Follow-up to the Macbook Post

I'd like to respond to the people who commented on yesterday's post about the video's depiction of the use of a third-party wireless card on the Macbook. I spent more than an hour with Dave Maynor watching this exploit in action and peppering him with questions about it.

During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable.

To all of the commenters who complained about why this demo was not shown live, I refer you back to the text of the blog post, which pointed out the dangers inherent in showing this type of exploit live to a room overflowing with curious hackers who would like nothing more than to capture a copy of the exploit wirelessly and experiment with it.

Again, the whole point of this story was not to pick on Macs, but to point to a security issue that affects multiple operating systems and one that is long overdue for some serious code review by the companies that OEMs rely upon to produce this software.

As always, thanks for all the comments. Keep them coming.

-- Brian Krebs

By washingtonpost.com Editors  |  August 3, 2006; 9:00 AM ET
Categories:  From the Bunker  

Comments

Ok. Thanks for restating that. I thought it was pretty clear, but not being firmly in one camp or the other I realized that this is a flaw in wireless everywhere.

The suggested fix is also the best fix. Learn how your computer operates and learn how to protect yourself from your own stupidity. Turn off your automatic services if you don't need them. This includes things like bluetooth on your cell phone and other things. Turn on your pop up blocker and os firewall and learn to use them instead of stupidly accusing it of being a worthless pain in your neck.

Posted by: Cwes | August 3, 2006 9:55 AM | Report abuse

Still not clear on one thing: This also appears to be an access point phishing exploit, where the computer being "hacked" has to actively join a bogus WiFi network (that's being run off of another laptop nearby).

That being the case, I think that the standard credit card and password threats posed by running a bogus T-Mobile access point at a Starbucks is much worse.

Posted by: jhoj | August 3, 2006 10:24 AM | Report abuse

We Mac owners are rather pleased with the fact that our OS is both designed and initially configured to defend itself from many of the sorts of malware that attack Windows machines daily. We get defensive when similarly defensive Windows advocates point out - for example - that over 200 vulnerabilities have been discovered for OS X in the past two years while fewer than a hundred have been discovered for XP in that time. The XP vulnerabilities have been successfully exploited while those for OS X have not.

The fact that a Mac was chosen for this demonstration suggests a personal response to our pleasure, flaunted in the face of tormented Windows users. Someone wants to slap that self-satisfied smile off our face and get us to frown like everyone else. The fact is, vile motives aside, we need to see it this way. We need to be shown that our wonderful OS is not without flaw - even if it is in many ways much better than the alternatives. We need to wake up and start protecting ourselves ... a bit.

Posted by: DLMeyer | August 3, 2006 10:30 AM | Report abuse

One thing that is not mentioned in his presentation is whether the exploit entails superuser privileges or merely the privileges of the current user on the machine. If it were a root-level exploit, I feel that most security researchers would mention it. Granted, user-level privileges can be bad enough in terms of personal data loss, but if the machine is properly secured otherwise, and with proper backups, the exploiter could not do more than delete user files, which could later be recovered to a recent state.

Posted by: Chris | August 3, 2006 10:31 AM | Report abuse

John Johnson: The only numbers that are significant there are the Apple to Microsoft numbers. Because Mozilla is just a software suite, same with Adobe, you can't compare their lower numbers to Apple or Microsoft which provide complete operating systems AND software suites.

Additionally, it is worth noting that many of the fixes that Apple releases are not in Apple software but open source software that Apple uses - like recently they delivered a security update that had updates for OpenSSL. Not an Apple product...

And finally - the measure of how many holes have been fixed is not what we should be concerned about. It is how many holes have NOT been fixed that is more of the problem.

In any event - wireless ANYTHING is a security risk. The only question is the amount of work to "crack" it. ANYTHING can be cracked with enough resources and time... All we can do is make sure that no one has the resources or time - by making it harder to crack and limiting exposure...

Posted by: VR | August 3, 2006 10:34 AM | Report abuse

I have some questions. Sure, they say that the Mac drivers are also vulnerable, but there are other issues:

1. They said that the machine's defaults were slightly modified. How?
2. Was the default config to ask for an admin password changed to automatically join an open wifi? If so, that's convenient.
3. What privileges did the exploit gain?
4. In Mac OS X, root is not enabled by default, do they claim to have gotten root priv.? If so, how?

Posted by: rahrens | August 3, 2006 10:58 AM | Report abuse

As an owner of a Macbook, I must point out that it is IMPOSSIBLE to install a 3rd party wireless card. There is no card slot.

Someone needs to get his story together -- someone who at least understands Mac hardware.

Posted by: nosegunner | August 3, 2006 11:00 AM | Report abuse

The point is that as a reporter you've now gone from actually watching it to just taking their word on things. Wireless is inherently not secure, but seeing as the default isn't to autoconnect to any available base station (a non-obvious option) it becomes significantly less of a problem, that and the fact that notebooks (at least apple ones) sleep when closed, the impact is even more minimized. Drivers will be fixed, but problems will still remain.

Posted by: Aram | August 3, 2006 11:04 AM | Report abuse

So let me get this right.....

They demonstrated hacking a USB WiFi driver because hacking the native WiFi driver would have embarrassed Apple and they didn't want to do that.

But THEN they told you that they could easily hack the built in Apple card using the same method. Thus embarrassing Apple anyway.

But they didn't actually show you this. You simply accepted that all WiFi drivers are equally vulnerable without any actual proof?

What else did you learn at journalism school?

Posted by: Glyn Williams | August 3, 2006 11:14 AM | Report abuse

Brian Krebs is dishonest.

Many other posters have pointed out how his sensationalism and deceptive omissions made for a more interesting story than he actually posted.

He himself above admits that he deliberately left out information that made his story irrelevant, insipid and vacuous.

He himself admitted that his original story was written with known inaccuracies.

He even "stands by" his lies, distortions, omissions, confabulations and other deceptions.

It would seem he learned his ethics and PR practices from the likes of Ken Lay and Jeff Skilling.

It is readily apparent that his absence of personal integrity and journalistic ethics is almost total.

Posted by: Journalism Critic | August 3, 2006 11:56 AM | Report abuse

Are you kidding me?? You people actually believe that crap story? The whole thing is a fake and made up.

How gullible are you all? Brian Krebs is a bit of a winger...

The iPhone rumors are 100x's more credible!

Posted by: Johnno | August 3, 2006 12:40 PM | Report abuse

"Way to stick by your article Brian. People really should read the whole thing before jumping on the "Oh no he's bashing my Mac!" conclusion."

Mike, you are missing the point. People *did* read the whole article, which stated that the exploit attacked the drivers for the internal wireless card. After that, the video came out where the guys clearly were using a third-party wireless card, and absolutely no mention was made of any vulnerability in the internal card driver.

So what, precisely, is wrong with questioning the original article? Brian set us up to believe one thing and what happened on the video was another. That is not our fault, and I think even Brian must realize this even if he is feeling defensive from so many angry comments, including my own of yesterday.

Today's update fills in details that were missing, although there are still lots of unanswered questions. Had Brian written yesterday what he wrote today, I for one would not have been unhappy with the article.

Posted by: Thor | August 3, 2006 1:04 PM | Report abuse

As long as there are no details, no names and no info, I can only regard your facts as hoax.

There have been too many times when bloggers have wanted hitrates by intentionally mocking mac-users. The mac community is so tightly woven that they respond immediately - thereby resulting in a lot of hits. So many times have people exploited this fact.

It may very well be true, but until proven (at least on a number of machines) we have to regard this as false.

Posted by: Tigerdyr | August 3, 2006 1:12 PM | Report abuse

What a joke, this isn't supposed to be an article picking on Mac????
Every headline today is stating Macbooks hacked!!!
Check Google. Not one headline generalizes and points to wifi cards in general. This would have been impressive if a stranger brought his macbook to them and said, go ahead and break into my computer, wirelessly.
Damn journalists suck with their misinforming the public. Don't quit your day job.

Posted by: dwhite | August 3, 2006 1:12 PM | Report abuse

Yesterday, Brian wrote:

"The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless 'device driver,' the software that allows the internal wireless card to communicate with the underlying OS X operating system."

