowed themselves to be seen as biased, especially given the dumb remarks made in the interview.  If they had merely made the attack on a Dell or another, brand-anonymous laptop, and made the statement that the vulnerability was with more than one platform, that would have given them more credibility, without all the mudslinging that has gone on to obscure the issue.

For the purposes of the demo, I would much rather have seen them perform the call back mentioned earlier, than the clumsy shell.  It was misleading, especially to the press and uninformed users, and did nothing to advance their position.

And GOZI:

"2. My built-in kit (is this 1st party or 2nd party?) doesn’t support WPA2 (or other of the latest WiFi security bolt-ons) and neither does AirPort if it’s non-Extreme(tm) hardware or your Mac OS is earlier than 10.4.2… etc., etc.."

Of course you do, you obviously have an earlier model than a MacBook;  this demo is about the MACBOOK, which is newer.  Your model is not mentioned as one connected to this vulnerability.  At least so far.  So MacBook users really have no reason to use a third party card or driver.  Trust me, I’ve got one, and it would only complicate my life without adding an ounce of additional functionality to my MacBook.

Look, folks, Ou has said that he has information that is covered under an NDA he has with the authors.  Fine.  Let’s wait until he is released from that restriction and see what he has.

I think it’s obvious that Maynor and his compatriot are still working on this.  What they’ll have, who knows.  Why didn’t they have it all when they demo’d?  Was Apple dissembling when they used language in their release that didn’t specifically state that the authors were IN COMMUNICATION with them - or were working with them on the issue?  All the statement said was that Maynor hadn’t "shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

While that statement can be parsed any number of ways, depending on your position in this issue, it can be construed to mean that the authors really haven’t shown Apple that their internal hardware/software is vulnerable to that particular hack.  It doesn’t say they haven’t talked.  But just talking doesn’t demonstrate anything, it doesn’t prove anything.

What it means is, like the little old lady in the old MacDonalds commercial:  "Where’s the beef!"

Krebs’ reporting, and Ou’s, as well, have been blatantly biased.  They fell prey to what Mac enthusiasts have been warning about all along - the excitement of being the first to either hack a Mac or report it being done.  Their efforts have been clumsy and unprofessional because they didn’t insist on getting answers to some obvious questions.  They WANTED it to be true, just like Dan Rather.  As a result, this issue has been clouded by all sorts of questions, claims, counter-claims and innuendo.

In due time, I expect, the authors will come forward with the results of their efforts.  Hopefully, this time they will demonstrate their claims fully and responsibly to the satisfaction of all parties.  I hope so.  The past actions of the authors and their supporting bloggers have so muddied the waters that the bar is higher than it would have been if they’d have just done it right in the first place.

By rmogull  on  08/24  at  08:55 AM

rahrens,

I must be misunderstanding your point. They used a third party card to avoid showing that the native MacBook card/drivers are vulnerable. This isn’t a stupid excuse- the attack demonstrated did not use any native Mac software, nor take advantage of any flaw specific to OS X. The flaw was specific to the driver for the third party card that they had to manually install. Not all third party USB wireless devices work without a manual driver install- I personally have an external device I use for wireless hacking demos and I had to install drivers for it. (I own 2 Macs, just bought one for my Mom, just convinced my sister to buy one, and am saving for another for my wife- so I’m firmly a Mac user and convert everyone I can, just so you don’t think I have anything vested in knocking Apple).

Thus we all know it’s a MacBook and OS X, but the flaw demonstrated is in the unidentified external device driver, not OS X itself.

Maynor and Ellch have been clear that all they demonstrated was a flaw in a third party device that happened to be running on a Mac. They used OS X as the target for a few reasons, but one being to ensure no one thought this was just a "Windows" problem.

If the authors have been asked not to disclose the vulnerability by Apple until they are ready to issue a patch there is NO WAY they can responsibly provide any more information. We’ll have to wait and see if that’s what’s going on.

Maynor and Ellch are both Mac users, for the record.

By savetheclocktower  on  08/24  at  11:02 AM

"They used a third party card to avoid showing that the native MacBook card/drivers are vulnerable. This isn’t a stupid excuse- the attack demonstrated did not use any native Mac software, nor take advantage of any flaw specific to OS X."

This would make perfect sense under other circumstances.  But Maynor and Ellch went out of their way to emphasize that the MacBook’s native wireless card was vulnerable.  In other words, they demonstrated the exploit and identified a specific card that was vulnerable to a similar exploit.

