The Black Hat Wireless Exploit Interview, Verbatim

I've received an overwhelming amount of hate mail from Mac enthusiasts over two previous posts on a wireless-device-driver presentation at the Black Hat hacker conference, with people accusing me of all kinds of nasty things. Rather than respond to every wild accusation under the sun, I thought it best to give readers all of the information that I have on this. I am posting here a word-for-word transcription of a taped interview I had with David Maynor of SecureWorks in his hotel room on Tuesday, Aug. 1 -- the eve of his presentation at Black Hat.

I've been asked this many times, so let me make this crystal clear: I had the opportunity to see a live version of the demo Maynor gave to a public audience the next day. In the video shown at Black Hat, he plugged a third-party USB wireless card into the Macbook -- but in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in. As far as I'm aware, only one other person at the conference saw the demo the way I saw it (a Black Hat staff member whom I'm not at liberty to name); the discrepancy over the wireless card is probably the biggest reason why the Mac community was so confused and upset by my original post. I tried to clarify that in a follow-up, and am posting the contents of that interview -- verbatim -- to give the public all of the information I have about this particular exploit.

As I turned the tape on, Maynor was just beginning to demonstrate the exploit for me.

Maynor: OK, so the first step in this is we want to turn this [Windows laptop] into a wireless access point.

BK: Oh, so you do have to have it connected?

Maynor: No, this is just for the demo. This is the way we've developed the demo. If I explained it any other way, you wouldn't see anything. It would just say, "Exploit done." This way you can see the results of it.

[Maynor runs the connect-back script that leverages the flaw in the Macbook's wireless device drivers to connect back to the Windows laptop to which it was already associated.]

Maynor: So, I'm going to place a file on the desktop here on the Macbook using this machine here. What should I call it?

BK: I dunno. How about "owned"? [A text file named "owned" shows up on the Macbook desktop.] Wait, OK. Explain to me exactly what you're exploiting in here. Is it a flaw in the Macbook itself?

Maynor: Yes, it's a device driver. The thing is, there's a flaw in the OS, but I don't want to specifically point to it, so in the video you'll see I used a third-party USB device. What I'm trying to do is highlight the problems in device drivers themselves, not any one particular flaw. [Maynor misspoke here, and I later clarified this point with him. The wireless device driver that powers the internal wireless card on the Macbook contains flaws that -- when exploited -- give the attacker the ability to create or delete files, or modify system settings. The flaw is in fact in the Macbook's wireless device driver, which is made by a third party. So again, to be clear, the flaw is not, as he suggests in the transcript of this interview, in the Mac OS X operating system itself.]

BK: Oh. OK, well, then aside from this Macbook example, how many other machines have you been able to find this kind of --

Maynor: So this attack I'm showing right here doesn't work on anything but this particular Macbook. If we were looking at something else like Broadcom or Linksys or something like that, you'd have to develop a custom exploit just for that. You're asking how many other machines have been able to compromise remotely like this, right?

BK: Yes.

Maynor: There's three other ones right now, and those are all Windows-based. Wait, actually, two of them are Windows-based and the other is in a [garbled] operating system --

BK: A what?

Maynor: A free operating system, like a Linux-based operating system.

BK: I see. OK. Care to be more specific about which of the Windows ones you've been able to exploit?

Maynor: Well, on the Windows ones, one is an external card and one is an internal card.

BK: OK. So, where does the scanner come in?

Maynor: Remember how I told you that exploiting these are very, very dependent on driver version and operating system? So that the exploit you developed for one version, but if you make a minor change it doesn't work on another system? [The scanner] can tell you what chipset and driver version, so you can tailor your attacks better.

BK: But you're saying in addition to this you've found multiple problems? You're saying that in addition to this flaw [present in the Macbook drivers] there were three others that you've been able to find?

Maynor: Right.

BK: And, so I'm clear: Two of [these] were Windows-based, one Linux-based, and one of those Windows exploits is actually in a third-party external wireless card designed for Windows?

Maynor: Correct. Well, I mean, technically they're all third party. [Points to my HP Pavilion laptop] Microsoft itself -- on your HP laptop here -- Microsoft doesn't write those drivers. A third party does.

BK: I understand. So, have you got something to exploit the embedded HP drivers too? I'd love to see that.

Maynor: I dunno. Pull it out and we'll look.

[We looked and learned that my machine uses a built-in Broadcom device driver, for which Maynor and Ellch were not yet able to find an exploit. Moving on ...]

Maynor: So, the other stuff we found I'm telling you, but we're not ready to release a lot of our other findings, because one of our goals of our talks is we want to educate developers on how to find these vulnerabilities and how to integrate those methods into their development process. We've already talked to Microsoft about this --

BK: Oh? And what was their response?

