Apple Denies Wi-Fi Flaw, Researchers Confirm

Glenn Fleishman writes "Apple tells Macworld.com that the Wi-Fi exploit demonstrated at Black Hat 2006 in a video doesn't show a flaw in their hardware or software. A third-party USB adapter with different chips and drivers was used, and Apple says the two researchers haven't provided Apple with code or a demonstration showing a working exploit on Apple equipment. The researchers added a note at their Web site confirming that only an unnamed third-party adapter was used. This doesn't mean the researchers have no flaw to show, but rather that their nose-thumbing at Apple users who were too secure in their security was misplaced, at least at present. The researcher's claim that they were providing information to Apple now seems off-base, too."

What a relief.

[A. Bosch (858654)]

So I can go back to being "smug" now about security on my mac?

What a couple of dicks

[Doctor Memory (6336)]

And here I agreed that the Mac community was too complacent. I was hoping that this would be a rather benign wake-up call (given that it wasn't an exploit seen in the wild, and the hats were taking proper precautions to prevent it from becoming so). And now we see that they were just trying to leverage their exploit to make a (valid, but now diluted) point.

Re:What a couple of dicks

[kaan (88626)]

Furthermore, all this is going to do is bolster the view that Macs are invincible. ... Oh you say you found another new exploit or vulnerability? Psha! As if! Didn't you hear that the only "exploits" on Macs are total bullshit invented by a couple clowns who hate Steve Jobs? And dude, didn't you see that Apple commercial about "viruses"? The Mac didn't get sick at all! But the PC did!

The thing that's more concerning to me is that the tech news and media start sounding like CNN. It seems like anybody can step up and make a loud claim about something controversial, and the news sites just spread it around. Most other tech security claims are held accountable for documenting details and specifics, and being up-front about things like, "well, this only happens while using a random 3rd party wireless card, which would admitedly happen almost never on a Mac since most have built-in wireless...".

Re:Well let me join karma suicide

[Yvan256 (722131)]

I have seen people transforming from complete Intel hater to Intel zealot just after WWDC Mactel announcement.

The Pentium 4 was a POS from day one, there was no need to be an Apple / PowerPC zealot to see that. Clock-for-clock, the P3 was kicking the P4's ass.

As for Apple zealots turning into "Intel Zealots" at WWDC05, well, you have to admit the new Intel Core is quite a step-up from their previous CPUs. And the Core 2 is (again) a big step-up too.

Just because something was good/bad in the past doesn't mean it's gonna be good/bad in the future (i.e. Mac OS 9 sucked but OS X is really good, Apple used to suck with their proprietary hardware and software (ADC, Apple-specific PICT screenshots that won't even load correctly in regular programs, etc) but now they're supporting standards (DVI, USB2, Wi-Fi, Bluetooth, PDF, PNG, etc).

So was this just a lie?

[by Anonymous Coward]

Security Fix [washingtonpost.com]:

During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

So some "facts" were just made up...

[gnasher719 (869701)]

We were told that all Macs are vulnerable. And not only all Macs, but also all Linux machines, and all Windows machines. It seems this was not the case. Apparently there is no exploit at all against a bog standard Macbook with built-in wireless, and that covers about 99.999 percent. Using an external card was essential to the exploit, the claimed "pressure from Apple" was just made up. Remember, these guys _did_ claim that a Macintosh with built-in wireless adapter was vulnerable, and they didn't demonstrate that because of pressure from Apple! I didn't believe it then, nobody should have ever believed it without evidence, and now they have been caught with their lies.

Shame on everyone who reported it without checking the facts.

Big surprise.

[supabeast! (84658)]

So if this report is true it means that computer security professionals are grandstanding and misstating the facts to get attention and advance their own personal agendas. I am shocked that such a thing could happen! If we can't trust computer security nerds when they present at Black Hat, how can we trust them when they release proof-of-concept code, call it virus in the wild, and then try to sell us antivirus tools to remove it? How can we trust their products for *nix operating systems?

My God - what if the computer security folks are often just full of shit?

No Surprise

[ar (109152)]

Anyone who thought about it for more than a second or two would have realised that it was never going to be a vulnerability in the default MacBook Pro hardware or drivers. If it wasn't, why would they need to introduce a third-party wireless adapter at all?

Frankly, the disclosure here was pretty amateurish. Surely they would have known that demoing the vulnerability on Apple hardware would have implicated Apple. In fact based on the "aura of smugness on security" comment it looks like they deliberately *chose* Apple hardware to be falsely implicated.