Of course, we all know now that the video does not show this or even mention this possibility. Nobody should be surprised that Mac fans got their danders up given this obvious contradiction between the article and the actual video.

Brian, I accept that you stand by your story and I have no reason to think that your update today is untrue. I think you should, however, accept some blame for the reaction to your article given the way things transpired.

Posted by: Thor | August 3, 2006 1:13 PM | Report abuse

Outside of BK's rather naive acceptance of Maynor's explanation for using a third-party device to complete this "hack," (Apple leaned on them like the White House leans on the NYT), Maynor never suggests that he actually "has root" (superuser access) in UNIX parlance. "Hijacked" is a loaded, exploitative term itself. But it gets attention.

"Truthiness," as Mr. Colbert would put it.

Posted by: turkeyneck | August 3, 2006 1:20 PM | Report abuse

This is a great first step to wake users up to smell the coffee. I do wish, however, that the demonstration would have included a Dell running Windows XP, side by side with the Mac, so that people have a better understanding that the problem is OS-neutral. As it stands, the biased media is turning an otherwise great story into a story specifically about the MacBook.

Posted by: rasterbator | August 3, 2006 1:23 PM | Report abuse

"Posted at 12:12 PM ET, 08/ 3/2006"

That's an hour from now. Did you use a hitherto unknown vulnerability in the spacetime continuum to hack into the future?

Posted by: hag | August 3, 2006 1:33 PM | Report abuse

Apple Macintosh: National Treasure

Ben Gates: Once the MacBook hits a certain temperature, an alarm goes off and it is taken to the Preservation Room.

Ben Gates: The preservation room. Enjoy. Go ahead. Do you know what the preservation room is for?

Riley Poole: Delicious jams and jellies?

Ben Gates: No, that is our opportunity to hack the MacBook.

Posted by: rasterbator | August 3, 2006 1:34 PM | Report abuse

Obviously the story will have holes, taking into account the environment in which the demo was given. No one with common sense would demo a little known exploit in a room full of hackers if they wanted to actually "help" the public. As for all of the posters commenting on how this is impossible, I assure you that it is very possible. I run Linux, Mac, & Win and I'm aware that exploits of this kind are possible on each & every platform. Computers are bound in a logical world created by man & thus any new technology will be vulnerable until it is a dead technology. And to everyone whining about "what can they do about it?"... the answer is simple. Learn what, how & why these neat little tech toys do those neat things they do, then report anything like this to the manufacturers to fix it.

Posted by: Common Cents | August 3, 2006 1:35 PM | Report abuse


Speaking of Apple security, today's USA Today states "The analysis found that since January 2005, Apple has had to fix 67% more security holes than Microsoft. Apple issued security patches for 262 vulnerabilities, compared with 157 for Microsoft, 150 for Mozilla and 46 for Adobe."

Posted by: John Johnson | August 3, 2006 1:41 PM | Report abuse

"Time present and time past
Are both perhaps present in time future,
And time future contained in time past.
If all time is eternally present
All time is unredeemable."

- T.S. (Thomas Stearns) Eliot

Posted by: rasterbator | August 3, 2006 1:41 PM | Report abuse

Hey, I did it too!! I'm posting ~2 1/2 hours into the future using my MacBook. So if it takes 60 seconds to hack into my laptop, I can just go back in time and undo the hack. Man, those guys at Apple think of everything. Brilliant!

Posted by: hag | August 3, 2006 1:45 PM | Report abuse

There is not enough factual, objective, verifiable information in this very-sensational[-istic] demonstration to clearly demonstrate what, if anything, has been "proved" here.

If they had said, to someone at-random, "let me borrow your laptop.. thank you.. (sixty seconds later).. now, here, see for yourself that I am now 'root' on your computer ... now would anyone else like to try?" that would have been different. But they didn't do that.

"Snake oil" is very common in the security business: both unsubstantiated claims of strength and unsubstantiated claims of weakness.

"Obscurity" is almost a dead giveaway. They carefully arranged things so that no one could objectively verify their work. If the vulnerability exists as stated, then full and complete technical details should have been provided: this is NOT "unethical"... it is standard security industry practice. Only then can the truth or validity of the claim, and the true extent of any vulnerability that may exist, be objectively determined through peer review.

These people were not going for that: they wanted to make headlines, and they did.

Posted by: Studiously unconvinced | August 3, 2006 1:54 PM | Report abuse

"OS which is mostly used by PC users will be the main target for attackers. That doesn't mean that less popular OSs are completely secure. Attackers aren't interested in those OSs. Maximum damage is their objective.

Mac users should try to understand this fact."

Shhhhh. You'll ruin it for us all!

signed,

Hackers looking for unexploited flaws in complacent Mac snobs' systems.

Posted by: Mac Hackerz | August 3, 2006 2:12 PM | Report abuse

Sorry to be the odd-man-out here, but I'm not convinced.

Here's why: obscurity.

In the real security business, information about exploits is fully and publicly disclosed, in all details, to facilitate objective peer-review. Look at the CERN advisories and there are no secrets there. No one ever says, "Sssh! Don't talk about that because I haven't fixed it yet!"

"Snake oil" cuts both ways: there can be unsubstantiated claims of weakness just as there can be unsubstantiated claims of strength. Because the topic is so volatile, and so important, full disclosure is the name of the game. We're all from Missouri here: "show me. Prove it. Now, let me prove it for myself."

But these people didn't want that. They wanted a front-page story on the newspaper. And, they got it. Sure you reported what you saw... but what, actually, did you see?

There are plenty of weaknesses and vulnerabilities in wireless. Many of these are social: carelessness. For a wireless driver to lead all the way to root-level session access, especially given that in Mac OS/X "root" is normally disabled entirely, is a questionable claim at best.

Had the claim been valid, there would have been no "secret taping," no "we can't talk about this or the hackers will get us." Sure these are appealing notions, but that's not how the security game is actually played -- and, indeed it is done thusly PRECISELY for those very reasons. Security practitioners utterly rely upon full disclosure .. of algorithms, of strengths, and of weaknesses and exploits. The fact that these people did not .. that they took great pains "not to" .. is, immediately and prima-facie, highly suspect.

Posted by: Unconvinced | August 3, 2006 2:13 PM | Report abuse

"Again, the whole point of this story was not to pick on Macs..", well why not Brian. Are you afraid to pick on macs? Don't back down to the smug mac users who have the false sense of security. Security by obscurity is at its end for mac users and it's time to point that out.

Posted by: dana | August 3, 2006 2:20 PM | Report abuse

"During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported."

B.S. Was this on the record? Why don't you show what they actually said about this? Or go into further detail? Apple leaned on them, huh? Blog reporting = friggin' joke. How do you keep your jobs, at the Washington Post no less? Possibly acceptable reporting standards for a 13 year old kid, but for a Washington Post blogger?

Posted by: Seamus D Dog | August 3, 2006 2:21 PM | Report abuse

So you claim that Apple leaned on the guy to use a third party card. So why, exactly, did he give in to this pressure? Was Apple threatening not to honor his Applecare warranty? Did Apple loan him the system and threaten to ask for his return? What's the story here? How exactly could Apple threaten a researcher? Or is this just an after-the-fact fabricated justification for using a third party card?

Posted by: Joe | August 3, 2006 2:24 PM | Report abuse

John Johnson's reference to USA Today's statistical pap is absolutely appropriate to this discussion in that it is illustrative of the disservice this sort of reporting does to the computing community. If one consults the National Vulnerabilities Database and searches with a "Mac OS X" search phrase, one discovers that a large number of vulnerabilities attributed to OS X are actually due to third-party applications written for the Mac -- like, ironically, Microsoft Excel. Similar dissolute results can be gained by searching with variants of the "Windows" keyword. The insight that might be gained by such details are lost to the reader thanks to journalistic focus on shallow but provocative generalizations.

