Is there a MacBook hack that uses its native, built-in driver and hardware, or isn't there? I have been talking to many colleagues via email about the Black Hat 2006 presentation and its precursors and aftermath. Researchers David Maynor and Jon Ellch first stated that there was an exploit on multiple platforms with multiple drivers that would allow remote attacks and potential escalation of privilege--taking over a computer--via a Wi-Fi connection. This would not require the Wi-Fi network to be connected to a network for the attack to work.
I have not, in fact, spoken to Maynor and Ellch, which may be an oversight, but when colleagues have offered to get me in touch, it has come with a proviso that I will learn non-disclosable information. I'd rather not be in that position (yet).
Part of the confusion over whether this is a real exploit against a limited set of Macintosh computers--ostensibly MacBooks and MacBook Pros with specific Apple-installed adapters and drivers--stems from the researchers' decision to record a videotape that used a third-party adapter and drivers. Since this is uncommon and they wisely didn't show or explain which adapter was in use--to avoid releasing information about the exploit before it could be patched--the demonstration was not significant.
Their statements before, during, and after the event are, however, because they stated to Brian Krebs of Security Fix and demonstrated to him that there is an exploit that works on certain Macs. I can find no other person on the record who has seen this exploit demonstrated or to whom Maynor and Ellch provide the same statements. No one has publicly admitted to having seen the mechanics of the exploit--what kind of frames? what's the sequence?--and it would be irresponsible for anyone to reveal these exploits before they were patched.
Apple has denied that any material supplied by Maynor and Ellch shows a vulnerability. (I haven't heard anything about Microsoft or other vendors, except for Atheros, which said it hasn't seen anything that can be exploited, either, but it's unclear whether Atheros received the code and exploit details from the researchers or received them and found them lacking.) They have not denied that there is a possible exploit, which is wise, because this category of exploit is certainly possible.
There appear now to be two camps of pundits and commentators following the matter.
The first camp, which George Ou is the leading member of, says that the researchers clearly stated at Black Hat 2006 that they were demonstrating a third-party hack on the video that they showed. What's confusing here is that Ou was never told directly by Maynor or Ellch that they had a native Mac exploit. Ou cites Brian Krebs and points to Krebs's transcript and other reportage on this matter. On the video of his interviews, Ou quotes a snipped in which Maynor specifically states that they are not showing an Apple exploit. Ou can't get more out of Maynor at this point, he writes, about the Apple issue.
Ou believes there is an orchestrated attempt to discredit Maynor and Ellch. Brian Krebs at Security Fix stated on Aug. 3 that Apple had leaned on the researchers to not "make this an issue" about the Macintosh drivers. I'm not sure I can buy that. Rather, I think Apple released a press release that specifically has a point in time mentioned: nothing Apple has seen to date shows a native exploit, and the exploit demonstrating was using third-party equipment.
Rich Mogull, a computer security expert, is also a member of this camp, in that--as he writes on his personal blog on security issues--that Maynor and Ellch will "emerge with their reputations intact." He also says they've been trying to do the right thing from the start. He can't speak directly to all the issues as he's under nondisclosure (as is George Ou) with the researchers. However, he's pretty strongly implying that Maynor and Ellch were generally avoiding talking about the Apple exploit they mention to Krebs.
The other camp now believes there is no such native Mac exploit, and is stating it pretty unequivocally. Jon Gruber of Daring Fireball sends out this Molotov cocktail today. Here's his stance in a nutshell, but read the whole article: "...[W]e know that if Maynor and Ellch have identified an exploit against a stock MacBook, that they have not yet contacted Apple (or Atheros) with details about the vulnerability--which is both enormously irresponsible for ostensibly professional security researchers, and which contradicts statements they previously made to Brian Krebs that they had been in contact with Apple regarding their discoveries. Or, if they have contacted Apple, the statement issued by Appleās Lynn Fox is flat-out false and Apple has committed an enormous, almost incomprehensibly foolish mistake, because such a mendacious lie will prove far worse for Apple than divulging a Wi-Fi exploit that, if it actually exists, is surely going to come to light soon anyway. I.e. why would Apple lie about this if Maynor could call them on it?"
Gruber answers the question: Have Maynor and Ellch made contradictory or ambiguous statements that appear straightforward at first and then less and less so each time you read it. In fact, as I review statements and read Rich Mogull's post particularly, it's clear that the researchers are generally avoiding talking about a native Mac exploit. In the interview with George Ou, they talk about their third-party wireless hack. In the slides they prepared for DefCon, Gruber notes that they state, that "we are, however, doing ongoing research on the built-in card," which doesn't say, "We have an exploit," but nor does it disclaim that they have found such an exploit.
Jim Thompson, formerly of Wayport and Vivato, and currently a designer of wireless ISP-oriented gear, has posted a series of analyses of the exploit and how it might work. (Note that he does not disclaim, and neither do I, that such exploits are clearly possible.) Thompson writes in a fairy scathing manner, and Maynor tried to scathe him in return. Jim is fireproof, and he's since written even more analysis after seeing the high-resolution video of the Black Hat 2006 demonstration in which he thinks he's finding all kinds of continuity problems, red herrings, and other suspect pieces of information. (I have not seen this high-res version.) He wrote about this on Aug. 3 (general thoughts), Aug. 18 (specific details about how adapter MAC addresses don't add up, among other items), and Aug. 20 (what's up with the shell path).
(There's another camp that seems to maintain that the researchers said they were demonstrating a native Mac weakness, but instead showed a third-party adapter and driver. That is clearly not the case, although it's being used as a strawman. The Unofficial Apple Weblog took that stance, for instance, but they are misreading SecureWorks's note attached to the video demonstration. The note doesn't say there is no native Mac exploit; rather, it states that the demonstration didn't show it. Which the demonstration video never claimed.)
Where does this leave us? George Oh says that those of us reporting on this issue are judging Maynor and Ellch by a standard that other security researchers aren't held to. That Maynor and Ellch are trying to be responsible and provide the exploit to the relevant parties for them to deal with. But given that Apple and Atheros have released statements denying any problems with the specific situation the two of them say they have proven, this releases the researchers from the very high level of restraint they've shown, doesn't it?
There's one more possibility that I was just alerted to. It involves timing and accidental disclosure. I'll write more about this as soon as more is purposely disclosed.
Its clear that the larger message is lost because Maynor and Ellch decided to go after Apple because of their "smug" commercials and garner more media attention. Which brings to attention the completely ineptness of the Washington Post reporter.
To me, it doesn't look good for Apple. Folks under NDA, claiming to have talked to M&E are giving us hints that the flaw does exist.
Furthermore, it's my understanding that Windows (they borrow heavily from BSD's IP stack, no?) and other BSD varients are also susceptible.
One wonders what Theo http://www.theos.com/deraadt/ has to say.
[Editor's note: The FreeBSD stack that feeds into the Wi-Fi driver was patched some time ago; see Jim Thompson's comments on this, as he goes into some detail.--gf]
We can all be sure of several things:
* Accusations about the existence of a dangerous Wireless Macbook Driver (WMD) are being flung around at high speed.
* Failure to produce source code (of exploit or patch) is being mistaken for proof by some of the existence of the above-mentioned WMD's.
* Someone was either mistaken, irresponsible, unclear, or confused.
* The blog-o-sphere burns brightly in the dusky evening light, fueled by the heady fumes of speculations, scoops, and overdoses of poetic license.
* Lines are drawn, camps are formed, emotions run high. Someone will rename a common term to contain the word "Freedom" and not notice how silly they look.
Feel free to assign roles as you see fit. A twelve-sided die is included for your use. Or, you could wait for a real development.