The fuss caused yesterday by a video of a Wi-Fi hack presented at Black Hat 2006 is still ongoing: some folks want to deny that the hack is possible because the researchers didn't show it live under controlled circumstances. Instead, they showed a video (available at Security Fix) that shows part of the process of owning a MacBook Pro. Unfortunately for those who want to deny the possibility, and despite Apple's lack of a public statement on it, Intel released driver updates for its Centrino adapters just a few days ago that describe precisely the kind of flaw these guys have said they uncovered and reported to Intel, Apple, and others.
The flaw affects Windows XP and Mac OS X, although it's probably only a MacIntel problem. (I have to believe that with seven years of AirPort and three of AirPort Extreme, that this category of flaw would have been uncovered on the PowerPC side, if anyone cared.)
So my guess? It has to do with a malformed beaconing frame. Access points that are not set to closed status (the mode in which the SSID, the service set identifier or name of the network, isn't broadcast) are constantly sending out frames that announce who they are. Whether connected to a network or not, Wi-Fi adapters are receiving and processing this information; it's why you see a list of Available Networks in Windows XP or a dropdown list in the AirPort menu in Mac OS X.
A specially crafted beaconing frame is the only method I can conceive of in which a computer that is otherwise not engaged in specific behavior, such as connected to a network or connecting to one, could be attacked, and that's what the researchers claim can happen. Other thoughts?
Update: Jim Thompson details extensively what he thinks is at work, including the kinds of frames that unassociated and unauthenticated Wi-Fi cards will accept.
It's a whole lot of hype for nothing new. They are getting the victim laptop to associate to the attacker laptop, which is acting as an AP.
The malformed Beacon idea is impossible because they still have to send data between the two laptops once the victim is hijacked. Beacon frames are received by unassociated stations and the information in those Beacons is processed, but none of that information is sent above the MAC layer. Therefore, creating a new file at the application layer would be impossible.
I will give them some credit because they seem to have found something that allows them to circumvent the normal login procedure on the victim laptop. You never know, though. It's always possible that they rigged the victim laptop beforehand.
The video clearly shows a black MacBook and not a MacBook Pro. The MacBook does not have an express card slot. The video seems to show an Express 34 card though I guess it could have been a huge USB WiFi adapter. Do you know if USB WiFi adapters work on OS X out of the box? Would they be seen as WiFi or ethernet? All very odd and not too convincing.
There are quite a few USB cards that work on Mac OS X. 802.11g and 802.11a/g adapters from ZyXel (unsure of the chipset) and 802.11b adapters from Linksys, Netgear and D-Link (Prism II chipset) all work on Mac OS X machines.
I believe I was wrong in what I wrote earlier about Beacon frames not being part of the attack. They certainly could be. I still am very skeptical that the attack could be carried out to the degree they carried it out (creating, modifying and deleting files at will) without an association. I just don't see why they would have used an associated station for the attack if they didn't need to.
OK, so I was at Defcon and these guys showed the video there and did a Q & A.
No one brought up the beaconing question, although that's what I first thought of too, along with a lot of people in the room. We questioned what kind of wireless adapter was in the computer in question, and it was a USB Wi-Fi card, so that takes care of that.
The reason they didn't do a live demo at Defcon or at Black Hat was, well, according to them, "because everyone in the room had sniffers running and would have captured the malformed code."
I've been thinking about this a lot, especially on the flight back home, and it must have been a beacon request... Whatever the case may be, the 100 Mb patch a few days before Defcon makes me think this is legit.