Your approach is no better. Sure, telling a tale of heroic hackers in romantic (albeit virtual) black hats supposedly stealthily sneaking their way into the heretofore virgin territory of those self-assured, intolerably smug Mac users is titillating and salacious, but is it ethical or responsible -- or even truly informative? In spite of the explosive growth of cyber-crime and concerns for personal security, the answer to this question apparently needs to be explicitly stated: No, it isn't!

I sincerely thank these gentlemen for alerting Microsoft and Apple to the issues they discovered (however long ago that they did -- was it a day or two?). I also thank them for being responsible enough to not expose their exploit to possible interception and distribution in the Viennese den of intrigue I gather exists at this conference. Those were the professional and ethical things to do.

But broadcasting this issue to the world at large before it is corrected gets no thanks from me at all. And baiting Mac and Windows users with belligerent comments about smugness is anything but professional. Surrendering now what little you or the others might have held back just because (you say) your accuracy or forthrightness might have come into question does nothing to improve my assessment of your ethics, either. I'm left with little from your article than the ugly feeling that I, and likely others, have been unfairly exploited for the sake of someone else's aggrandizement. In fact, the only satisfaction I feel from this episode is in its affirmation of my decision long ago to cancel my subscription to the Post.

Posted by: Phil | August 3, 2006 2:26 PM | Report abuse

DL Meyer wrote: "We need to wake up and start protecting ourselves.."

Claiming Mac users are complacent is a common refrain, but nobody has ever come up with a good explanation of exactly what we're supposed to be doing. Other than turning on your firewall, turning off unused services, and installing OS updates as they become available, there isn't anything you can do. Anti-virus software only picks up PC viruses, Anti-spyware only picks up some of the PC spyware, and spam is always going to be a problem no matter what software you use.

Mac users have already taken a giant step in avoiding malware: they've chosen to use a more secure operating system. No, it's not 100% secure, but neither is Fort Knox.

Posted by: Chris | August 3, 2006 2:28 PM | Report abuse

I think it would have been more accurate, more professional, and more honest to have not stressed the Mac issue right off the bat, but instead to have reported "Multiple operating systems, OSX included for a change...." To single out Macs was a cheap shot at sensationalism.

Posted by: ziplock | August 3, 2006 2:33 PM | Report abuse

Great video. It is apparent that this is a current user level exploit with knowledgeable participation, and it was unclear if he could parse that user's password as this essentially came "from underneath", if that is the case then this is certainly something to be concerned about if you regularly hook up anonymously to unknown wireless networks. The machine will inform you that it is not one of your "trusted" networks but users rarely pay much attention to that and if they can get wireless on the park bench they are usually happy to do so. Small efforts can do much to mitigate potential damage. Apple needs to step up a bit, in the name of ease of use they do not even mention that when you set your machine up for the first time, the password you choose as the primary user (with full admin privileges) is also that of root. While the root user is disabled by default knowing that 99% of users use the same password it would be trivial to enable the root user and access core system files. Mac users need to know from the beginning that they should create a non-admin user for themselves to use the machine daily with a different password and if they store passwords in files, that they use one of the multiple encrypt-able products available for that task utilizing another unique password. Remember too that you can easily turn off the airport from the menubar when you have no intention of networking and just as simply turn it on when needed, maybe Apple should sleep it when not in use etc etc. I hope to hear something from them soon. Thanks for the heads up.

Posted by: ecrelin | August 3, 2006 2:37 PM | Report abuse

"One thing that is not mentioned in his presentation is whether the exploit entails superuser privileges or merely the privileges of the current user on the machine."

Privileges are totally irrelevant. This is a driver-level attack.

Posted by: Mark F. | August 3, 2006 2:45 PM | Report abuse

Oh and BTW, I am an Apple user for over twenty years and a super defender and apologist, you whiners better wise up because I bet nearly all of you have connected to an unknown network in the recent past. The higher the horse you ride the longer the fall dudes. Whose fault will it be if someone grabs, deletes or messes with some of your files? Don't shoot the messenger, these guys went very very easy on Apple. I know I'm going to be more aware.

Posted by: ecrelin | August 3, 2006 2:45 PM | Report abuse

First, They work for (or are) the company "SecureWorks". This is much like Norton telling you how vulnerable your computer is. They have an obvious ulterior motive... purely a financial one with free advertising. His blatant and arrogant displaying of the Apple logo shows an intent other than purely scientific.

Using a USB wireless card when NO ONE with such a Mac uses anything but the much more easy to use and configure, built-in, FREE internal card.

He also already was accessing the Mac's UNIX shell in order to make a connection and gain access.

He claims that all wireless cards have this vulnerability, but he obviously was NOT unable to do it with the Airport wireless card built into the Mac, or else he would have used it! He, also, couldn't do it with the MacBook just sitting there. It HAD to be connected via the UNIX shell.

So, he may be right. If you leave your Mac open and available, using the shell to access a wireless connection via a 3rd party USB wireless adapter (and totally ignoring your much better and faster built-in Airport card and its associated very easy to use software), you MAY be vulnerable to this type of attack.

Can someone, please, tell me what is that likelihood? I'd think it would be much more likely that someone would just steal the unattended MacBook.

Posted by: M di L Buonarroti | August 3, 2006 2:53 PM | Report abuse

My ? is...If I were in a hotel and using my laptop (power book) would I notice things going on that were not my doing? That would be of concern for me. I always turn my airport off when not actually using it. I also have a user acct with minimal internet use and almost no other access. Am I still vulnerable? One other thing I do is turn filevault on when on the road. Is that any help defeating this exploit? Just asking questions...a mac user/ former windows user.

Posted by: GE | August 3, 2006 2:58 PM | Report abuse

I don't want to take sides as I really don't know what is the truth about the vulnerability, but let's assume it is a valid one. What I know is that this reporting was really done unprofessionally and unwisely.

First if there is a vulnerability, tell about it correctly, tell about specifics (which models does it affect, how to protect oneself) so people could do the right thing. Second, the sentiment of the first article, especially the headline and the quote about stabbing was not appropriate. Third, if you want to demonstrate a vulnerability be a man and tell the whole truth, really, what is the third-party wifi doing in the demo?

What leverage can Apple possibly have on them so that they are willing to alter the truth and make many macbook owners feel falsely safe: "I don't use third-party wifi, I'm safe". Would I trust my data security on these guys? Unfortunately not after this.

Posted by: Jonathan | August 3, 2006 2:58 PM | Report abuse

"Can someone, please, tell me what is that likelihood? I'd think it would be much more likely that someone would just steal the unattended MacBook."

The likelihood? I'm trying to remember the last time I was in a Wi-Fi hotspot when I DIDN'T check out the computers nearby. I'd say the likelihood is probably somewhere in the neighborhood of 100%.

Posted by: Dan D. | August 3, 2006 3:00 PM | Report abuse

I too question the story given that they had to do something no user of that machine would do, connect and use a third party USB wireless adapter. The machine comes with AirPort built in. If AirPort is similarly vulnerable, show us that exploit, maybe it is true but it's just too fishy that they went out of their way not to show it.

I will have to see it to believe it and I am not buying the reason given for not showing it. If true, then a wiser thing to do would have been to show it on a commonly used set up and then list the other systems where it is known to exist, including the MacBook. But this looks very fishy that the system they chose to use as their example required them to jump through hoops just to be able to demonstrate the exploit.

However what about older Powerbooks pre-Airport like the G3s? Those users are likely to use third party cards and could be vulnerable. I was one of those users until last fall. I am sure there are others out there.

Is it the fault of the OS maker or of the driver? I lean towards the former, but it would probably be an almost impossible task.

Posted by: Mike | August 3, 2006 3:02 PM | Report abuse

Mr. Krebs, you should read John Gruber's blog Daring Fireball. He pretty much owns your sorry behind.

http://daringfireball.net/2006/08/krebs_followup

PS - His readership levels are pretty high, so no, he isn't some dime-a-dozen blogger. Have a nice day.

Posted by: Liar | August 3, 2006 3:03 PM | Report abuse

How utterly disingenuous of you Brian:

"Again, the whole point of this story was not to pick on Macs"

If that's the case, then why title your article "Hijacking a Macbook in 60 Seconds or Less"???