Maynor: I mean, I'm really surprised by Microsoft these days. The guy -- specifically the guy giving the Vista wireless talk here -- we, [co-presenter Jon Ellch] and I talked to him about how to make fuzzers more efficient. Our goal here isn't specifically to highlight individual vulnerabilities we found, but the class of these vulnerabilities and educate people on how to fix them. So, it's cool that it's in an Apple, but the fact that we have a bug in Apple in itself isn't the coolest thing, it's just that you can then basically extrapolate that this problem is pretty much across the board. Take a look at this, if you want to see what we've been looking at lately -- we've been auditing a lot of wireless cards.

[Maynor pulls out a couple of cards, both made by Netgear. One is a WPN511, and the other a WG511T. As Maynor would later allude to, these were the cards he and Ellch used to locate and exploit the wireless device driver flaws they found.]

Maynor: So, what we've been -- you know, I lost my train of thought. To be honest, you're not going to find a lot of people running around with that kind of caliber exploit, and that's one of the reasons we're so paranoid about it. We don't want copies of it to get out. But a lot of these cards, you can flat-out crash them. So a denial-of-service, most security researchers will generally turn their nose up at, because it's not generally that interesting, right? But in this case, it's also like VoIP [voice over Internet protocol, which facilitates Internet-based telephone calls]. If you have a DOS in Cisco VoIP, for example, you can DOS a box and make the phones stop working, and that's better than your average DOS, right? So in these cards, if you DOS them, you can blue-screen the box. Which in itself can be a nuisance.

BK: So explain to me again how it is that -- you said earlier that you put these two on the same subnet, because you wanted to be able to show the exploitation on the Mac system, right? But what if they weren't on the same subnet?

Maynor: So that demo compromises the Macbook, and allows me to log into it interactively. It's just like I'm sitting at the keyboard on the Mac. So that's possible because we're on the same IP network.

BK: I understand. But let's say this thing isn't connected to your network, and it's just broadcasting and looking for an AP?

Maynor: So at that point there's no way for a connect-back shell to work because we don't have a central communication medium, so without writing my own driver that's going to insert to like bring up the card and get the same IP address on my network, we can't do bi-way TCP communication. So, an exploit in that case would look like -- you would exploit that Macbook, and you would put something on it like a bot. But this wireless exploit is an exploitable flaw and it's in the wireless IP stack.

BK: OK, so in that case, the machine would be exploited and you would have it connect up to your IRC channel of choice or something like that?

Maynor: Exactly. It's just like any other exploit, but the only difference is the communications medium in which that exploit gets delivered. And this could just as easily be a proximity attack -- if you have an exploit for a certain type of wireless card, and wait until they come into range -- and then using fingerprinting software, determine what kind of wireless card they have and what driver, if they, say, come into the coffee shop and are using a card and firmware that you have an exploit for you could attack them.

BK: What do you say to people who are going to look at this tomorrow and go, "Yeah, but I mean, these guys haven't released all that information about their attacks, it might have been something that they put together in some sort of test environment that's not going to work in the wild or in a real-life exploit situation"? I'm just trying to play devil's advocate here.

Maynor: No, no, no. I understand that. I can appreciate that. Look, I'm not going to go break into a bunch of machines with this exploit out in the wild to make sure it works. I can make it work and make it work in a test environment. And if I can make it work in a test environment -- spending the amount of time I have -- someone who is getting paid to do this, or because they just want the exploit, could spend three times as much time and then make it work in a robust environment. But this is a time game. We found these bugs, and now we're moving on to other stuff. This isn't something that I'm going to spend like four years researching. This is a problem we found that we can help people fix it. This is the same argument that people had with heap overflows. I mean, heap overflows were originally thought of to be not very reliable, they wouldn't be great exploits, things like that.

BK: But they're some of the best types of exploits out there that you could find, right?

Maynor: They are now, because people spent time making them far more reliable. I mean, to be honest, this exploit has a lot of shortcomings. It's not perfect. But it's also designed to be used in a demo and test environment. It's not weaponized and I'm not going to go running around trying to exploit things in the wild. It's designed to be run in a test environment. If someone wants to spend more time, I have no doubt it can be made more reliable.

BK: So what interaction have you had with the various OEMs and device driver people?

Maynor: We talked to Apple today, as I mentioned earlier. We also talked to Microsoft. We're actually hoping to talk to more of the vendors at the show. It's hard to chase down some of the contacts. To be honest, do you think that D-Link or SMC's first priority is a year-old device driver?

BK: No, but it might be if they sold 20 million of these flawed devices.

Maynor: Right, so the point of this whole talk is: These are methodologies you can integrate into testing environment, so that when we get to adding in new stuff like 802.11N and Wimax, stuff like this is going to become a lot more dangerous and important because these standards are going to cover a lot more geographical area. So right now, this exploit pretty much has a range of whatever 802.11B has. So these device drivers -- we've had [802.11] A, B and G, now moving to N and Wimax is on the horizon, and the driver code quality is not getting much better. And it's because people are under a ship date crunch. They want to get this working, they reuse code as much as possible, and some of that code has problems. No one is really auditing these things for security. Microsoft would be a bad example, because they actually do this. Ask any of these third-party device-driver authors whether they fuzz any of their drivers -- they don't. You want to hit the low-hanging fruit first. You'll find a lot of DOS conditions, but to find stuff that you can use for remotely exploitable conditions, you've got to spend a lot of time on it.

