Slashdot Mirror


Less Than a Minute to Hijack a MacBook's Wireless

Kadin2048 writes "As reported by Ars Technica and the Washington Post, two hackers have found an exploitable vulnerability in the wireless drivers used by Apple's MacBook. Machines are vulnerable if they have wireless enabled and are set to connect to any available wireless network, fairly close to their default state, and the exploit allows an attacker to gain "total access" -- apparently a remote root. Although the demo, performed via video at the BlackHat conference, takes aim at what one of the hackers calls the "Mac userbase aura of smugness on security," Windows users shouldn't get too smug themselves: according to the Post article, "the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS." Ultimately, it may be the attacks against embedded devices which are the most threatening, since those devices are the hardest to upgrade. Currently there have not been any reports of this vulnerability 'in the wild.'" According to this story at ITwire.com, they were able to exploit Linux and Windows machines, too. (Thanks to Josh Fink.)

30 of 390 comments

  1. Re:How about warning the vendor. by Snover · · Score: 5, Informative
    You mean like this, from TFA?

    Maynor said he and Ellch have been in contact with Apple, Microsoft and other companies responsible for vetting the device drivers that power the embedded or third-party wireless card devices meant for those systems, and that both companies are working with wireless card vendors and original equipment manufacturers (OEMs) to remedy the problems.


    Also, christ, I'd say they're being pretty responsible about it.

    Maynor said he and his colleague opted in favor of a videotaped demonstration versus a live one because of the possibility that someone in the audience could intercept the traffic sent to a potentially live target and deconstruct the attack -- possibly to use the exploit in the wild against other Macbook users.
    --

    [insert witty comment here]
  2. In related news... by Kranfer · · Score: 4, Informative

    In related news, there is an article at ITWire about Intel admitting to a security flaw with their wireless technology as well. Check it out at http://www.vnunet.com/vnunet/news/2161539/intel-admits-centrino-wi

    --
    -- Josh
    "Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
  3. Re:How about warning the vendor. by Whiney+Mac+Fanboy · · Score: 4, Informative
    They should have disclosed the vulnerability to Apple and given fair time to patch OS X before going public with it.

    Seeing you can't be bothered reading tfa to find out that they haven't disclosed & gone to some trouble to ensure the vulnerability's details weren't leaked, I'll quote the relevant sections for you:

    While those device driver flaws are particular to the Macbook -- and presently not publicly disclosed

    and:

    Maynor said he and his colleague opted in favor of a videotaped demonstration versus a live one because of the possibility that someone in the audience could intercept the traffic sent to a potentially live target and deconstruct the attack -- possibly to use the exploit in the wild against other Macbook users.

    One last quote for you (just 'cause it's funny):

    "We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,"
    --
    There are shills on slashdot. Apparently, I'm one of them.
  4. Recent Intel Windows WLAN driver vulnerabilities by frozenray · · Score: 2, Informative

    Some of these look pretty serious, although there's no exploit circulating yet:

    Intel information about affected drivers

    Fixes can be found here

    --
    "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
  5. 3rd party by Tom · · Score: 3, Informative

    One should probably mention that they exploited 3rd party drivers and not the ones that the MacBook actually uses.

    And I was joking about this on a security mailing list yesterday. I mean, come on: 3rd party drivers that nobody is using anyways because the ones you get with the system are perfectly ok? What's next? Writing the exploitable drivers yourself?

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:3rd party by fatrat · · Score: 5, Informative


      Read Brian Krebs' follow up

      http://blog.washingtonpost.com/securityfix/2006/08/followup_to_macbook_post.html

      Apple 'leaned heavily' on the presenters to make them use a different card. The built in card *is* vulnerable.

  6. Re:Uh by TheRaven64 · · Score: 4, Informative

    R'ing TFA, I found that the chipset in question is an Atheros. As a Free- and OpenBSD user, this made me feel incredibly smug since, unlike Linux, the OpenBSD driver (now ported to FreeBSD) for Atheros cards is entirely blob-free (and has undergone the same security audit as the rest of OpenBSD) and so is almost certainly not vulnerable to this attack.

    --
    I am TheRaven on Soylent News
  7. Re:Driver vulnerabilities by TheRaven64 · · Score: 2, Informative
    According to TFA, the chipset in question was from Atheros. They produce binary Windows drivers and Linux drivers which are partially open but contain a blob. The OpenBSD driver is reverse-engineered and 100% blob-free. The FreeBSD driver is a port of the OpenBSD driver[1]. It sounds like the same code was used in the driver on all platforms, which should make the OpenBSD driver safe, since it does not contain any Atheros code. It may contain other bugs, but hopefully their code auditing process will catch these.


    [1] On recent versions of FreeBSD. Previous versions did include the blob.

