Less Than a Minute to Hijack a MacBook's Wireless
Kadin2048 writes "As reported by Ars Technica and the Washington Post, two hackers have found an exploitable vulnerability in the wireless drivers used by Apple's MacBook. Machines are vulnerable if they have wireless enabled and are set to connect to any available wireless network, fairly close to their default state, and the exploit allows an attacker to gain "total access" -- apparently a remote root. Although the demo, performed via video at the BlackHat conference, takes aim at what one of the hackers calls the "Mac userbase aura of smugness on security," Windows users shouldn't get too smug themselves: according to the Post article, "the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS." Ultimately, it may be the attacks against embedded devices which are the most threatening, since those devices are the hardest to upgrade. Currently there have not been any reports of this vulnerability 'in the wild.'" According to this story at ITwire.com, they were able to exploit Linux and Windows machines, too. (Thanks to Josh Fink.)
In the video he uses a third party wireless card. Are other cards, such as the built-in card, similarly vulnerable?
First of all, can the hostility. This is not about yer manhood.
Second, this really isn't Apple's fault. It is the fault of their vendor that made the card and wrote the software driver for it. One of the main arguments of the "Windows fanboys" is that driver issues are not Microsoft's fault and that environment richness is one reason why they shouldn't be totally blamed for instability.
Well guess what? So that particular bug finally bit Apple. Do ya know what we'll do? Take our new wireless Mighty Mice and go to the Airport menu on the menubar and turn Airport off when we're not using it. Apple will undoubtedly issue an update to fix it any second now...
And in response to another comment made in another earlier post - Mac OS X does not enable root by default. These guys were very imprecise as to what they mean by total control. They also don't explain what they mean by "not quite default settings". So how IS the target Mac configured? Did they change the default from "ask permission before logging into open network" to "login automatically?" That makes a difference! Plus, the current user may not be logged in as an admin. Do they mean they can get admin rights even if the current user isn't? Or do they mean they can get total control of the machine under current user privileges? They really don't explain, leading me to conclude that they aren't that familiar with OS X, or aren't concerned with details, just grandstanding for headlines.
Yes, this IS a serious issue, but I'd like a few more details of how the target was configured and just what they mean regarding gained privileges, given that root is NOT even activated by default in OS X.
"Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
This is not a Mac/Windows/Linux/whatever issue. It is an OS architecture issue.
This exploit is yet another reason why drivers should be run in user space. I can't think of a popular OS that does this universally... Linux has nooks, which is not the same thing, and Vista is going to run some, but not all drivers as services instead of in the kernel. Network drivers have traditionally been run in kernel mode for the sake of performance... When is security going to trump performance as a design goal in the major OSes? Enough is enough I say...
Well, the "spin" was really a result of the way the discoverers demonstrated their findings.
The flaw was found in a number of wireless drivers; they purposely chose to demonstrate it (in their video, which I haven't been able to find on the web anywhere) using a MacBook, because of that "aura of smugness."
Apparently their biggest complaint is those Mac/PC Apple ads: "'We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,' Maynor said." (That's from the Ars article.)
So really, while the vulnerability is pretty much platform-independent, the discoverers chose to use a Mac as the demonstration platform because of its reputation for security. In terms of publicity generation, it was probably a smart move: "Hack a MacBook in 60 Seconds" is going to get them a whole lot more press than "Hack a Dell Inspiron B230 in 60 Seconds."
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Now that all the bashers have had their fun, can we acknowledge that there is no such thing as a 100% secure computer of any sort as long as it is connected to a public network. I know it is not as fun, and takes the joy out of OS/hardware parochialism but it is true. As well, the behaviour of goofy users is neither Bill's, nor Steve's nor Linus's fault and there is not much they can do about it.
I have run Windows machines since 3.1 and DOS before that and never had a problem. On the other hand I have shown people (relatives, friends etc) how to secure and maintain their machines and the next week I find them back to doing their own self-defeating behaviours.
Someone found an exploit. Whoop-de-do. There will always be exploits found for all systems that people can screw with. There is almost always a way to secure against it. Almost always a large group of users ignores what is good for them and their machines and gets burned. Frankly, the platform matters less when it comes to these things than the user's behaviour.
Hmmmmn, while I agree that OpenBSD's security is superior to Linux's in almost every way, I've never really understood the POV of someone who feels superior for using an O/S (Theo has the right to be smug tho')
I think a little smugness could be allowed, when a lot of people just put up with the wrong way of doing things, or put up with being trodden on by vendors, when the vendors should be at OUR mercy when it comes to their success. A few people (the smug) demand things be done right, securely and openly and then a few people (blind Linux fanboys, not to be confused with reasonable Linux users) put Theo down for standing up for what he believes is right.
Now that blobs are showing how bad they can be, I think Theo and the people who support his stance, can be forgiven for being a little smug, especially when some people were putting him and his ideals on this matter down.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
So these guys take a third party USB wireless card,
on a MacBook of unknown status,
connecting to a specially scripted AP,
and get owner privileges.
Cuz this happens any time you use a Mac.
Oh, and thanks guys for the admonition about proper testing. We'll have to write that one down.
And for pointing out that wireless means there are no wires and you can sit in other chairs.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
These two "hackers" seem quite sheepish and frustrated. Why are they attacking the Mac user-base when it's not the users that are the problem?
One 'hacker' claims, "We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,"
Users? Why is he picking on users here? The people featured in these ads are ACTORS hired by the marketing and advertising departments of Apple. Nothing at all to do with the user base.
"Mac userbase aura of smugness on security,"
I don't think the 'smugness aura' is generated by the user base. It's Apple's marketing and PR that make claims of being secure and virus free. Do they really think that an average user would come up with something security related on their own? No, they just regurgitate what they hear from these ads.
Maybe some day these guys will grow up socially and learn how to pick their battles. They are attacking the people that they should be trying to win over. They should instead be bringing the fight to the faceless corporations.
Apple 'leaned heavily' on the presenters to make them use a different card.
Ignoring the fact that nobody knows what "leaned heavily" means, I think perhaps these folks have something against Apple. Quoth TFA:
"...if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something..."
From the original article by Brian Krebs:
The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system.
This is false. He either didn't see the video and was relying on the word of Maynor and Ellch or he does not know the difference between a third party wireless card and a built in airport card.
From Brian Krebs's subsequent article trying to explain the discrepancy:
During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers.
This is completely inconsistent with what the original article said and is also inconsistent with these quotes from the "leaned on":
Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."
"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,"
Krebs is an idiot or is still taking the word of a source that has already lied to him once. This is not journalism's finest moment.
Sadly true, though it's just as true that as long as you're alive on planet Earth, you're not safe, either.
Get off this whole "my OS is more secure than your OS" crap.
But, um, some OS'es *are* more secure than others.
Realize that you are vulnerable and take the correct steps to protect yourself.
I'm curious to know what "correct steps" you have in mind.
If it's "use an antivirus scanner", that's a retarded or at least suboptimal strategy, because antivirus scanners are of course imperfect (they'll never make you perfectly safe, either), and at any rate all they do is patch over the fact that an OS that needs them has a fundamentally flawed security model.
If it's "disable all the services you're not using", that's a pretty retarded strategy, too, because they should have been turned off by default, and the advice should really be phrased "don't enable anything you're not using."
For me, one of the biggest "correct steps" is, "use OS'es that take security seriously and have a decent security model". So of course I don't use Microsoft OS'es. I'm sorry if that's an example of the "my OS is more secure than your OS" crap, but really: it's at least as valid a strategy as "use an antivirus scanner".