BK: So, again, you're looking at four altogether --

Maynor: Yeah, four remotely exploitable wireless-device driver flaws, including this MacBook one. Yes, this is one and there are three others. We've tried to spread it out pretty evenly, and not spend any more time on one particular vendor. Because, as I said, we're not trying to point out specific flaws --

BK: But you're not going to talk about specific manufacturers of these cards?

Maynor: We're not going to be shaming the driver makers --

BK: Well, so then what is significance of these cards here [pointing to the external Netgear cards Maynor pulled out of his bag a few minutes ago]?

Maynor: These network cards are Atheros-based and allow you to do raw packet injection. You can't do that on most cards. We had to build our own custom kernel. It's just real reliable for you to do raw packet injection. You can't do that with another card, because the attack is based on building these wireless control packages yourself -- and cards like that want to do it for you. That's one of the things manufacturers count on. It's like, well, OK, if you implement the specs properly, I shouldn't have to worry about things over here on our side. The problem is you get stuff that you never intended to see on the wire.

BK: So what you've found is going to create some pretty serious waves. Once you point it out, people are going to start looking at it.

Maynor: Well, that's that goal, really. But it's like, how do you tell a secret without telling the wrong people? You have to tell everyone at once.

[Maynor's phone rings, and my tape runs out of space, shutting itself off. I have another interview scheduled a few minutes later, and the interview between Maynor and me ends shortly after he gets off the telephone.]

On Saturday, Maynor and Ellch gave their talk a second time at DefCon, after which they posted a few PowerPoint slides responding to some of the questions they'd heard from Mac users.

By Brian Krebs  |  August 15, 2006; 1:33 PM ET
Categories:  From the Bunker  

Comments

All I want to know is this: Are you going to show proof that a Macbook can be exploited without a card or not?

I certainly hope you're not interpreting this as hate mail. It isn't. I readily accept there *could* be a vulnerability. But if you are going to assert something, you *must* provide proof. Until then, this is rumor at best, and sensationalism at worst.

Posted by: Steven Fisher | August 15, 2006 3:47 PM

I have to say that these comments were made on research that was a work in progress. I think a lot of the confusion surrounding this will be addressed when the affected vendor releases a patch and we can publicly detail what the vulnerability is.

Please do not jump to conclusions as the out of the box Macbook or its users are affected.

In response to a lot of this confusion we will be demoing this exploit live at Toorcon.

Posted by: David Maynor | August 15, 2006 3:50 PM

Brian,

I am glad that you are putting out additional information on this story. No doubt you received a lot of hate mail, but I also believe that several people posted very legitimate questions that do not deserve to be relegated to the "hate mail" category.

There are still unanswered questions.

First, in your original article, you said that the flawed Apple drivers were written by Atheros. Here, however, it sounds like the Atheros-based cards are instead on the machine that is doing the attacking because they allow "raw packet injection," whatever that is.

It appears that Apple uses Atheros-based cards on the new Intel Macs, not previous PowerPC-based machines. I believe those used Broadcom chipsets, so they probably aren't vulnerable. That's worth mentioning.

Second, I take you at your word that you personally saw the MacBook drivers attacked. I think, however, that if you look at the way the article was written, you bear a good deal of responsibility for the confusion on this matter.

In your first article, you wrote "The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system."

Of course, the video shows a third-party card. Not off to a good start.

Then, in your follow-up, you wrote that "he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported. . . I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable."

If you saw the attack personally, why didn't you just say so right here? What you actually wrote looks instead like you are taking their word for it. It wasn't until today that you said you saw it.

Posted by: Thor | August 15, 2006 3:53 PM

Dear David Maynor,

Thanks for posting here. Please clarify this for us: in the case of the Mac with the third-party card in the video, does the machine have to be joined to the wireless access point created by the attacking machine?

Did you set up the MacBook to automatically join the network created by the attacking machine? Normally, one would get a dialog asking whether the user wants to join a particular network?

If you can't answer these questions here, please do so at the new demo that you mention.

Thanks.

Posted by: Thor | August 15, 2006 3:58 PM

What does this mean?
"Please do not jump to conclusions as the out of the box Macbook or its users are affected."

Does that mean that the out of the box Macbook IS affected (as written), or is NOT affected (as it sounds like you might mean)?

Posted by: Bill | August 15, 2006 4:19 PM

It occurs to me that a really easy way for these drivers to get secured really fast would be to open the source in a way consistent with OpenBSD. This way, Theo and company could go through and find and report potential issues.

Posted by: foQ | August 15, 2006 4:20 PM

BEATING DEAD HORSE, seems like rehashing the same story in hopes of more page views.
Posted by: Tim | August 15, 2006 4:40 PM

Broken Record... how is any of this new?
Broken Record... how is any of this new?
Broken Record... how is any of this new?