Hopefully your next "followup" will patch up your credibility.

Posted by: Krebs publicity machine | August 3, 2006 3:08 PM | Report abuse

First, my bona fides. I've been a Mac addict since 1986, a programmer since 1996, a full-time developer since 2003, and can get pretty defensive when someone puts down my platform of choice...though not in this case. Watch the video, see the files on the user's Desktop created and trashed, and you too will say, "Uh oh, that can't be good".

It appears from the video that Maynor only had user level access. So, if someone used this exploit, then they could delete all of the user files of the individual who was logged into the MacBook at the time that it connected to the access point. Beyond that, the issue of permissions kicks in. It also appears that password recovery of the user under attack was not possible. So, locked user account prefs, such as changing the user's password, appear to be inaccessible.

I do not believe that one can initiate root-level access on OS X unless one has previously done so with NetInfo Manager, but I don't know this to an absolute certainty. Without root-level access, no, the command "rm -fr /" could not have been executed.

Still, it sucks that we Mac users have to cheer ourselves up by saying that, well, at least Maynor didn't get root-level access or couldn't access the user's password. I know I feel better.

I would have preferred to see this exploit used against Apple's own internal Airport WiFi card. I don't know if it would have been equally trivial to gain access to the target MacBook or not, but I would rather know than not know.

An interesting question is what would happen if a user tried to log in if, after having been attacked, all of their directory files had been deleted, but not the system files? I might try this out on my old iBook and see what happens. Fun for all.

As for those writing that Maynor and Ellch are putting one over on us, I don't know either of these folks or their work, but I think that is a bit over the top. Maynor and Ellch are finishing grad school and, yes, they may be making a mountain out of a mole hill in hopes of getting good job offers or contracts for their company, but there is clearly a security issue here that Apple needs to address.

As for Krebs' dishonesty, as "Journalism Critic" wrote, first I doubt he knows Krebs and is therefore unable to say whether Krebs is dishonest or not. I take people at face value as roughly honest unless they give me cause for thinking otherwise; Krebs hasn't done that in this case. What I do not like is someone using an anonymous name, such as in "Journalism Critic" to make a libelous statement--that's cowardly, plain and simple.

Look, as a loyal and loving Mac user, this sucks. I hope Apple plugs this up soon, like yesterday. Kudos to Maynor and Ellch for a good hack.

Posted by: Jim Hillhouse | August 3, 2006 3:11 PM | Report abuse

Yes, the attack is driver-level, but does the resulting compromised security result in root- or user-level privileges?

I realize my initial post was unclear, so let me put it this way: Could he successfully execute "rm -fr /" from the shell he had gained access to?

Posted by: Chris | August 3, 2006 3:13 PM | Report abuse

John Johnson, you *finally* understand why there are no known exploits for the Mac (compared to thousands for Windows):

USA Today's article proves that Apple patches its software more quickly, and at a far greater rate than its competitors thus securing that no EXPLOITS can be written to take advantage of these holes.

Thanks for posting that, John!

Posted by: Johnson Finally Gets It | August 3, 2006 3:14 PM | Report abuse

"If that's the case, then why title your article "Hijacking a Macbook in 60 Seconds or Less"???"

Maybe it's because they hijacked a Macbook in 60 seconds or less? Just a guess...

Posted by: Aaron | August 3, 2006 3:16 PM | Report abuse

"Could he successfully execute "rm -fr /" from the shell he had gained access to?"

Watch the video. It answers your question.

Posted by: Tim Lemki | August 3, 2006 3:18 PM | Report abuse

Wow, nothing like a bunch of mac diehards who get all upset when someone tells them their macs "might" be exploitable. funny.

Posted by: Nate | August 3, 2006 3:27 PM | Report abuse

OS which is mostly used by PC users will be the main target for attackers. That doesn't mean that less popular OSs are completely secure. Attackers aren't interested in those OSs. Maximum damage is their objective.

Mac users should try to understand this fact.

Posted by: Hasan | August 3, 2006 3:39 PM | Report abuse

Tim Lemki: I've watched the video twice, once before posting any comments, and once after reading your comment, in case I missed something. Maynor says the exploit gives "complete interactive access," but leaves out buzzwords like "root," "superuser," etc. He successfully creates files and deletes on the current user's desktop, and deletes a file the user has created, but that doesn't answer my question.

Posted by: Chris | August 3, 2006 3:40 PM | Report abuse

Way to stick by your article Brian. People really should read the whole thing before jumping on the "Oh no he's bashing my Mac!" conclusion.

Tsk Tsk to all you blindly obsessed people.


-owner of both a Mactel and a WinAMD

Posted by: Mike French | August 3, 2006 3:52 PM | Report abuse

Windows exploits are more common because there are more Windows based systems than any other.

Posted by: John Smith | August 3, 2006 4:12 PM | Report abuse

Golly, someone at Dell must be looking at sales projections again; the FUD machine is in high gear.

Daring Fireball lays it all out: http://daringfireball.net/2006/08/krebs_followup

Why aren't the obvious questions being answered? Could it be that the author is purposely avoiding them? Gee. You hardly ever see PC reviewers lying about Macs do ya? Right.

Posted by: M. Douglas Wray | August 3, 2006 4:44 PM | Report abuse

Mac users don't get into a tizzy over an exploit, they get into a tizzy over fuzzy (at best) facts.

Posted by: Shantyman | August 3, 2006 4:52 PM | Report abuse

The problem - and where it's your responsibility as a journalist to report accurately, and not sensationally - is to make the story "about" the Mac.

The hackers clearly told you that this was not a Mac-specific exploit, yet you played up the Mac angle.

I'd expect this on CNet, but not from the Washington Post.

Posted by: Michael | August 3, 2006 5:05 PM | Report abuse

What a crummy article describing a crummy test. There are more holes in both than in a package of Swiss cheese.

The "bias" of the security experts was obvious as they took pains to show a MacBook, and the headline touts Macs, not PCs.

The Mac needed a 3rd party external USB wireless card (not likely to happen).

The Mac needed to connect purposefully to the hacker's wireless network via the shell terminal (not likely to happen).

Only local access was obtained, not root. You can do the same create file, create folder, delete same from your own Mac terminal. It's hardly magic.

This is an exploit, for sure. But it's a very unlikely scenario and certainly not worthy of all the hype.

Shame on the so-called journalist for not doing his job. Shame on the "hackers" for obfuscating the facts and hyping the whole deal beyond legitimate concern.

Tera Patricks
Mac360

Posted by: Tera Patricks | August 3, 2006 5:14 PM | Report abuse

There is not one shred of proof the "hackers" didn't know the admin password ahead of time. None. Zip. Zilch. Nada.

I propose a new test - they may place their PC laptop anywhere they want and connect via Wi-Fi, and I will travel to an undisclosed location somewhere in America and supply the "hackers" with the IP address of the Wi-Fi connected MacBook. I will leave the MacBook stock except I get to pick the alphanumeric admin password. At the appointed time, digital video will record the event with no cuts, and no breaks. Just one raw, unedited live feed. The proof will then be in the pudding, so to speak.

But there is still one angle these "hackers" don't mention and the reporter didn't bother to find out and report - if you boot from a MacBook restore disk, you can reset the admin password, and have total access to the MacBook with not one "hacking" skill needed. Thus has it always been since the Mac OS X beta. Anyone can get into _ANY_ Mac this way.

It doesn't take a rocket scientist to get into a Mac if you have local access, so this "hack" is a non-event until the "hackers" prove otherwise with a live demonstration not under their control.

Posted by: Buster | August 3, 2006 5:31 PM | Report abuse

I'd say that the headlines have been inappropriate at a few publications. A few other publications have adequately focused their headlines on the wireless vulnerability without focusing attention on any one particular computer maker. I think that ultimately is what people took offense at. Such headlines are not just irresponsible, but they misinform naive users.

That is not to say that Apple, like everyone else, will have a security challenge - but the impression of the headlines is in fact that this is unique to the MacBook, and for naive users, that is like telling them to buy a Windows PC. And that is not only an inaccurate picture of the overall security issues, but it's not even accurate with regard to this particular vulnerability.