I’m assuming the exploit is similar because otherwise there’d be no reason to grab headlines announcing one exploit, then justify that claim by demonstrating an unrelated exploit on separate hardware.

I can believe Maynor and Ellch are acting in good faith, but if that’s the case then they did and said some really stupid things.

"If the authors have been asked not to disclose the vulnerability by Apple until they are ready to issue a patch there is NO WAY they can responsibly provide any more information."

Perhaps, but they can answer questions about the demo itself, such as the aforementioned "running as root" controversy.  Yet they haven’t.  Again, I can believe they’re keeping their mouths shut for good reasons, but I don’t blame people for not granting them the benefit of the doubt.

By pauldwaite  on  08/24  at  08:48 PM

I’m afraid I don’t have any useful technical knowledge to help the discussion, but there’s one statement in your article I’m not sure on:

> "Notice Apple has not made any formal statement that the MacBook (or any other product) is not vulnerable to this class of exploit? In my mind that’s a glaring omission. Apple could put this to rest with a single statement, but they haven’t."

Surely no computer or software producer would ever state, on the record and unequivocally, that their products were invulnerable to a class of exploit? How could they be sure? Surely without code being shared with them, they couldn’t responsibly state their position one way or the other?

By ianbetteridge  on  08/24  at  09:40 PM

<blockquote>"But Maynor and Ellch went out of their way to emphasize that the MacBook’s native wireless card was vulnerable."</blockquote>

As I understand it, this claim was made by Krebs. Maynor and Ellch have neither confirmed nor denied it.

Incidentally Rich, welcome to the world of commenting on the Mac. You’re already being accused of being part of a "black PR conspiracy" against the platform in the comments over on my blog (check out "Zato"’s comments at http://technovia.typepad.com/technovia/2006/08/is_the_macs_air.html#comments)

By rmogull  on  08/25  at  02:11 AM

Ian,

Thanks for the link- considering how I feel about Macs (and am typing this on a Mac, sitting next to another Mac, with a third Mac being delivered by DHL today) it’s amusing. I responded over on your site.

By Hamm On Wry » Blog Archive » I know th  on  08/28  at  05:23 PM

[...] After reading about the MacBook Hijack and the resulting commentary from the highly-regarded (by more than me, honestly) John Gruber, the logic-mashing inanity of George Ou and the realistic-yet-still-easily-disproved sub-evaluation by Rich Mogull it’s quite easy to figure out and explain to you, dear reader, what is really going on. [...]

By MacAzine :: MacBook als goocheldoos :: August :: 2  on  08/29  at  05:13 AM

[...] For more details (but then also read all the comments!): see e.g. http://securosis.com/2006/08/21/another-take-on-the-mac-wireless-hack/    Comments » [...]

By bkwatch  on  09/01  at  12:16 PM

Thanks for your generally sober commentary.  I agree with 80% of what you are saying.

But a few points to clear up:

1.  You claim Maynor/Ellch are Mac users—how did you get this information?

2.  Maynor/Ellch claim to have shown the demo to three people at Blackhat:  You, Krebs and Ou?  Were there other people with you when you were shown the demo in person?

3.  Did Maynor/Ellch make you sign an NDA before viewing the demo in person?

That being out of the way, here’s some more thoughts.

1.  If you follow Thompson’s viewing of the video, it appears that the video may be showing an exploit against the native AirPort card, NOT the 802.11 USB card.  If that is true, does it violate any ethical consideration for a security researcher to then claim later the video only shows an attack against the USB?

2.  Very minor point, you say:

<blockquote>"Yes- we’re parsing words as finely as a politician here but if there’s one thing I’ve learned in 5+ years as an analyst it’s to never trust PR, no matter how respectable the vendor they represent it. Notice Apple has not made any formal statement that the MacBook (or any other product) is not vulnerable to this class of exploit? In my mind that’s a glaring omission. Apple could put this to rest with a single statement, but they haven’t."</blockquote>

<blockquote>"As for Atheros it may be they haven’t been contacted directly. If this is a Mac specific issue on native hardware I would probably contact Apple first myself, so the Atheros denial (which I believe is true) doesn’t affect the overall argument."</blockquote>

It’s a little ironic that in one paragraph you say that "never trust PR" then in the next say the "Atheros denial (which I believe is true)".  Why trust Atheros more than Apple on this?