Forrest for Trees, Everyone...
Device Drivers [categorically] tend to be exploitable and need to be better tested. Questions like - Which Driver? or Which Vendor? or Which OS? completely miss this point. There will be 1..n which are exploitable. Don't lose the message in the details. This has been well and repeatedly covered.

Broken Record... how is any of this new?
Broken Record... how is any of this new?
Broken Record... how is any of this new?

Posted by: Broken Record | August 15, 2006 5:59 PM

Aid, you don't know what you're talking about. Drivers are proprietary code written by hardware vendors that cannot be open-sourced by Apple for legal reasons.

It would be fantastic if David Maynor would stop making incoherent/cryptic comments and release a simple statement regarding the vulnerability and whether or not the MacBook/MBP is vulnerable with the built-in wireless card (Atheros chipset). Who is the vendor he refers to above? Atheros? Someone else? Why refuse to at least name the vulnerable VENDOR!?

Until then I will have to assume the comments made by Brian Krebs (who probably doesn't know the truth of the matter) that the MacBook is vulnerable out-of-the-box are not credible.

I know that the attack shown is totally plausible, of course, I'm perfectly familiar with device driver exploits. But all I've been hearing from the David Maynor camp since BH is vagaries and uncertainty. Nobody wants to wait until September to hear more information about this vulnerability. I don't care if your "goal here isn't specifically to highlight individual vulnerabilities we found;" if you found vulnerabilities, and then discussed them publicly, we (the security community) deserve more information.

Posted by: Bill | August 16, 2006 2:43 AM

"BK: Oh, so you do have to have it connected?

Maynor: No, this is just for the demo. This is the way we've developed the demo. If I explained it any other way, you wouldn't see anything. It would just say, "Exploit done." This way you can see the results of it."

This makes no sense. How can you say that you wouldn't see anything? How can Brian not ask a follow-up here? If you can get a shell, you certainly would see something. You would see the exploit in action. How would this be seen as nothing? I'm confused.

Posted by: James Bailey | August 16, 2006 2:33 PM

I'm totally non-technical...but I'm not sure if this transcript does anything to address the root-level vs. user-level access issue that many Mac folks questioned, quite apart from the 3rd party card issue?

It also seems odd that - given all the apparent lengths to use a 3rd party card and not the built-in wireless & so disguise an Apple vulnerability - so much of this reporting (even the initial story?) gave up the fact that, yes, this was a Macbook issue, not just a 3rd party hardware one.

Posted by: ba | August 16, 2006 2:45 PM

I find it somewhat amusing that so many folks are afraid of realizing that the Apple software has flaws, just like all other software out there. People seem to be looking for any reason to find a way to deny this.

Whether written by a third party or not, it's compiled into the kernel, and it's there. It's a device driver; it has access to everything with little if any security restriction.

And, it's "wireless"... So, while the concept of feeding malformed input to a server daemon or other software has existed for such a long time, it's time we realize that the same thing can be done to a device driver. And with wireless, it just creates an easy vector to feed this input to.

After all, there is A LOT of communication that occurs between your wireless card and the access point, or possibly any available access point broadcasting its availability, that could possibly slip some input to the wireless card driver that would overflow some memory buffers in the stack.

Apple's probably an easier target because of the ubiquitousness of a certain driver on any version of their OS, making them easier-to-find targets. This is due to the fact that they don't have the range of selection of cards and drivers that can be found with PC / Windows. Although the same vulnerabilities probably exist, vendors don't rewrite driver code from scratch for every OS; they just port and recompile.

Posted by: osteridge | August 16, 2006 5:53 PM

James Bailey,

I think the implication was that he could insert code onto the laptop when it is not connected to an AP but that they only have proof-of-concept code that doesn't actually do anything (and apparently no plans to spend more time developing other code). I could be totally wrong, but that's my impression after reading the transcript.

Posted by: none | August 17, 2006 8:40 AM

I see a lot of fear in some of these responses. What people don't realize is that _anything_ can be hacked.

The only way to guarantee security is through encryption.

Posted by: Dude | August 17, 2006 8:51 AM

One simple question that needs to be answered. Were there any security changes made to the MacBook besides the default settings of the machine? Was Remote Login enabled? Was a secure password used on the user account? Is the user an admin user, or a standard user?

These are simple questions that would determine the risk level of this particular exploit.

Posted by: bjojade | August 17, 2006 11:35 AM

The SecureWorks site:
http://www.secureworks.com/newsandevents/blackhatcoverage.html

now contains this information:

This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers. Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available.

Posted by: Anonymous | August 17, 2006 12:16 PM

None,

Again, that explanation defies logic. If you can exploit a device driver, it is running in kernel space. You have root automatically. Getting a shell from there should be trivial. Either you can inject code or you can't.

Posted by: James Bailey | August 17, 2006 5:36 PM

It is interesting now that both SecureWorks and Apple are saying that the demo did not use Apple's internal drivers. This directly contradicts Brian Krebs' account.

