SecureWorks admits falsifying Apple MacBook ‘60-second wireless hijacking?’

David Chartier reports for TUAW, “Remember those hackers in the Washington Post story who claimed to have hacked a MacBook’s wireless drivers to gain control of it? Then remember the follow-up story where the author, Brian Krebs basically, um, how shall I say: ‘slightly falsified’ his way through backing up the original story with excuses that the flaw does exist in Apple’s drivers, but Apple ‘leaned’ on them not to publicize this so they decided to use a 3rd party card? Finally, remember how, in the original article, David Maynor, one of the hackers, is quoted saying ‘We’re not picking specifically on Macs here, but if you watch those ‘Get a Mac’ commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something.’ Boy, that sure doesn’t betray any sense of ‘I am going to lie, cheat and steal to prove whatever I want’ bitterness, does it?”

Chartier reports, “Sounds like SecureWorks, the company who sponsored all this Mac hackery, is finally fessing up to their falsification and admitting that they, in fact, did not find the flaw in Apple’s drivers, and that they used a 3rd party card and software to facilitate the exploit.”

Full article here.

SecureWorks’ statement:
This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers. Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver – not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available.

Full article here.

Thomas Claburn reports for InformationWeek, “Apple sees the clarification as vindication. ‘Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is,’ Apple spokesperson Lynn Fox said in a statement. ‘To the contrary, the SecureWorks demonstration used a third party USB 802.11 device – not the 802.11 hardware in the Mac – a device which uses a different chip and different software drivers than those on the Mac. To date, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.'”

Full article here.

Earlier this week, The Washington Post’s Brian Krebs wrote, “I’ve been asked this many times, so let me make this crystal clear: I had the opportunity to see a live version of the demo Maynor gave to a public audience the next day. In the video shown at Black Hat, he plugged a third-party USB wireless card into the Macbook — but in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in. As far as I’m aware, only one other person at the conference saw the demo the way I saw it (a Black Hat staff member whom I’m not at liberty to name); the discrepancy over the wireless card is probably the biggest reason why the Mac community was so confused and upset by my original post. I tried to clarify that in a follow-up, and am posting the contents of that interview — verbatim — to give the public all of the information I have about this particular exploit.”

Full article here.

MacDailyNews Take: Shouldn’t Apple seek some sort of recourse? Some monetary compensation and/or public apology or at least a shot at stabbing these bozos in the eyes with lit cigarettes or something?

Related articles:
Re: Brian Krebs’ reporting on supposed MacBook Wi-Fi exploit – August 04, 2006
Hijacking an Apple Macbook in 60 seconds video posted online – August 03, 2006
Hijacking an Apple Macbook in 60 seconds – August 02, 2006

63 Comments

  1. Perhaps I’m missing the most glaringly obvious thing of all but…

    How do you plug in a third party wireless card to a Macbook? It has no expansion slots. Does anyone even make an external wireless USB adapter? And if not, how can their “modified” hardware be trusted?

  2. Not only did they not “exploit” the built-in wireless card and driver in the MacBook, that so-called third-party wireless “card” was itself some hack job. No one calls a USB wireless device a “card”; they are ALL called “adapters” and they look like those USB flash micro drives. That white thing in the video looked like it was made from white cardboard.

    My theory… the whole thing was fake. They demo’ed to the journalists with regular non-hacked wireless connectivity using the built-in MacBook connection – NO “hijacking.” I’m sure a bunch of techheads can fool a bunch of journalists into thinking the connection was hacked, when it was just a normal “permitted” connection. That’s why, when that Brian Krebs guy saw the demo earlier, there was no USB device. Later, when they had to show it to a larger audience, they realized they could not fool everyone. So they folded and taped some white cardboard over a USB flash drive, called it a wireless “card,” and proceeded to do the fake demo again (this time on video).

    They now claim that they cannot disclose the source of the wireless card or driver, so no one can prove that they faked the whole thing. How convenient… Not only did they not hack Apple’s wireless hardware (which they admitted), they probably did not hack any wireless hardware at all.

  3. Well Mr. Krebs has posted some sort of backpedal on his blog but it is very unsatisfactory and doesn’t actually acknowledge that the whole thing was a lie or his part in spreading the lie. It is actually full of ass covering with him blaming everyone else but himself.

    http://blog.washingtonpost.com/securityfix/2006/08/update_on_the_apple_macbook_cl.html

    So I posted this on his blog as well:

    “. . . the point here is that Mr. Krebs, as a journalist, has a duty to the public to thoroughly investigate facts and both sides of any claims to be fact.

    The headline of the original has turned out to be a very one-sided slant on the facts. It is akin to writing a headline that states “Man has sex with 3 women in one night” meanwhile omitting to say that he had actually kidnapped, raped and tortured them as well.

    The fact is also now coming out that the whole exercise was basically a sham and Mr. Krebs, by not being an impartial or judicious observer, reporter and investigator of the facts was party to the sham.

    As a journalist you cannot take video evidence provided to you by an interested party in a claim as proof of the claim and that is what Mr. Krebs did which has pretty much negated any credibility he has as an impartial reporter of the facts.

    Any fool can make claims about anything and journalists have a duty to the public to report all sides of the story and take the claimants to task. Mr. Krebs pointedly failed to do this.

    From now on I will certainly be taking Mr. Krebs’s future “musings” as precisely that and not ascribe to them any form of journalistic credence.”

  4. David Maynor’s Q&A slides, which he made available in security forums, show for Question 6:

    [Q]
    I saw some people quote you as saying the bug is in the built-in card and other people quote you as saying it’s not, who is right?
    [A]
    They both are. The exploit shown in the video was targeting a specific third party driver and that same vulnerability does not affect the built in card. We are, however, doing ongoing research on the built-in card as well and have shared our findings with Apple.

    ‘Nuff said. Krebs lies when he says he saw the hack on the internal wireless card of a MacBook.

    It is to be noted that Apple explicitly said they have received no word from Maynor and/or Ellch.

    I have no intention to take sides in this discussion (I believe both SecureWorks and Apple could approach the issue at hand in a more professional and effective manner) but I can’t avoid pointing out that this discussion would not exist if the common and well-accepted methodology of modern science was followed:

    Researchers are supposed to document and publish their work; methodology, the specific conditions and assumptions and the results of their experiments so they can be scrutinized by their peers and other independent third-parties in order to verify the validity and implications of their work.

    If we really expect anybody to consider infosec research a serious profession based on scientific foundations we need to be willing to accept and demand the practices of modern science when it comes to research work.

    Otherwise we will continue to discuss about secret marketing and PR agendas, veiled threats, implausibly bullet-proof (unbreakable?) software and your favorite flavor of conspiracy theories.

    I am very skeptical about any allegations of bulletproof security qualities in Apple’s drivers: as there is no silver bullet in software there is no bulletproof security either, but I am equally skeptical about SecureWorks’ research findings unless they are presented for public scrutiny. I realize that may happen tomorrow, next week, next month or next year (or never)…

    Until then, I’ll just sit and watch the fireworks or go find the facts myself :)

  5. Now that I think of it, those posts might disappear as well, hence here for the record:

    Posted by: Seahawk | August 19, 2006 06:13 AM

    Jim Thompson writes: “It’s worse than Brian admits.

    The USB device was NOT IN USE during the video.

    The “hack” took place using the internal Apple Airport card.

    Details here: http://www.smallworks.com/archives/00000461.htm

    Can you read and understand, man?

    “Inspection of FreeBSD’s ieee80211_input.c shows that data frames with both FC bits cleared are dropped, so this avenue isn’t open as an exploit on Apple’s hardware. (At least, not on the Atheros-based hardware, and I happen to know the guy who maintains the Apple Broadcom driver, and he’s sure to have closed that hole as well.)

    What is really telling is that Maynor and Ellch have to have known about this bug (they admit to same when they attempt to discredit me), so they MUST HAVE TRIED TO EXPLOIT IT on Apple’s “Airport” hardware.

    And they must have failed.

    But rather than come out and state “the Airport card is not vulnerable”, they decided that they must have enough sizzle in their story to get noticed. It just wasn’t going to get anyone’s notice if they showed their little hack on Windows. Everyone knows that Windows is swiss cheese by now.”

    Posted by: Seahawk | August 19, 2006 06:16 AM

    More on the issue about the ifconfig showing the internal wireless used. As stated in the presentation on slide 70 at Black Hat, most often a direct return shell is not possible.

    En1 actually is the built in wireless card, but you don’t run this exploit against an IP, you run it against a Mac address. En1 was associated to the linux machine (the Dell laptop) as a way to get the connectback shell to work. Normally with these types of exploits the wireless driver you exploit will either die or cease working correctly. So the USB driver carries the exploited flaw, then to carry on with the hack en1 got used as the transport for it.

    Without this COMBO you could not hack the MacBook. Which is to say it is NOT exploitable per se, as Apple and Atheros are indeed trying to say.

    Posted by: Seahawk | August 19, 2006 06:27 AM

    Not only that, even the USB card ALONE is not exploitable: the driver would die. So far, thence, only if you get yourself set with two ways to carry on wireless access, one to get hacked, and the second to keep the connection alive when the hacked driver dies or stops working.

    It is certainly a serious problem to be fully researched upon or spun to get some easy publicity. But it is definitely a cigarette that proved to be hurtful, only not for the intended target.

    Posted by: Seahawk | August 19, 2006 06:36 AM
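The quoted smallworks post above describes one specific receive-side check: a station in infrastructure mode drops 802.11 data frames whose ToDS and FromDS bits are both cleared. The following is an added illustration of that check, written here and not taken from FreeBSD, Apple or any of the parties in the thread; the frame bytes are constructed for the example, and the function and field names are my own.

```python
"""Decode the 802.11 Frame Control field and apply the check described in the
comment: an infrastructure-mode station does not accept a data frame whose
ToDS and FromDS bits are both cleared. Sample headers are constructed, not captured."""
from dataclasses import dataclass

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}


@dataclass(frozen=True)
class FrameControl:
    version: int
    ftype: int
    subtype: int
    to_ds: bool
    from_ds: bool
    protected: bool


def parse_frame_control(frame: bytes) -> FrameControl:
    """Decode the two-byte Frame Control field at the start of an 802.11 header.
    Byte 0: protocol version (bits 0-1), type (bits 2-3), subtype (bits 4-7).
    Byte 1: ToDS (bit 0), FromDS (bit 1), Protected (bit 6), among others."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    b0, b1 = frame[0], frame[1]
    return FrameControl(
        version=b0 & 0x03,
        ftype=(b0 >> 2) & 0x03,
        subtype=(b0 >> 4) & 0x0F,
        to_ds=bool(b1 & 0x01),
        from_ds=bool(b1 & 0x02),
        protected=bool(b1 & 0x40),
    )


def station_should_drop(frame: bytes) -> tuple[bool, str]:
    """Return (drop, reason) for a frame arriving at a station associated to an AP.
    A data frame with neither DS bit set is an ad-hoc (IBSS) style frame and is
    rejected; any other frame passes this particular check."""
    fc = parse_frame_control(frame)
    if fc.version != 0:
        return True, "unknown protocol version"
    if fc.ftype == 2 and not fc.to_ds and not fc.from_ds:
        return True, "data frame with ToDS and FromDS both cleared"
    return False, f"{FRAME_TYPES[fc.ftype]} subtype {fc.subtype} accepted"


# Constructed sample Frame Control bytes (hypothetical, not from any capture).
SAMPLES = {
    "data_from_ap": bytes([0x08, 0x02]),  # type=data, FromDS=1
    "data_no_ds": bytes([0x08, 0x00]),    # type=data, ToDS=FromDS=0
    "beacon": bytes([0x80, 0x00]),        # type=management, subtype=8
    "qos_data_wds": bytes([0x88, 0x03]),  # type=data, QoS, ToDS=FromDS=1
}

if __name__ == "__main__":
    for name, fc_bytes in SAMPLES.items():
        print(name, station_should_drop(fc_bytes))
```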

  6. Also, again, I’d urge you to read this:

    http://www.macworld.com/forums/ubbthreads/showthreaded.php?Cat=0&Number=438291&page=0&vc=1

    In fact, I’m going to reproduce it here:

    It looks to me that Dave Maynor was blowing smoke in the demonstration anyway. From Brian Krebs there is a transcript. While the apparent deception continues through the use of cryptic and what appears to me technobabble, you can read his “explanations” and the credulous responses from Krebs.

    Some highlights with my commentary:

    Maynor: OK, so the first step in this is we want to turn this [Windows laptop] into a wireless access point.
    BK: Oh, so you do have to have it connected?
    Maynor: No, this is just for the demo. This is the way we’ve developed the demo. If I explained it any other way, you wouldn’t see anything. It would just say, “Exploit done.” This way you can see the results of it.

    If you have an exploit that can “own” a computer there are an infinite number of ways that you could demonstrate the results of that beyond an “Exploit done” message. This reply makes no sense yet Krebs does not ask obvious questions.

    BK: So explain to me again how it is that — you said earlier that you put these two on the same subnet, because you wanted to be able to show the exploitation on the Mac system, right? But what if they weren’t on the same subnet?
    Maynor: So that demo compromises the Macbook, and allows me to log into it interactively. It’s just like I’m sitting at the keyboard on the Mac. So that’s possible because we’re on the same IP network.

    This is apparently a deception on Maynor’s part. It is hard to understand through Maynor’s obfuscation tactics but apparently he is running code on the MacBook to supply a shell back to the Dell notebook acting as the access point and exploit machine. To say that because they are on the same IP network allows a connection to a shell is bizarre. (I think Maynor means the same subnet here and not IP network but it isn’t clear that he really understands what he is talking about.)

    BK: I understand. But let’s say this thing isn’t connected to your network, and it’s just broadcasting and looking for an AP?
    Maynor: So at that point there’s no way for a connect-back shell to work because we don’t have a central communication medium, so without writing my own driver that’s going to insert to like bring up the card and get the same IP address on my network, we can’t do bi-way TCP communication. So, an exploit in that case would look like — you would exploit that Macbook, and you would put something on it like a bot. But this wireless exploit is an exploitable flaw and it’s in the wireless IP stack.

    This is where he admits his lie in the previous question and answer. Maynor admits here that he can’t insert his own driver to allow a shell to connect back to the exploit machine. He implies that it would be possible but not that he has done such a thing. Yet, he apparently shows exactly that in his demo. So, if he doesn’t have a driver that does that, how did he demo it? It appears likely at this point that he faked the demo. Again, Krebs does nothing to follow up on this. Krebs appears to be incapable of understanding the implications of what he has just heard.

  7. BK: OK, so in that case, the machine would be exploited and you would have it connect up to your IRC channel of choice or something like that?
    Maynor: Exactly. It’s just like any other exploit, but the only difference is the communications medium in which that exploit gets delivered. And this could just as easily be a proximity attack — if you have an exploit for a certain type of wireless card, and wait until they come into range — and then using fingerprinting software, determine what kind of wireless card they have and what driver, if they, say, come into the coffee shop and are using a card and firmware that you have an exploit for you could attack them.

    Now we get to the real heart of the claims. Maynor claims to have found a way to inject code into a computer through a wireless device driver. This is a pretty bad security hole. But he apparently hasn’t really gotten it to work in any real way. If he had gotten it to work, he would certainly have demonstrated that exploit instead of the apparently fake one. That isn’t to say that someone else wouldn’t be able to exploit the hole but until that happens, this remains a theoretical exploit and not something that is an actual threat.

    Now Apple is saying that they don’t have any evidence that their shipped drivers have this problem. That isn’t to say that Apple is right, they’ve obviously had security flaws in the past but who are you going to believe at this point, someone who seems to have faked an exploit demonstration or an official spokesperson for Apple?

    One more point on Krebs. Here is what he says in his article on seeing the exploit himself, “I had the opportunity to see a live version of the demo Maynor gave to a public audience the next day. In the video shown at Black Hat, he plugged a third-party USB wireless card into the Macbook — but in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in.” If this is true, then the Apple spokesperson is either misinformed or worse lying. Yet the company that Maynor works for is specifically disclaiming that they exploited the driver in OS X. I think the follow-up from Krebs will be very interesting. If he is wrong about what he saw, his reputation as a security expert is in tatters.

  8. Windows geeks eh? The ‘getamac’ campaign has really pissed them off in a big way and touched the rawest of raw nerves.

    They are SO sensitive aren’t they?

    A couple of his geeky friends have obviously seen the light and switched to Mac, and he just can’t accept it.

  9. A very late follow-up (I was away for the weekend) to Not Applicable – I agree. I never said that reception was a problem on recent models, or on the great majority of Apple laptops (my MacBook Pro has great Wifi reception). Just those PB G4s. My organization has a few of them and they have been a problem. I was responding to Uhh and Raymond’s questions as to why anyone would ever want a third party card. My post wasn’t meant to comment on SecureWorks’ scummy tactics in any way; everyone else here has done a fine job of that.