Nonetheless, it is fair to say that the vulnerability was demonstrated on a MacBook and to report the other details. Absent the sensationalist and inaccurate headlines, it's a very good and important story.

Posted by: MacHack | August 3, 2006 5:47 PM | Report abuse

Tera Patricks:

You are trying to come off as you know what you are talking about but you are a total moron. He didn't connect to the access point via a shell. That is where he launched the exploit from. And mr knows every f'ng thing, what priv does a driver run as? Not the user.

Take your asshat off. Thank you.

Posted by: Asshat Hater | August 3, 2006 6:09 PM | Report abuse

Mr Krebs;

If you fail to post one or both of my earlier posts regarding my observations regarding the video, it will prove that your article is just blatant anti-Apple publicity!

Posted by: rahrens | August 3, 2006 6:37 PM | Report abuse

So? Did Maynor and Ellch turn off the default airport setting to ask for confirmation before joining an unknown open Wi-Fi network? Brian, I think you owe it to your readers to respond to Gruber who's calling you out. Were you possibly caught up in the moment of an OS X exploit and got hacked yourself?

Posted by: DL Byron | August 3, 2006 7:18 PM | Report abuse

It is bad journalism. It feels like manipulation. The shown video does not support your conclusions at all.

Posted by: grrrr | August 3, 2006 8:02 PM | Report abuse

I think this is FUD. He connected to the DELL from the MAC, first! then he ran the exploit...

Easy when you have access to the target's keyboard.

Posted by: rahrens | August 3, 2006 8:12 PM | Report abuse

macs suck....Baaawwaahhhhhh ha ha ha

Posted by: bgaaates | August 3, 2006 8:13 PM | Report abuse

"security fix" my aunt fanny.
this is nothing more than hype and rumormongering.
thanks brian, one less "security" site I need to keep up with.

Posted by: Chris_B | August 3, 2006 8:17 PM | Report abuse

Amusing way to deal with wifi thieves. The machine runs squid with a trivial redirector that downloads images, uses mogrify to turn them upside down and serves them out of its local webserver. http://www.ex-parrot.com/~pete/upside-down-ternet.html

Posted by: linuxrules | August 3, 2006 8:21 PM | Report abuse

The singling out of the mac crowd. Their vehement denials and attacks. The inaccuracies passed off by the "skilled" users as facts. None of these are anything new.

Let's set some facts straight.

1. It IS, in fact, common for full disclosure to NOT occur until after vendors have been notified and given a chance to release a patch. That has been SOP since the mid 90s. After vendors have been notified and given a chance to respond, the decision to go full disclosure or not is made. To claim otherwise is to simply display ignorance.

2. While you "savvy" mac fans may claim "root is disabled", that's only a high level abstraction. Stop talking like you know and take a look around the code, you'd be shocked at just how much software checks to see if UID/EUID == 0, which means "root."

3. Any code executing in the same context as a device driver is executing with high enough privileges to do whatever the hell it wants, without needing any kind of a password at all. It operates at a lower level than "users" and "passwords."

None of the above corrections, or the original incorrect statements, has anything to do with the validity of the claims made in the article, or the veracity of the video. The vulnerability might exist, or it might not.

Trying to "correct" the article with even more inaccuracies and incorrect data is just idiotic though.

Every time you post without thinking, baby jesus clubs a baby seal.

Posted by: Rebel without a shoe | August 3, 2006 8:27 PM | Report abuse

Dear Asshat Hater:

Why do you come off as such an asshat yourself? Cool down, since it is not clear you know what you are talking about either.

If you watch the video, he first creates a wireless access point by running a script on the Dell. Then, he goes over to the Mac, saying that he is going to join the Mac to the wireless network just created. Instead of doing what a Mac user usually would do to join a network (click on the Airport icon in the menu bar and choose an available network), however, he goes to the terminal and starts typing. This is what Tera is talking about.

There, he types "bash" to get the bash shell. Then, he types "ifconfig" to get the current network settings. He then looks at the output and says that the Mac has indeed picked up an IP address from the Dell. So, the Mac must have been set to connect automatically to any open wireless access point, which is not the default setting. Normally you get a dialog window asking you if you want to join a particular wireless network.

So, technically, you are right. He did not use the shell to make the Mac connect. Tera's interpretation is entirely understandable, however, given the unusual way in which the Mac was joined to the network. Calling someone a moron for that is really unfair.

Come off it.

Posted by: Thor | August 3, 2006 8:31 PM | Report abuse

I watched the video that Jon "Johnny Cache" Ellch and David Maynor put together to demonstrate a wireless driver exploit and aside from the obvious dig against Apple and the Mac (it wasn't necessary to use the MacBook to prove their point) there are questions, as the demonstration appears to be significantly flawed or contrived.

The authors claim "according to Maynor and Ellch, this attack can be carried out whether or not a vulnerable targeted laptop connects with a local wireless network. It is, they said, enough for a vulnerable machine to have its wireless card active for such an attack to be successful."

This assertion is not proved by the demonstration in the video. If their assertion as quoted is true why was it necessary to explicitly connect to the attacking access point PC? Shouldn't the fact that the Mac was on and had an active wireless connection have been enough as they claimed?

Also why was the connection made through the Terminal and not through Internet Connect or the Wireless Menu Item which is how most users connect to wireless networks?

Also there are questions regarding the set up of the MacBook used. Were any of the options in the Sharing preference pane of System preferences enabled? It is unlikely that an outside computer could connect if Remote Login is disabled, as it is by default.

Some have claimed that the exploit installs a rootkit. How could that have occurred without knowing, in advance, the username and password for an admin account on the MacBook? In order to install software in Mac OS X an admin user must first authenticate.

For the exploit to manage privilege escalation it would need to suss out the information for at least one user account on the MacBook, again difficult if not impossible without knowing the account information in advance.

Others have commented on the use of a third party card, which indicates, usually, that third party drivers are installed and used when the card is connected. Is the flaw that is supposed to be demonstrated specifically in the third party drivers or the native OS X Airport drivers? This is also not demonstrated by the video and the original article is unclear, while your follow up article does state "...the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable." Again this is not proved in the video.

So what was the point? If the authors truly wanted to present a balanced and well rounded demonstration, why was so much information left out? Not for security reasons. The questions above can be answered without revealing how to take advantage of this exploit.

Posted by: James Alguire | August 3, 2006 8:47 PM | Report abuse

Interesting that they didn't just plop down a laptop and hack it. Instead they bounce back and forth entering commands in each laptop.

What happens when file vault is turned on?

What happens when they don't have access to the target?

What happens when they don't set the Mac wide open prior to their test?

What happens when you don't use a USB card that has been hacked? I love the tape wrapped around it.

What happens when you turn on the firewall, turn on file vault and don't give total access to the computer? I Know, you don't get it.

Posted by: dave | August 3, 2006 10:39 PM | Report abuse

The above questions should have been asked by the reporter. Jeez, you did a horrible job of INVESTIGATIVE reporting.

Posted by: Dave | August 3, 2006 10:44 PM | Report abuse

After the (unwarranted) backlash from the Mac fanatics, I wonder if Brian is going to report on Jay Beale's Defcon presentation titled "Discovering Mac OS X Weaknesses"...

Posted by: random observer | August 3, 2006 10:47 PM | Report abuse

I'm still waiting for you to get some real proof. Honestly, video like that with side by side comparisons is easy to fake. And how about you exploit the Mac's hardware and not some 3rd party wireless device? If they say that it's possible with the MacBook's hardware let's see it!

Posted by: Barry Wheaton | August 3, 2006 11:29 PM | Report abuse

"I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable." Huh? That's not reporting, it's parroting.

Why didn't they exploit the default MacBook drivers? Their claims are wide-ranging, but they demonstrated only one thing: if one has unrestricted, undisturbed access to a MacBook they can break into it. Give me the same access to Ft. Knox and I guarantee you I will get the gold!