Anything to say Brian?

http://www.macworld.com/news/2006/08/17/wirelesshack/index.php

http://secureworks.com/newsandevents/blackhatcoverage.html

Posted by: James Bailey | August 17, 2006 6:58 PM

James -- and you think that Macworld article adds anything to this because why? You should spend a little bit of time looking at what Apple is actually claiming, and what they're not talking about here. Apple's PR people are basically pointing out exactly what I've said for the past two posts on this issue -- that Maynor et al. indeed used a third-party USB card in the video. SecureWorks is claiming that despite Apple's claims to the contrary, the company is shipping Mac products with vulnerable wireless device drivers. What Apple has not addressed in any kind of detail is whether or not the embedded drivers in the Macbook are vulnerable. All of their response so far is aimed at the demo showed in the video publicly.

Here are the relevant bits from my last two posts (in the off chance that you somehow commented without having previously read them):

http://blog.washingtonpost.com/securityfix/2006/08/the_macbook_wireless_exploit_i.html

"Maynor: Yes, it's a device driver. The thing is, there's a flaw in the OS, but I don't want to specifically point to it, so in the video you'll see I used a third-party USB device. What I'm trying to do is highlight the problems in device drivers themselves, not any one particular flaw. [Maynor misspoke here, and I later clarified this point with him. The wireless device driver that powers the internal wireless card on the Macbook contains flaws that -- when exploited -- give the attacker the ability to create or delete files, or modify system settings. The flaw is in fact in the Macbook's wireless device driver, which is made by a third party. So again, to be clear, the flaw is not, as he suggests in the transcript of this interview, in the Mac OS X operating system itself.]"

And in this post:
http://blog.washingtonpost.com/securityfix/2006/08/followup_to_macbook_post.html

"During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported."

Posted by: Bk | August 17, 2006 8:50 PM

Brian,

According to MacWorld, Apple's official statement on this matter is this:

"Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is," Apple Director of Mac PR, Lynn Fox, told Macworld. "To the contrary, the SecureWorks demonstration used a third party USB 802.11 device -- not the 802.11 hardware in the Mac -- a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

To the SecureWorks guys: if the internal MacBook wireless is vulnerable and you still have not reported the nature of the vulnerability to Apple, then shame on you. If it is not vulnerable to your exploit, then stop being vague. State it outright!

Brian, earlier I posted that I took your word that you personally saw the exploit done using the Mac's internal wireless. I no longer believe that you saw this (though I suppose it is possible that you saw them faking it).

Now the comment you made in your first follow-up on this issue can be interpreted properly. There, you wrote, "he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable." At that point, you did not say you saw the attack done on the Mac's built-in wireless, which would have been the most logical comeback.

Did you ever try to contact Apple to get comment? It does not appear that you did.

Your original article appeared all over the web. Its sensationalistic headline made a lot of waves. The first impression can never be undone fully. I think you have an obligation to keep following up on this matter and getting to the bottom of it.

We are now back to the following recommendation: do not go buy an unnamed third-party wireless card and use that card instead of your MacBook's built-in wireless.

Posted by: Thor | August 17, 2006 9:01 PM

Brian's response to James shows that he just didn't get it. He said:

"What Apple has not addressed in any kind of detail is whether or not the embedded drivers in the Macbook are vulnerable. All of their response so far is aimed at the demo showed in the video publicly."

No, that is NOT all they say. Specifically, Apple says, "SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

That is incredibly important. SecureWorks has not shared or demonstrated the exploit to Apple? Really? If it exists, they better damn well show Apple the code. To me, it is incumbent on those making the charge to provide the evidence.

We have all these stories about Apple putting pressure on them to keep quiet. It is time for silly talk to stop. If the exploit exists, come out with it!

Posted by: Thor | August 17, 2006 9:19 PM

Apple's statement today -- which they shopped around to a bunch of reporters -- has nothing to do with the crux of SecureWorks' claim. You need to be able to parse these quotes for what they are. Apple is merely addressing the vulnerability in the third party card used in the video. And I got that admission from their press person when I spoke to that person this evening. That statement is not meant to address information called to Apple's attention regarding the drivers that Mac's products rely upon.

Again -- the third party USB wireless card they used in the video demo indeed used a THIRD PARTY driver -- not made by one affiliated with Apple. Why should they share that vulnerability information with Apple?

Posted by: Bk | August 17, 2006 9:24 PM | Report abuse

"SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

Brian, with all due respect, you can parse this sentence all you want, but there is only one interpretation.

The hardware and software Apple ships is the MacBook with its built-in wireless. Apple says that SecureWorks has not demonstrated vulnerability to their kit.

The third-party wireless is just a big distraction at this point. Practically nobody would use such a thing, and Apple is clearly NOT talking about third-party cards in the above-quoted sentence.

Who is lying? I want to know. Apple is saying SecureWorks has not demonstrated vulnerability to the internal wireless. SecureWorks is saying that they did show Apple. Right now, all we have are a lot of very shady, undocumented claims by SecureWorks. The burden of proof rests with them.