Just to make my point clear, I don’t have much of a problem with Maynor/Ellch.  I even grant you your version of events might be correct.  I do have a problem with Krebs’s and Ou’s reporting of the issue.

I am asking about the NDA because Ou claims to be under one, you make a reference to "secrets" but Krebs has not said anything about an NDA at all, and given that he posted his transcript of his interview, it appears he is not under an NDA.

Brian Krebs Watch

By rmogull  on  09/03  at  01:29 PM

Reasonable questions:

1. I’m in direct contact with them (Ellch only at the conference, still with Maynor). At Black Hat/Defcon that’s what I saw them using.

2. I saw it over live remote video (on my Mac over AIM), not live at the conference. Thus there was no one else around. I got to ask detailed questions at each stage.

3. I do not sign NDAs so legally could disclose what I’ve seen or know. But I respect when someone asks me to keep something confidential, especially when I think it’s for a legitimate reason.

Now for the second set of points:

1. The attack is definitely against the third party wireless card. The native card is associated with the PC (as an access point) to enable the reverse shell only. If that connection were attacked successfully (using a different exploit, being a different card) the reverse shell wouldn’t work since the attack kills the wireless association. At least the exploit that works on the third party card does; I suppose if there were one for the native wireless it could possibly leave the connection live, but I doubt it.

2. Because I didn’t think Atheros was contacted at that time.

Krebs isn’t under NDA- he’s a reporter running under journalistic ethics (and I only know what those are from watching TV). I’m not under a formal NDA but have agreed to keep certain details in confidence until released.

What I can say is the exploit demonstrated in the video against the third party card is absolutely real.

By bkwatch  on  09/04  at  06:50 AM

Rich, thanks for your answers.  I was a little confused by your answer to #2 (it sounds as if you got a private demo via AIM AFTER the conference) but don’t worry about that—I was trying to clear up a statement by Dave that he gave a demo to 3 people at the conference.

And thanks also for answering the questions about the NDA—the object there is not to pry but just to see if Dave Maynor is requiring an NDA before viewing the demo live, or just asking people to keep it quiet until released.  I was a bit confused about George Ou saying he was "under an NDA" when in all likelihood it was a similar arrangement or an appeal to "journalistic ethics".

In addition, thanks for the insight on the native card being used to enable the reverse shell.

Just to be clear, I don’t have a problem with Maynor/Ellch—if there is a flaw in my Mac I want it fixed, fast—but I do have a beef with Krebs’s and Ou’s reporting on this issue.

So, not trying to be combative, if the native card is just being used to enable the reverse shell, how do you account for Brian Krebs’s version of events—where he claimed to have seen the exploit done on a MacBook without a third party wireless card attached—during his private demo before the conference?

By rmogull  on  09/04  at  08:57 AM

Others may have signed an NDA, I haven’t asked. Yes, my personal demo was after the conference. We were going to try and do it at Defcon but we couldn’t make it work with our schedules.

I can’t comment on what others may have seen. My demo was after the conference and essentially exactly what was shown in the video (except I got to ask a lot of detailed questions).

I met Brian and he seemed like a nice enough guy- better than a lot of reporters I’ve worked with over the years. I definitely won’t get involved in any controversy around his reporting, but am happy to discuss what I know and can release.

I do think this is blown out of proportion. There’s been a weird series of events around the presentation and I suspect the real story will eventually emerge.

By bkwatch  on  09/04  at  10:01 AM

Rich, again, thanks for your comments and clarifications.

RE:  a "weird series of events around the presentation and I suspect the real story will eventually emerge"—I couldn’t agree more.  But the weirdness started when Brian Krebs broke the story in the morning that a MacBook was going to get hacked via AirPort, the video showed something else (a third party card), Krebs refused to back down on his story and released a transcript contradicting what Maynor and Ellch were saying elsewhere, and then accused people of "hate mail" when they tried to get the real story.  Blown out of proportion—yes—but let’s be clear on who is doing the blowing.

By Maynor/Ellch Mac wireless exploit resurfaces &raqu  on  03/07  at  07:55 AM

[...] The fact that this is a publicly held company that was prepared to go to the wire and use someone else’s registered trademark for a new product demonstrates that Apple is not risk-averse, to put it mildly. Let’s look at Lynn Fox’s original statement: “Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is. To the contrary, the SecureWorks demonstration used a third party USB 802.11 device — not the 802.11 hardware in the Mac — a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.” [...]