Why haven't they taken on one of the scores of challenges to hack a Mac in the real world? I'm thinking of the University of Wisconsin's Mac OS X Security Challenge, e.g. Thousands of attempts were made to hack that out-of-the-box Mac until the University got nervous and shut down the challenge. No, they weren't nervous about the Mac -- they had a lot of Windows boxes on the same network.

Success in such a challenge would put the fear of God in me. As it is, Maynor and Ellch have made themselves the laughing stock of the Mac community by proving that someone who has a Mac can access the system and the files on that Mac.

Posted by: davidillig.com | August 3, 2006 11:54 PM | Report abuse

After reading all the comments it seems that the Mac folks are just looking for excuses instead of realizing that they are just as vulnerable as any Windows user. Wake up and smell the coffee, your Mac is not as bullet proof as you would hope. Or maybe I should just tell you to ignore any security warning and just leave yourself vulnerable, makes wardriving that much more profitable and easy. As to the guy who says you can't add a wireless card to a mac I guess you never heard of USB wireless adapters. Just keep believing the stupid and misleading mac vs. pc commercials. kthxbye

Posted by: mac hater | August 4, 2006 12:12 AM | Report abuse

The reason the "hack" was not done live is that they couldn't pull it off reliably in a live environment... period. You're naive if you believe to the contrary. They used a third party card (probably the Intel technology that is under fire lately) because they couldn't get the Mac hardware and drivers to fail reliably... not even enough to film the demo. The really unfair statement from the two "researchers" is that this problem is "systemic"... theoretically. The truth is that most folks are not trying to "hack" the network, and millions of decent people are safely Wi-Fi(ing) with little if any problem... and those running Mac OS X, and or (name your flavor of Linux) have even less to worry about. Somebody will always be there trying to break the rules... work smart, play hard, use common sense, and have a little faith. Ok?

Posted by: Mark H. Harris Rochester, MN | August 4, 2006 12:31 AM | Report abuse

This really needs to be clear and is not. Can *Apple* hardware with *Apple* drivers be exploited or not?

Black Hat people caring about Apple leaning on them? Seriously?

My impression from watching the video that they did (See CNET) made it rather clear -- but not completely -- that you could not crack the Apple hardware with Apple drivers. Otherwise, why plug in some third party REDUNDANT (unless you want 802.11pre-n) device?

I'd really like someone to get hard facts. Oh, laughably, the anti-virus software out there has no chance of preventing an attack AFAIK as their drivers sit to the side of the other drivers. They could only attempt to block/remove any code after it's installed. Serious damage could be done without installing any code.

Posted by: Pecos Bill | August 4, 2006 12:41 AM | Report abuse

"Windows exploits are more common because there are more Windows based systems than any other."

That's not how security works. For example, the Apache web server is about 2x as popular as the IIS web server, but IIS sites get "hacked" far more often than Apache sites. While popularity is probably somewhat relevant to the level of motivation of people to attack the software, the actual security of the software is what determines the number of vulnerabilities in the software that can be exploited, and the severity of the successful attacks.

Posted by: Anonymous | August 4, 2006 12:43 AM | Report abuse

Seriously, what did you guys expect from The Post? Honest, accurate journalism left this paper long ago. Deception and half-truths are a way of life and this is just another example of why the newspaper business is falling apart.

Posted by: Paul | August 4, 2006 1:09 AM | Report abuse

Hacking an IIS hosted site and hacking an IIS server are 2 completely different things. Apache sites get hacked all the time, typically due to poor coding or vulnerabilities in the language, be it PHP, Perl, ASP or whatever your preference is.

Perhaps it's true the apple drivers did not fail reliably and that's why they used a 3rd party driver, but the point is still made that wireless device drivers, regardless of platform, are not as secure as one would hope and not as secure as the Mac users would like to believe.

Missing the message that system security requires active participation on the part of the user and at least a basic understanding of security principles should not be overlooked or ignored just because this demo was done on a Mac and you see it as a deliberate slap in your apple-using face. There is a reason that Mac OS, Windows, *nix and any other software publishers put out security fixes regularly and it is certainly not because you are invulnerable.

Posted by: missed the point | August 4, 2006 1:11 AM | Report abuse

To Mr. Mark H. Harris .. the reason the hack was not performed live was very likely due to the 'hackers' desire to not let a 0 day vulnerability fly wirelessly around a black hat conference, and not your silly belief it's unreliable.

The concept of security is obviously lost on you though seeing as you put your whole name and location on an anonymous web posting. Internet security surrenders.

Posted by: smart enough to not put my name | August 4, 2006 1:16 AM | Report abuse

Brian, you should clarify what the problem Apple has not fixed yet is. Is it the problem with the OSX vulnerability that can be exploited via flawed device drivers, which obviously was present third party or not, or is it the device driver used by Apple for Airport WiFi cards in Macbooks? Your article blames Atheros and therefore seems to suggest that the driver currently in use in Macbooks is provided by Atheros, which is no surprise, of course. However, the fact Apple leaned on those guys does not necessarily mean Apple is using the faulty driver in their products. Rather Apple could be against exposing the exploitable vulnerability of the OSX. You could have done more homework and determined whether OSX's Airport driver uses the same code as Atheros drivers or not. Otherwise, your article does no good to the PC community.

Posted by: Snappy | August 4, 2006 1:35 AM | Report abuse

PLEASE EVERYONE, follow my lead and contact the editor at letters@washpost.com. Let's inform the powers that be that this "reporter" is doing a disservice to WP's readers with his sensationalistic journalism.

Posted by: pixelbender | August 4, 2006 2:35 AM | Report abuse

Good grief. Someone attacks a Mac and it's like someone teased Mohammed or something.

Posted by: Ben | August 4, 2006 2:54 AM | Report abuse

Mr. Krebs,

For full disclosure, would you elaborate on the relationship between you and Mr. Maynor? There has been some talk that you both are friends, and I'm sorry to say, I think you are shunning your responsibility to fully investigate this test (regardless of which platform was used). If you're going to outsource your journalistic duties to some wanna-be hackers, without following this up with facts, then perhaps you should look for a different job, maybe the gossip tabloids?

Also, what are your credentials in the computer security field? I would appreciate an honest answer to these questions. I am also following up this question with your superiors. I expect better from the Post.


Posted by: ted | August 4, 2006 3:12 AM | Report abuse

For the sake of argument, let's assume that the exploit/hack is real and works as demonstrated. My opinion as to why they chose to do it on a Mac is because it is much more secure and harder to hijack than a computer running Microsoft Windows.

So the real point is IMAGINE how easy it would be to do this on any PC!

Posted by: from the Basement of the Science Building | August 4, 2006 5:53 AM | Report abuse

I expected a more professional approach by this newspaper, so much for that.

Posted by: deedubya | August 4, 2006 7:22 AM | Report abuse

Brian wrote:

"Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported."

I'm sorry, but something smells here. Maynor wanted to draw attention to a Mac flaw, but not too much attention? So you and he "compromised" with Apple (who was "leaning pretty hard" (?) on Maynor) and decided to use a third-party card on a product that will never, ever require the use of a 3rd party card?

Why write an article about a Mac flaw with an incendiary headline if you don't want to draw attention to it? Seriously, what is the point of substituting an entirely useless and pointless 3rd-party card for the built-in hardware that's already there, so you can write an article about the flaw and draw attention to it - but not "too much" attention?

Finally, Brian, from your response today it sounds as if you're taking Maynor's word for it that the built-in Mac drivers are identically exploitable. But you didn't actually see that, and you apparently have just that one source. Hm.

Posted by: Tom Castle | August 4, 2006 9:15 AM | Report abuse

Hey Pixelbender:

Brian, in a very short period of time, has responded to published criticisms of his article. Like you, I feel that the response is inadequate, but this process is still in play, and Brian appears to be happy to engage in this debate and to answer questions. I assume he will answer the additional questions raised today.

Nobody is perfect, and I'm sure you've made your share of mistakes and questionable decisions in the course of your work (assuming you have a job). What, exactly, is the point of siccing his editor on him and flaming him in the letters section while he's still responding to criticism?

It sounds like you enjoy playing hall monitor, but chill for a while, bro.