Posted by: Thor | August 17, 2006 9:33 PM | Report abuse

Thor -- Is that right? Did YOU talk to Apple today, as I did? As I said, the comments they made to me were ALL about the demo that Maynor and Ellch gave in their video (Apple would not address any of the questions I had about what I saw in person). When pressed about whether Apple was disputing similar vulns reported to be present in their Macbooks, Apple said they'd have to get back to me. Their PR people said explicitly they were only prepared and briefed to talk about the demonstration shown in the video. They were not prepared to talk about whether their current code base was vulnerable.

Your last question is the main reason I have not updated the blog yet with Apple's comments. Apple claims that SecureWorks has only shown this to be a problem with 3rd party cards, which as we all know, isn't really an issue for Mac users. But they have not responded to my requests for comments on whether or not the flaws Secureworks pointed out to them as existing in the Macbooks are indeed valid or exploitable. So, right now it is a "who shot John?" game. Until Apple replies with some direct responses to my questions, the post will remain as is.

Posted by: Bk | August 17, 2006 9:55 PM | Report abuse

Brian,

Of course I didn't talk to Apple. I am responding to your point that we have to be able to parse Apple's quotes for what they are.

I agree with you that Apple is not explicitly saying that the vulnerability does not affect their internal wireless. The statement clearly DOES say, however, that SecureWorks has not shared or demonstrated any code showing that the vulnerability exists in the internal wireless drivers.

I take this to be a clear statement by Apple that SecureWorks has not gone to them, privately, and showed them any exploit affecting the internal wireless, if one indeed exists.

If Apple's statement applies only to the video, and SecureWorks has actually demonstrated to Apple that this exploit affects Apple's internal wireless, then Apple's statement is not just a carefully-worded comment. It is a lie.

Moreover, it would be stupid for Apple to issue this statement if it has been demonstrated to them that a vulnerability exists. It only sets them up for further grief and gives people a false sense of security. If the vulnerability exists, it would be far smarter to simply say that they are investigating the matter.

Taking the statement at face value. It remains possible that the vulnerability exists but that SecureWorks has not yet demonstrated it to Apple. If this is the case, then what's the hold up?

If it turns out that the vulnerability does not exist in the driver for the MacBook's internal wireless, then I sure hope everyone involved with sensationalizing this story issues a mea culpa.

Posted by: Thor | August 17, 2006 11:56 PM | Report abuse

Nice Dan Rather imitation. Yes, the demo was bogus, but the story is true. I stand by my story.

You called out Apple and Atheros, but two weeks later, they still can't reproduce it for Apple. In fact they are not claiming to be able to hack the AirPort driver at all, only the 3rd party card. (yes, I did talk to Apple today). I read Maynor's comment on this story the same way - the vulnerability will be the third party card only. Does that bother you?

The story was "Hijacking a Mac in 60 Seconds", so that level of sensationalism deserves a retraction when the reality is so much less. Maybe you should ask yourself, at what point would you stop defending this story... or maybe you already have? Now you're defending your reporting instead. Deceived Mac users everywhere deserve more than that.

Again, try Dan Rather for inspiration: "if I knew then what I know now -- I would not have gone ahead with the story" ;-)

Posted by: GWMahoney | August 18, 2006 7:02 AM | Report abuse

The question here is whether the demo Brian saw is the same one from the video. Apple's statement is pretty cleverly designed to focus solely on the video and nothing else. That was my first impression when I read it: if there is nothing wrong with it with the default OS, why not just say that? Why say things like "nothing regarding the video"?

Maynor said in the video several times that it was a 3rd party card, so that is nothing new. What is strange is that they also say that there was no code shared with them regarding the video that uses a 3rd party card. Why would someone? This would be like the equivalent of someone finding a bug in Symantec A/V and then reporting it to Microsoft. They didn't make the code, they didn't ship it, how could they fix it, and why would it be their concern?

Apple also says no code has been shared with Apple that concerns the demo that affects the built-in hardware. This is a very true statement, since it was said several times that the demo does not affect built-in hardware.

The question to ask is what was shared with Apple that didn't concern the video.

Posted by: Tom | August 18, 2006 8:15 AM | Report abuse

But, Tom, if Apple knows that their internal wireless driver is vulnerable, it makes absolutely no sense for them to suddenly "shop this statement around to a bunch of reporters" (in Brian's words).

They have nothing to gain by dismissing the video if Apple's own kit is vulnerable. In fact, I think it would make them look worse. That's why I think Apple's statement is not some obfuscation.

Just take the statement at face value. There was an exploit demonstrated at Black Hat. That exploit took advantage of third-party hardware with a different chipset and a different driver. SecureWorks has not demonstrated or shared any code related to this exploit that affects the built-in wireless.

They are not denying the potential for a vulnerability. But, again, if they know of a vulnerability, why would they take the initiative to issue this statement?

The burden of proof lies with the one making the claim. As far as I am concerned, SecureWorks has not demonstrated any vulnerability to the Apple internal wireless. That's what Apple is saying and SecureWorks is not saying anything different.