    --
    I am TheRaven on Soylent News
  8. Actually, your Powerbook probably IS safe! by mrchaotica · · Score: 4, Informative

    MacBooks use different wireless drivers (because they have Intel wireless chips). Your Powerbook has the old Airport card; unless there's also a similar flaw in it, it's safe.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    1. Re:Actually, your Powerbook probably IS safe! by larkost · · Score: 2, Informative

      Actually.... they are not using the onboard WiFi for the attack at all. They are using an external WiFi adapter, and since they are using a MacBook (in the video it is a black computer with an Apple... that means a MacBook) that almost definitely means they are using a USB adapter.

      So MacBooks are not normally vulnerable to this sort of attack: they went out of their way to introduce third-party hardware that opened the door to the attack. I am not saying that Apple should not work to close even that door, but that it is not usually a valid attack. Oh... and there is a good chance that the PowerBook could well be vulnerable in the same way, but there might be something particular to x86, or a bridge chip, or... or... or...

  9. Re:Uh by Moby+Cock · · Score: 1, Informative

    Mac users ARE arrogant

    That's only because they use better computers.

    Heh.

  10. Re:Misconceptions by users by MichaelSmith · · Score: 2, Informative
    I have never seen a *single* self-propagating thingie for linux

    What about the SSL worm from a couple of years back? I had at least one linux server rooted by that at the time.

  11. The ISC discussed this yesterday by pbrammer · · Score: 5, Informative

    Look for more information on the ISC Web site. Bottom line is this is not an OS issue, rather a "firmware/driver" issue.

  12. Re:Centrino. Feh. by Nick+Fury · · Score: 5, Informative

    It's not Centrino. Centrino is the name given to Intel's package of Motherboard chipset + wireless chipset + Processor. The new Apple machines don't use an Intel wireless card. They use Intel's chipset and Processor but not their wireless card. This does not make them Centrino machines.

    To be specific the new Macbooks/pros use an Atheros 5006x. This is in comparison to the powerbooks that use a broadcom based card. So Apple doesn't use Centrino.

  13. Watch the video by eturro · · Score: 5, Informative

    The actual video is here.

  14. Re:Smug Mac users? by Anonymous Coward · · Score: 3, Informative
    Mac OS X does not enable root by default
    Network drivers run in kernel mode, and an exploit in kernel mode gives full control of the system to the attacker. The privileges of any user processes running on the machine are neither here nor there.
  15. Re:Uh by rahrens · · Score: 1, Informative

    1. We claim that our "boxes" are superior because we believe that they are, and we put our money where our mouths are. "Windows fanboys" do too. Does that make YOU smug?

    2. We claim that there are no (or few) exploits in the wild BECAUSE IT'S TRUE!

    3. We look down our noses (at least some of us do, not all) ... when citing features of the Mac OS, because a LOT of us really do know Windows! I support Windows machines for a living, so I am certainly aware of Windows features (and bugs - oh, sorry, THOSE are features, too!). So my views on Windows are backed by first hand knowledge. Is your view of Mac OS X backed by first hand knowledge, or just wishful thinking?

    I don't have to justify my spending to anybody. I just buy Macs cause I really do think they are superior to boxes that run Windows. So I put my money on the line.

    Apparently, you do too. Frankly, you sound as smug and superior as you say I do. Fine, it's your money. Spend it as you like. Someday, you may see what I do in Apple's products, but if you don't, I won't take it as a stain on my manhood - or yours either...

    --
    "Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
  16. Re:Misconceptions by users by i+kan+reed · · Score: 2, Informative

    First, the very FIRST worm was a worm that propagated on a flaw in sendmail. Second, you must consider that a worm doesn't have to propagate on 10% of machines just once. Every time it spreads, less than 10% of its targets are acceptable. This has an exponential limitation on the spread of the worm, not a linear one. If you had chosen any type of problem other than worms, your statement would have been valid. (trojans, standard ride-along viruses, spyware, adware). Those are valid things to point to, but not worms.

  17. The built-in card IS vulnerable by everphilski · · Score: 4, Informative

    check Security Fix:

    During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

  18. Apple's wireless drivers are flawed too, read ... by everphilski · · Score: 5, Informative

    check Security Fix:

    During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

    ( Looks like Apple was wielding a big stick ... )

  19. Re:Smug Mac users? by KingArthur10 · · Score: 2, Informative

    True, you don't need to be connected to the WAP, but you do need to be in automatic association mode, which it is not in by default unless it detects a trusted WAP.

    --
    I came, I saw, She conquered.
  20. Re:Mac Users by marklark · · Score: 5, Informative
    According to John Gruber of Daring Fireball, the affected MacBook was seen to be using a 3rd party wireless card. MacBooks (Pro or not) have wireless built in these days. This is a non-story. And this will probably be fixed soon by Apple for others.

    Next?