Do these guys have *any* credibility left?

Special spl0itz!

[Nijika (525558)]

I have found this amazing security flaw in OSX. If you take a specially crafted driver, and you use a specially crafted peice of hardware and insert it into the system you want to compramise, you can then compramise it remotely!

Gad Zukes!

This is almost as good as the Debian exploit I found last year. I found that if you built a specially crafted PC, and then installed a specially crafted version of Debian, it would prompt you to set the root password during the install, leaving the system open to compramise by the person installing the OS.

Next year's Black Hat conference, here I come!

Here are the unpublished details on this hack

[sjonke (457707)]

1. Take your MacBook and sit it on table
      2. Log in to the MacBook with your username and password
      3. Turn on "Remote Login" in the "Sharing" system preferences pane if it isn't already on
      4. Select your wireless network from the menu in the menubar and enter the password
      5. Write down the IP address that you see in the TCP/IP tab of the airport settings on the MacBook. You'll need it later.
      6. Take a different computer of yours and connect to the same wireless network and enter the password
      7. Bring up a terminal and type in ssh://
      8. At the login prompt enter your username and password
      9. You're in baby, have a fuckin' field day!!!

Tar and feather RESPONSIBLY

[davidwr (791652)]

Before you tar and feather someone publicly, make darn sure you don't leave the wrong impression or it will boomerang on you later.

This is true in any industry.

If these guys had made it CLEAR that they were using a NON-APPLE network device from the get-go we wouldn't be having this discussion today.

What they should have said:
"We found a wireless exploit in a major-brand wireless network device. We will be releasing the name and model number of the device after responsible notification to the vendors involved. The videotape you are watching shows this device connected to an Apple Macintosh. We have also tested a device containing the same chipset connected to a Windows-based PC and found similar problems."

Not exactly surprising

[Durandal64 (658649)]

These guys had a demonstrable bias against Apple's platform and users from the get-go. They specifically chose the MacBook because they didn't like Mac users' supposedly smug attitude about security, so they wanted to make a public example of a Mac getting 0wned. But oh wait, they used a third-party wireless device with a third-party driver, a setup that's about as common on Mac hardware as steaming shit in Antarctica. When asked why they chose this, they claimed that Apple had put pressure on them to not demonstrate the flaw with Apple hardware ... but to go ahead and tell everyone that the same flaw existed in Apple hardware anyway. Why Apple would ask them to do that is anyone's guess. This was a highly dubious claim at the least. It's not surprising at all that it turned out to be total bullshit.

With the statements from Apple, the questionable reasons given by the researchers and their ire about the Mac community in general, I think the most probable conclusion is that these guys are full of shit. What I can't understand is why they'd risk their reputations on something seemingly so petty.

Headline misleading

[Microsift (223381)]

The headline's construction is confusing (paraphrasing) Apple Denies, Researchers Confirm. Since deny and confirm are antonyms, the headline implies that the two parties, Apple and the researchers are in disagreement, which is not the case.

I have been wondering

[cyfer2000 (548592)]

I have been wondering from the beginning, if they could insert an third party wireless card into my computer, why don't they insert a OS X boot DVD and enable root on my computer? Or simply grab my computer, they can gain TOTAL control of my computer much faster.

Well, Duh

[MidKnight (19766)]

Anyone who did some passing research into the original posting [slashdot.org] could've seen that. As I said originally, these guys just did their demonstration on a Mac in order to get a publicity storm started. They certainly accomplished that, and probably raised the visibility of their security company as a result. Good for them, I guess.

This is a very real exploit... just not one that the Mac is vulnerable to unless you're using 3rd party wireless hardware. And how many Mac users do you know that use 3rd party wireless hardware? Yeah, me either.

Re:Uh... the "game's" rules are too strict

[computertheque (823940)]

When they have integrated wi-fi and the user decides on a third party usb option with questionable settings, I wouldn't say it was my fault either.

Reality

[SuperKendall (25149)]

It would not be rediculous if the device in question were something that someone were at least somewhat likley to use.

But in reality every laptop sold by Apple today ships with an Airport card, and most of the ones sold previously had one as well. What message are you really sending when you trumpet a flaw that affects 1/10 of 1% of Mac users?

The message that Mac users should be aware of possible security vulnerabilites is an excellent one but hyping a vulnerability that would simply not happen in reality was a poor vehicle to convey this message, and basically comes off as self-aggrandizing; that is to say they were far more interested in promoting themselves than warn Mac users about security flaws.