Posted by: Tom Castle | August 4, 2006 9:19 AM | Report abuse

If the "whole point of this story was not to pick on Macs" how come your title is "Hijacking a Macbook in 60 Seconds or Less?" Why not something like, "Wireless Hackable in 60 Seconds"? You do show a slant especially the hackers: ""We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said."

You're so full of it. You're just one of those "journaLUSTs" who would sensationalize a story just to get hits.

Posted by: Jim | August 4, 2006 9:52 AM | Report abuse

Seriously, I hate those stupid Mac ads too. They are ridiculously misleading about the real comparison between OSs. Macs don't work with *everything* or I wouldn't hear Mac users whining "will it run on a mac" on the Woot forums. Macs aren't bullet proof security wise. Anyone who knows anything about security will tell you that no system is 100% secure. In fact, the arrogance of most Mac users makes them less secure because the weakest point of any system is usually the DUMB USERS. That ad about Macs not freezing up is also false, I've managed to crash and/or freeze a few people's macbooks (locally, not remote. and usually due to poor 3rd party software). And lastly, the one about Macs being fun??? ARE YOU SERIOUS?!? While there are thousands (millions?) of great games for the PC there are about 5 good games available for the Mac. At least us Linux users can use Wine (and derivatives, aka Cedega) to play those Windows games at native speed.

Macs are NOT better with driver quality and availability.

Macs are NOT completely secure (because the users are humans)

Macs CAN freeze and crash. (I've setup production Windows boxes with uptimes of several months)

Macs are like HELL FOR GAMERS.

Finally, iPod/iTunes sux0rz and you're all brain-dead sheep if you haven't moved on to a better device/software suite yet. Apple wants to strip you of your constitutional rights and you're all like "Yeah! Now I can pay three times for the same song! Awesome! And I can't even play my legally acquired FLAC or OGG files! Shaweet! And lookie, they still haven't fixed the issues I've been complaining about since Gen-1 like gapless-playback!! That's so hawt! I love you Apple!!!"... That would make you even more gullible than the average Windows users. As in it takes less work for hacker/spammer/scammer to social engineer you. As in you are a paper door (you guyz like that japanese stuff) protecting the entrance to your computers.

Posted by: Penguin user | August 4, 2006 10:11 AM | Report abuse

Questions for Brian.

1) Did you actually witness these guys attack the Mac's built-in wireless? Given that there seems to be problems with all kinds of wireless drivers (such as the Centrino drivers just patched by Intel), I am willing to accept that Apple's drivers are vulnerable too, but I want to know if you just took their word for it or if you actually saw it.

2) Did you contact Apple to ask for their comment? Of course, they probably would refuse to comment, but reporters should ask and tell us what the response was.

3) Did you contact any other wifi security researchers to get their assessment of this kind of vulnerability? More than one source is a good thing.

4) Did you actually see the video yourself before you wrote your story? If you did, why did you write that the video shows them attacking the Mac's internal wireless? It seems that either you didn't actually see the video yourself or your original reporting was factually incorrect.

The sad part of all this is that the whole debate has degenerated into a discussion about just Mac security rather than wireless security in general. Casual observers might not be aware that all machines are potentially vulnerable. If Apple's drivers have a flaw, they will push out a fix through Software Update, but Windows users who bought some wireless card for their laptops may not ever get an update unless they know to look for one. Given the small marketshare of the Mac, unpatched Windows users should be getting a lot more attention.

Posted by: Thor | August 4, 2006 10:40 AM | Report abuse

The thing that gets me about this closed demonstration is that it could have been faked a million different ways. These machines were on the same IP network and I could write a bash script in 5 minutes to echo some garbage to the screen alluding to all the cool things I'm doing... and then lo and behold I invoke ssh behind the scenes to the MacBook. Guess what... I can make files, delete files.... oooh, aahhh, magic.

What a pathetic story and pathetic demonstration.

Posted by: theagent | August 4, 2006 10:54 AM | Report abuse

Ben;

It isn't just that someone attacked a Mac. As a matter of fact, for me, it isn't the Mac at all.

It is the sloppy, biased, undocumented manner in which the demo was made.

No attempt was made to balance this in such a way that the OS wasn't an issue. Their comments about wanting to poke Mac users in the eye just shows their motives.

They could have set it up so they truly hacked the wireless card to establish the connection to prove it was possible. But they didn't.

They could have demonstrated performing admin or root level tasks on the "hacked" Mac, just to prove that admin or root had been obtained in the hack - but they didn't.

In fact, nothing in this demo supports what they purported to have done - successfully attacked a wireless driver to obtain elevated privileges on the target.

As a proof of a hack, this was a bust.

Posted by: rahrens | August 4, 2006 1:23 PM | Report abuse

Half of these posts seem to be coming from slobbering mad mac fanatics. Some of you are making it sound like this was Brian that discovered the vulnerability. He is only reporting what he is being given. The video shows for a fact an exploit worked against the wireless driver. It is another matter to work out the details on how this attack could be taken advantage of in the real world. A wireless driver (get root) exploit is a bad thing. It would be totally impossible for Brian to investigate every single aspect of it. Give him a break! Do your own freaking work and wipe the spit off your chin. Slobbering foolz.

Posted by: Krebs Fan | August 4, 2006 3:44 PM | Report abuse

I'd like to thank the Macinoids for
once again demonstrating the depths
of their magical thinking.

Posted by: Stanley Krute | August 4, 2006 4:13 PM | Report abuse

Where are the results of "peppering" them with questions for an hour? We don't know if they got root. We don't know why they didn't demonstrate against the internal card. We don't know why they bragged about being able to hack the internal card, if they claimed they were bowing to pressure and not publicizing a vulnerability in the OSX drivers. We don't know in what way Apple pressured them. We don't know why they would choose to pay any attention to Apple's wishes in the first place.

You've got a long way to go before this qualifies as news.

Posted by: What questions? | August 4, 2006 4:48 PM | Report abuse

Posted by: Rex | August 4, 2006 9:19 PM | Report abuse

Can we at least have the model number of the third party wireless card? Anything of substance at all would be refreshing.

Posted by: James Bailey | August 5, 2006 4:56 PM | Report abuse

1) Did the hackers change the default behavior of the Mac where it asks before joining an open network? Since the exploit requires that the attacker looks like a base station I can only assume so.

2) Did the hackers have the firewall enabled or disabled for this demo?

3) Did the hackers gain root or user only access?

The video looks sensational and all but is a little short on actual information.

Posted by: Russell Skingsley | August 5, 2006 10:05 PM | Report abuse

Is there any way to download that flash embedded video of the exploit in action? I'm sick of it buffering all the time.

Posted by: dirtchamber | August 6, 2006 12:23 PM | Report abuse

I can't stand it... all I see is this little blue legoblock with a question mark. Perhaps one day when Macromedia releases Flash for Intel Macs I'll be able to watch this redundant video.

Where's the link to download a Quicktime or Windows Media Player version?

Posted by: flash-hater | August 9, 2006 3:14 AM | Report abuse

According to their interview with George Ou, the problem is with the 3rd party driver, NOT APPLE.

Ou: "Why would they be at fault... it would seem to me that the people that wrote the code have nothing to do with Apple"
Maynor: "Right"

Ou: "This is not an exploit on the AirPort card from Apple?"
Maynor: "No"

http://blogs.zdnet.com/Ou/?p=288

Posted by: V-Train | August 9, 2006 3:44 PM | Report abuse

So, either the hackers lied to you Brian or you lied to us. I just watched the new interview on blogs.zdnet.com by George Ou, he is not a friend of Apple, (Real World IT) with the two "MacBook" Hackers. Right at the beginning George asks them about the internal Airport of the MacBook. And they clearly state, that the internal Airport was not hacked and that the fault lies in the third party device driver and it is not Apple's fault. I think you owe us an apology for your sloppy reporting.

If I were your editor, I would fire you in a second. What else have you made up in your blog?

Posted by: Mathias | August 9, 2006 6:10 PM | Report abuse

Did no one watch the video? Or did you all have the sound turned off while it played? Some of the questions and assertions on this post show a tendency to post without information.