Posted by: Thor | August 18, 2006 10:09 AM | Report abuse

I wish I could mod up Thor's comments.

BK, Thor succinctly lays out the issue and concludes with the simple action item: what is the hold up with SecureWorks privately demonstrating the Apple software vulnerability to Apple?

SecureWorks claims the vulnerability is present in Apple's own software, but why has it only demonstrated the third party vulnerability?

Posted by: Chris W | August 18, 2006 11:27 AM | Report abuse

Brian

So, when can we expect to see the exploit using the internal Macbook wireless chip and drivers? Apple is already saying in public that they have not been shown any demo or code of the supposed vulnerability, in direct contradiction to your assertion that Apple "leaned heavily" on Secureworks not to expose the weakness.

If you are so convinced that such a vulnerability exists, then maybe you should quickly host a demo session and have Secureworks repeat the demo. Or even better organize a mtg between Apple and Secureworks where the exploit can be demonstrated in private. And then see what Apple says.

Or are you still maintaining that Secureworks is working with Apple to fix the hole, which Apple is denying in public? In which case, are you then saying that Apple is lying?

Or is there a big cover up by Apple and Secureworks to the whole thing now? To hide the security hole. In that case, as a responsible security reporter, shouldn't you be reporting it?

I think a more succinct stand from you would be appreciated.

Posted by: Want To See Proof | August 18, 2006 11:59 AM | Report abuse

The current SecureWorks statement seems to be at http://www.secureworks.com/newsandevents/blackhatcoverage.html

Quoting from there:
Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook.

If that doesn't sound like a disclaimer of the original story...

Posted by: John Fallon | August 18, 2006 12:09 PM | Report abuse

John Fallon,

The last few comments are getting this discussion on the right focus, let's not distract. The statement on SecureWorks web site is consistent with their initial description of the demonstration. Watch the video for evidence.

However, SecureWorks also made the claim that the vulnerability exists in Apple's software too. Apple claims that SecureWorks has not demonstrated this to them.

Posted by: Chris W | August 18, 2006 12:18 PM | Report abuse

I can't BELIEVE the Post would sit still for this.

Mr. Krebs, your inability to say "I was wrong," even in the face of the "hackers'" own admission that they did not do what you still maintain they did, destroys any credibility you might have had, and harms that of the Post.

Sure, maybe they lied to you and made it look as if they hacked the native Mac drivers. All it takes is to admit that you were taken for a ride. But no, you want to muddy the waters and turn it back on the "hate mailers."

You got sucked in. You're a little humiliated after getting more readership than you've ever had before, on a sham.

Just apologize and be done with it.

Posted by: Michael | August 18, 2006 1:11 PM | Report abuse

Brian - Stop weasel wording this and admit that the flaw does not exist in the shipping Mac. You may have seen a demo, but the methodology was flawed and the exploit cannot be reproduced by anyone, not even Maynor.

Posted by: MacBoy | August 18, 2006 1:23 PM | Report abuse

I just read down further.

Wow.

I expect someone like Bill O'Reilly to be combative, but dude, you're supposed to be a journalist.

I hope the WP editorial staff is reading this comment thread.

Posted by: Michael | August 18, 2006 1:24 PM | Report abuse

Brian Krebs should be fired. Usually I don't think a journalist is guilty -- blame the editors first -- but in this case he has gone too far:

1) In his first post, not clarifying whether this exploit was just for Intel-based macs (as it appears) or ALL intel and powerpc macs.

2) In his first post, also not clarifying whether the exploit was being run over a 3rd party 802.11 card or the Apple built-in wireless. It's clear he understands the difference... in the transcript he posts how his HP uses different drivers that the exploit does not work with.

3) Has anyone besides BK actually seen the exploit run on the default MacBook drivers?

4) Root or no root? Nothing in the video or in the transcript mentions whether the exploit gets to root.

5) And if you can't get to root, can you actually install a "BOT" on the machine in a MacOSX environment -- this is the essence of the actual security issue. See below for quote:

BK: So explain to me again how it is that -- you said earlier that you put these two on the same subnet, because you wanted to be able to show the exploitation on the Mac system, right? But what if they weren't on the same subnet?

Maynor: So that demo compromises the Macbook, and allows me to log into it interactively. It's just like I'm sitting at the keyboard on the Mac. So that's possible because we're on the same IP network.

BK: I understand. But let's say this thing isn't connected to your network, and it's just broadcasting and looking for an AP?

Maynor: So at that point there's no way for a connect-back shell to work because we don't have a central communication medium, so without writing my own driver that's going to insert to like bring up the card and get the same IP address on my network, we can't do bi-way TCP communication. So, an exploit in that case would look like -- you would exploit that Macbook, and you would put something on it like a bot. But this wireless exploit is an exploitable flaw and it's in the wireless IP stack.

BK: OK, so in that case, the machine would be exploited and you would have it connect up to your IRC channel of choice or something like that?