Re:Uh... the "game's" rules are too strict

[TheGreek (2403)]

It seems pretty ridiculous to say "We guarantee our OS is secure [unless you use hardware that wasn't made by us]."

It's a good thing Apple doesn't guarantee that, then, because it would indeed be ridiculous. What they acutally said was:

"Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is," Apple Director of Mac PR, Lynn Fox, told Macworld. "To the contrary, the SecureWorks demonstration used a third party USB 802.11 device-not the 802.11 hardware in the Mac-a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

Re:Uh... the "game's" rules are too strict

[ThinkFr33ly (902481)]

Drivers typically run in kernel mode. Kernel mode simply can't be "secure". Those drivers can do anything the kernel can do, including write directly to memory (ANY memory), disk, etc.

This applies any ANY OS that allows code to be loaded into the kernel... in other words, allows kernel mode drivers.

In other news...

[Logger (9214)]

In other news today, a faulty air bag was blamed for the death of a driver in a recent accident. The auto manufacturer's safety claims for the car were obviously overblown, and their smugness is now revealed.

Update later that day: As a side note to this story, the owner of the vehicle replaced the OEM airbag with one from Orval Reddenbacker, so she could eat popcorn in case she was in an accident. We originally decided we would overlook this aspect, because we have an axe to grind with this manufacturer and to create buzz generating free advertising for our company.

Re:...or alternatively...

[jspectre (102549)]

Wouldn't say no user, but as most macs come with built in airport they rarely use 3rd party wifi adapters and drivers. Infact it's damn hard to find 3rd party wifi adapters and drivers. In any case it certainly isn't any fault of Apples if 3rd party equipment has vulnerabilities.

Re:...or alternatively...

[by Anonymous Coward]

Allow me to provide some background on one of the researchers. David Maynor has never been credited with the discovery of a vulnerability, even after several years at ISS X-Force. I have seen him present at three security conferences (two Blackhats and CANSEC) and not once have I seen him support his claims with any evidence. I am acquainted with a number of his former coworkers in the vulnerability research community and have been told by all of them not to place any stock in his caims. Based on that on the refusal to provide proof, I question this whole situation.

who are we to question?

[guet (525509)]

Yeah, so they should also trust two jokers on the internet who want to create a buzz around their presentation, and frame their demo so that it is bound to do so...? It cuts both ways.

Although we'll see nothing but speculation in this article and its comments, eventually the truth will be known, and we'll have an exploit which is documented and proven to work, or not. If Apple have a flaw, and won't admit it, that would light a fire under them wouldn't it?

Given the hackers comments :

Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook.

It sounds like they were bullshitting to try to make a splash, which they did. Till I see proof, I'm not inclined to trust either side.

Two faces of trust

[SuperKendall (25149)]

. People should ALWAYS trust what a company has to say about its own products. If Dell says there's no problem with their laptop batteries, they must be telling the truth. . right? On the same token, if Apple says that there is no problem with their wireless adapters or software, who are we to question them?

Myself, I trust the people who actually have the code to look at. In this case that would be Apple. They have done little that would lead me to think this statement was misleading.

If you blindly mistrust any company just because it is a company, you are just as badly off as if you blindy accept anythign any company says. You need to use common sense in evaluation statements from anyone.

Numbers

[SuperKendall (25149)]

Black Hat, you have a choice. You need to code a virus / worm, or develop something to take advantage of an exploit. Your goal is: Make as much money as possible. Your choices are: 1.) attack 2% of the market. 2.) Attack 6% of the market. 3.) Attack 92% of the market.

That's a poor way to look at it, and masks the situation you have with the Mac market today.

Any of those 92% of computers may vary wildly in terms of OS loaded or software used.

With the Mac you have tens of millions of computers (fourteen million registered OS X users). Lots of them are running the same software, the same browser, at the same OS rev.

Looking at the cost of renting botnets on the grey market those millions of computers represent millions of dollars of revenue, even if you crack just a percentage of them. So the question is why would someone leave that money on the table?

The answer is obvious - because it's a lot harder to hack a Mac to use in such a way. So it's not really numbers that are preventing the serious development of attacks today so much as a stronger security model. This would potentially be true even beyond the 80% marketshare point.

Basically the reason the Mac is safer today and will continue to be so even as market share climbs is the same philosophy behind avoiding being eaten by a bear - you just have to be able to run faster than the guy next to you. Windows is puffing something fierce.