Q1. Did the hackers change the default behavior of the Mac where it asks before joining an open network? Since the exploit requires that the attacker looks like a base station I can only assume so.
A1. Within the first minute of the video, the demonstrator lets you know that "for simplicity of the demo," that it was set to connect to an unauthenticated network. The attacker also states that this is not necessary, but aids in the demonstration. To quote, "Normally, for this attack to work, you do not have to have the victim associated to an access point or authenticated in any way." (occurs between about 00:00:54 and 00:00:58 seconds).

Q2. This is an unlikely exploit, since the user needs to use the Mac Unix shell.
A2. Again, did you not see the video? The Unix shell was accessed *from the attacking workstation* (notice the Mac is Black, the Dell is silver--the corner of the screen with the Unix prompt is clearly silver).

Q3. "These machines were on the same IP network and I could write a script in 5 minutes to fake this."
A3. It's no secret that they're on the same network. In the beginning of the video, the demonstrator ANNOUNCES that the Dell/attacking machine is going to act as an AP. At some point, you have to be able to route to the victim's machine; this is much easier to accomplish if you're an AP on the same network. And, if you're pretending to be an AP issuing DHCP (hoping to pick up unwitting clients), it only makes sense to issue IPs for the network you have a direct connection/route to.

Q4. What happens when they don't have access to the target?
A4. For the purposes of the demonstration, you need to have access to both. The only thing performed on the client (per the video) was an IFCONFIG to verify that the Mac had obtained an IP address from the Dell acting as an AP.

Q5. What happens when you turn on the firewall?
A5. From the video, we don't know the status of the firewall or filevault (on/off). If you are able to exploit something at a driver level, you may be able to perform actions as a system process or as the user whose context is currently running. One would have to know the firewall's capabilities to be able to more accurately determine the risk (packet filtering versus stateful inspection). Detailed knowledge of the exploit and the runlevel of the driver would also be needed to form a conclusion.

Q6. Why wasn't it done live? What about full disclosure?
A6. It appears that no details were disclosed. Would you give full disclosure at a security conference before vendors had issued patches? I think it's probably a good thing that it wasn't done live so that if it is for real, less trustworthy people wouldn't be able to capture the data to deconstruct the exploit ahead of a patch.

Q7. Why was the network adapter covered in (what appeared to be) a paper sleeve?
A7. I suppose it would be to show that it could have been done with any generic network adapter. I, personally, would have preferred to see specifics and the test executed with a variety of network adapters, including the built-in.

While the video and subsequent documentation don't provide enough hard proof one way or the other, it should have been incumbent on the reporter to obtain further verification and details that would substantiate the claims. Reports of "peppering" the hackers with questions don't help us if we don't know what questions were asked or what answers were received.

Imagine going to a Starbucks and pretending to be an AP. Someone (Windows, Mac, apparently makes no difference in the exploit described here) detects that an AP is available, and it requires no authentication or other security. It would appear that the user has discovered "free" wireless access. I have a feeling that a lot of people would jump at the possibility to tap into a "free" wireless hotspot at a coffee shop and disable whatever security measures they would need to take advantage of it.

In that case, both social engineering and largely poor understanding of security principles open up a window into everything imaginable that might be stored on a laptop--from corporate espionage, identity theft, or even the ability to install trojans/zombies to make these victimized devices a vector for some other attack. I think the bottom line is that if it IS real, then there certainly could be severe ramifications. It definitely should make everyone take inventory of their configurations and make sure that unnecessary services and devices are disabled.

There shouldn't be a Mac/Linux/Windows argument here. Frequently hardware can be used on multiple platforms. The vendor-supplied drivers could be written by the same team of developers for every platform, meaning that the same mistakes could be made in each environment. In a way, I think that it's good to show that Apple's products can be susceptible to attacks--it raises the general awareness that there are people out there intending to do you harm, regardless of your platform. As a high tide raises all boats, I think a possible security vulnerability such as this should be of concern to everyone.

Posted by: Frustrated with Zealots | August 15, 2006 4:27 PM | Report abuse

How about a follow-up to your follow-up?

http://www.macworld.co.uk/news/index.cfm?RSS&NewsID=15605

Posted by: David Chartier | August 18, 2006 12:16 PM | Report abuse

Can we expect a retraction from you??

Security Firm Disclaims Mac Hack Demo


SecureWorks did a demo at the recent Black Hat conference showing how it could hack into a MacBook. Now the company has posted a disclaimer on its site to make it clear that the MacBook was modified.


By Thomas Claburn
InformationWeek

Aug 17, 2006 06:55 PM

In a video presented at the Black Hat USA conference in early August, SecureWorks researcher David Maynor and Jon Ellch demonstrated hacking into a MacBook, setting off a flurry of press coverage about the insecurity of Wi-Fi-enabled computers from Apple and PC vendors.

Now it seems SecureWorks is backing away from its suggestion that MacBooks are just as vulnerable as other Wi-Fi-capable computers. The company has posted a disclaimer on its site to make it clear that the demonstration at Black Hat used a modified MacBook.

"This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers," the disclaimer says. "Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver--not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."

A responsible demonstration policy would have forbidden the installation of flawed drivers to make a point.

Apple sees the clarification as vindication. "Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is," Apple spokesperson Lynn Fox said in a statement. "To the contrary, the SecureWorks demonstration used a third party USB 802.11 device--not the 802.11 hardware in the Mac--a device which uses a different chip and different software drivers than those on the Mac. To date, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

Posted by: Mel | August 18, 2006 2:11 PM | Report abuse

Well, Mr. Krebs, are you still "standing" by your report, or are you now "standing" in front of the sink, trying to remove considerable amounts of egg from your face? Please see if you're not sure what I'm talking about.

Posted by: Joe | August 18, 2006 2:51 PM | Report abuse

the URL was apparently removed from my last post, so here it is again: "www.smallworks.com/archives/00000455.htm"

Posted by: Joe | August 18, 2006 2:56 PM | Report abuse

Brian, I appreciate that taking these guys to task for hoodwinking you (the rest of us) might have cut you off from a source for future new stories....but dude sticking by your story at this point is lame.

I'm sure you know Maynor is quoted as trying to make a point because "Mac users are smug" about security. He was trying to make a point, and sucked you in a bit to help him.

If your buddy "Krebs Fan" is correct that "It would be totally impossible for Brian to investigate every single aspect of it." then all the more reason to hold people giving you information to a high standard.

In this case you clearly aren't

Posted by: Brook | August 18, 2006 9:36 PM | Report abuse

Brian,
If you have an ounce of integrity left, which I doubt, you must retract all your shoddy reporting on this issue. For further illumination just check John Gruber's latest post:

http://daringfireball.net/2006/08/curious_case

Have a nice day.

Posted by: Pablo Mardones | August 21, 2006 6:26 PM | Report abuse

""Again, the whole point of this story was not to pick on Macs..", well why not Brian. Are you afraid to pick on macs? Don't back down to the smug mac users who have the false sense of security. Security by obscurity is at its end for mac users and it's time to point that out."


I'm getting really tired of this crap. Vista has 1/50 the users of OSX - and there are Vista viruses. BeOS has viruses. AmigaOS has viruses. Why doesn't OS X?

Or look at it this way - Windows suffers billions of dollars in damages every year due to viruses. OS X has suffered exactly zero. Even after taking into account the 30:1 market share difference, that doesn't add up.
 
Note that no one in their right mind would claim that OS X will never have a virus. But as of today, there are none. Zero. Zip. Nada. If you want a secure computer, OS X is the best choice. Period.

Posted by: Joe | August 24, 2006 4:59 PM | Report abuse

I know "I/O Kit" (OSX driver framework, look it up). I call: fraud.

Posted by: JC | September 5, 2006 11:49 AM | Report abuse

If they really CAN do it....why don't they prove it and win a nice new macbook??? WHY? Coz it's BS!

http://daringfireball.net/2006/09/challenge_update

Posted by: MJ | September 6, 2006 5:11 AM | Report abuse

The comments to this entry are closed.