Without getting to root, installing a bot is going to require you to go through a secure authentication process by the user on the Mac -- and that simple step is the only real advantage Macs have in security (besides their low numbers).

Brian Krebs should be fired.

Posted by: charlie | August 18, 2006 1:31 PM | Report abuse

It's interesting to note that they have changed their stance on whether or not MacBooks are vulnerable out of the box from Apple. They now state on their web site that the DEFAULT DRIVER from Apple on the MacBook IS NOT VULNERABLE, only the third party driver THEY INSTALLED is.

http://tinyurl.com/lw82k

jm

Posted by: Jim McMurry | August 18, 2006 1:41 PM | Report abuse

Fries or baked potato with that crow, Mr. Krebs...

Security Firm Disclaims Mac Hack Demo

SecureWorks did a demo at the recent Black Hat conference showing how it could hack into a MacBook. Now the company has posted a disclaimer on its site to make it clear that the MacBook was modified.

By Thomas Claburn
InformationWeek

In a video presented at the Black Hat USA conference in early August, SecureWorks researcher David Maynor and Jon Ellch demonstrated hacking into a MacBook, setting off a flurry of press coverage about the insecurity of Wi-Fi-enabled computers from Apple and PC vendors.

Now it seems SecureWorks is backing away from its suggestion that MacBooks are just as vulnerable as other Wi-Fi-capable computers. The company has posted a disclaimer on its site to make it clear that the demonstration at Black Hat used a modified MacBook.

"This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers," the disclaimer says. "Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver--not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."

A responsible demonstration policy would have forbidden the installation of flawed drivers to make a point.

Apple sees the clarification as vindication. "Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is," Apple spokesperson Lynn Fox said in a statement. "To the contrary, the SecureWorks demonstration used a third party USB 802.11 device -- not the 802.11 hardware in the Mac -- a device which uses a different chip and different software drivers than those on the Mac. To date, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

Posted by: Mel | August 18, 2006 2:16 PM | Report abuse

I would encourage all of you to write to the Washington Post Ombudsman at ombudsman@washpost.com to complain about Mr. Krebs's story on three grounds: 1) His initial dishonesty about whether the demonstration was done on a specially modified Mac; 2) His shoddy reporting on whether this was a root exploit; and 3) His refusal to take back the story, which has now been called into serious factual credibility.

Posted by: Arlington | August 18, 2006 3:28 PM | Report abuse

If you look at the PowerPoint that SecureWorks has posted, Krebs is going down:

Quote (from Slide 6):

I saw some people quote you as saying the bug is in the built-in card and other people quote you as saying it's not, who is right?

They both are. The exploit shown in the video was targeting a specific third party driver and that same vulnerability does not affect the built in card. We are, however, doing ongoing research on the built-in card as well and have shared our findings with Apple.

endquote

That's it: The exploit doesn't work with the built-in card. Ergo, the demonstration was a sham.

Posted by: Krebs going down | August 18, 2006 3:35 PM | Report abuse

Anyone looking for the latest update on this story should check out the post I just put up at this link:

http://blog.washingtonpost.com/securityfix/2006/08/update_on_the_apple_macbook_cl.html

Posted by: Bk | August 18, 2006 4:36 PM | Report abuse

Those Netgear cards mentioned here do not have Atheros chipsets. They have PRISM chipsets from Conexant (originally created by Intersil).

Very few Wi-Fi adapters use PRISM chipsets anymore. Atheros, Broadcom and Intel are all far more prevalent. I bet this is largely a PRISM flaw.

Posted by: Ben Miller | August 21, 2006 1:37 AM | Report abuse

Exploit in the wild ;) thanks antichrist

Posted by: joe@wirelesshackers.com | August 21, 2006 12:10 PM | Report abuse

One thing to keep in mind about Mr. Krebs is that he has NO formal education in IT and as far as I can tell has had no experience working in the field. He is by no means an "expert" as you might expect. He wrote a sensational column without verifying any facts. If he was any kind of reporter he would have asked to bring a third party expert with him to the demo to verify their claims. He did not and therefore had to take the presenter's word for it.

Mr. Krebs, VERIFY WHAT YOUR SOURCES ARE TELLING YOU IS TRUE!!!!!! This is journalism 101!

Posted by: Troy | August 29, 2006 1:01 PM | Report abuse

I love hearing all you Mac worshipers freaking out because there MIGHT be a security vulnerability in your MacBook. So instead of taking a considered look at the article and the point the Black Hat presenters were trying to make, you all irrationally attack and insult the author. You nitpick every little point instead of facing the fact that the MacOS is not PERFECT. Neither is FreeBSD, RedHat or, believe it or not, Windows. Another news flash for you. The apps that you run on these OS also have the potential for security flaws. So even if your OS is as perfect as the Jesus, all the stuff you load on it may not be.

This just furthers my stereotypical belief that Macs are really cute, but not what I want to use when I have some real work to do.

Posted by: Clay | August 31, 2006 11:31 AM | Report abuse

The comments to this entry are closed.

© 2010 The Washington Post Company