  21. Yes, they are by everphilski · · Score: 2, Informative

    check my post just above yours. Post there and on several other news sites. A macbook by default is vulnerable, it's just that Apple was wielding its "beat stick" and told them not to demo it on the internal wireless card.

    No fix yet.

  22. Re:Uh by TheRaven64 · · Score: 3, Informative
    was talking to a wireless security guy a month ago about something like this, and he was telling me that every wireless card has an embedded driver for testing purposes before leaving the factory to ensure it is working

    There are two possibilities here. If the testing driver is in the firmware, then it will still be present in OpenBSD. Since the firmware does not run on the host CPU, however, compromising it is only useful if you can then return something to the driver that will be executed, usually by exploiting a flaw in the driver causing it to execute arbitrary code in ring 0.

    The other alternative is that this really is a driver you are talking about. In which case, it would not be present in OpenBSD, since the OpenBSD driver is a clean-room implementation and shares no code with the official driver.

    And if OpenBSD has no problem and it's the OS driver that needs replacing, then Apple will just take your OpenBSD driver and port it to their system, problem solved. That is why they went with BSD, they can borrow from any BSD that is out there.

    I'm sorry, but that's not even remotely true. OS X uses IOKit for all device drivers, which is an Embedded C++ API. OpenBSD and FreeBSD use derivatives of the old BSD device API. It is possible to port device drivers between FreeBSD and OpenBSD relatively easily, because the API changes between the two have been small and incremental. If you try 'porting' a network driver from OpenBSD to OS X, then what you are really doing is using the OpenBSD driver as a substitute for real documentation and writing a driver from scratch. Doing this is likely to introduce bugs, since code (even good code) is a poor substitute for documentation.

    --
    I am TheRaven on Soylent News
  23. Re:the Bottom Line by brkello · · Score: 2, Informative

    It's exactly this attitude that will burn you guys some day soon. I am not devoted to Microsoft...I am devoted to reality. Mac userbase has been too small to care about. It's beginning to get larger. As long as you are connected to a network, you are not safe. This is true of any OS. Get off this whole "my OS is more secure than your OS" crap. There is no totally secure OS. Realize that you are vulnerable and take the correct steps to protect yourself. Don't say "well, at least I am more secure than Windows". I guarantee you that my Windows box is more secure than yours because I lock it down tight.

    --
    Support a great indie game: http://www.abaddon360.com
  24. Re:Uh by TheRaven64 · · Score: 3, Informative

    As I explained above, no. OS X is not 'based off BSD,' it is based on OPENSTEP, which is based on Mach with a BSD subsystem and a BSD userland. The drivers are all handled by the IOKit layer, which is new for OS X. IOKit is a set of Embedded C++ libraries and is very different to other BSD driver APIs (for one thing it's Embedded C++ not C, but the structure is also very different). At best Apple could use the OpenBSD driver as a substitute for chipset documentation and write an IOKit driver from scratch; there is not likely to be very much code that can be shared between the two.

    --
    I am TheRaven on Soylent News
  25. Re:Mac Users by Uncertain+Bohr · · Score: 3, Informative

    The title of the article is misleading: the macbook was not hacked using its normal built-in wireless adapter and its Apple drivers. The video (http://www.washingtonpost.com/wp-dyn/content/video/2006/08/02/VI2006080201424.html) of the exploit *clearly* shows and explains that they are using an *external* third party wireless adapter which comes with its own wireless driver. This driver is the culprit and is susceptible to the exploit. The wireless adapter they demoed is widely used with PC laptops and the drivers on PC are similarly flawed. This demo was to show that device driver makers need to be a lot less careless and test their drivers a lot more.
    One thing that is unclear in the demo is whether root access was gained. The demo shows creating, reading, and deleting files on the MacBook user's Desktop. I would have liked them to do a "rm -rf /" and see whether they could really do this.

  26. Hack Dismissed - Third Party Hardware Used! by ernest.cunningham · · Score: 2, Informative

    http://blogs.zdnet.com/Apple/?p=255 "Earlier today I posted a story about two hackers from the Black Hat conference in Las Vegas and how they supposedly demonstrated how to exploit a vulnerability in Apple's wireless device driver to remotely access and control a MacBook over a network. The story was based, in part, on a blog entry by Brian Krebs at the Washington Post. As it turns out the hack described does not apply to MacBooks as it relies on third-party wireless hardware rather than the wireless cards supplied by Apple. FTA: "Maynor said the MacBook used in the demonstration was not using the wireless gear that shipped with the computer."

  27. Did anyone even look at it? by Trillan · · Score: 2, Informative

    You don't even have to read the article this time, just look at the site. This vulnerability requires use of an aftermarket wireless card. Who is going to use an aftermarket wireless card on a MacBook that always comes with built-in wireless?