Slashdot Mirror
Less Than a Minute to Hijack a MacBook's Wireless
Kadin2048 writes "As reported by Ars Technica and the Washington Post, two hackers have found an exploitable vulnerability in the wireless drivers used by Apple's MacBook. Machines are vulnerable if they have wireless enabled and are set to connect to any available wireless network, fairly close to their default state, and the exploit allows an attacker to gain "total access" -— apparently a remote root. Although the demo, performed via video at the BlackHat conference, takes aim at what one of the hackers calls the "Mac userbase aura of smugness on security," Windows users shouldn't get too smug themselves: according to the Post article, "the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS." Ultimately, it may be the attacks against embedded devices which are the most threatening, since those devices are the hardest to upgrade. Currently there have not been any reports of this vulnerability 'in the wild.'" According to this story at ITwire.com, they were able to exploit Linux and Windows machines, too. (Thanks to Josh Fink.)
And in the background we hear 1000 Mac users screaming in horror...
"Oh boy"
My Powerbooks is safe. Apple is so much more secure than ^.#$ pwned u n00b wahaha
There are shills on slashdot. Apparently, I'm one of them.
Does this exploit run on Linu......
never mind.
My reality has been shattered. Macintosh computers have been found to be less than perfect! Time to install WinXP.
- i'll get me coat! -
Why Centrino, Apple? Wasn't the existing Airport hardware, a known quantity, good enough?
Theory and practice are the same in theory, but different in practice.
Also, christ, I'd say they're being pretty responsible about it.
[insert witty comment here]
In related news, there is an article at ITWire about Intel admitting to a security flaw with their wireless technology as well. Check it out at http://www.vnunet.com/vnunet/news/2161539/intel-ad mits-centrino-wi
-- Josh
"Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
This exploit is OS independent. How is this in any way indicative of Mac user smugness? Are they so smug that they made Windows and Linux boxes explotable too?
In the video he uses a third party wireless card. Are other cards, such as the built-in card, similarly vulnerable?
I pretend to know more than I really do by mooching off google and wikipedia.
Even more disturbing, IMO, is the suggestion in the article that Microsoft will become the ultimate arbiter of device driver safety in Vista, by preventing device drivers from being loaded that they haven't checked out and approved.... because we all know that Microsoft are the experts when it comes to detecting and correcting software vulnerabilities.
Seeing you can't be bothered reading tfa to find out that they haven't discolsed & gone to some trouble to ensure the vulnerability's details weren't leaked, I'll quote the relevant sections for you:
and:
One last quote for you (just 'cause its funny):
There are shills on slashdot. Apparently, I'm one of them.
From hearsay, there was a third party wireless device used which was hacked into; at least this has been reported in the Ars comments and elsewhere. Who would use this in everyday life (yes, I know exceptions etc.; but it is the "Apple security flaw" discussion right here).
If the flaws are in Apple's drivers, why did they need to plug a 3rd party card into the MacBook? What user would ever plug a 3rd party redundant wireless card into their computer? Presumably, if they could hack Apple's drivers they wouldn't need the other card. All this video shows is a 3rd party wireless card with crappy drivers.
When Mac OS is no OpenBSD, but its comparable to every other operating system in terms of security. People don't use Macs for security, well the average ones anyway. There is a misconseption that they are more secure, but even if apple was the least secure OS (os9 anyone), they are still easy to use and full of features. Macs are about what you can do and not how can you do it. In this case, you can do a remote root exploit! The difference is that apple will patch it as soon as they can just as linux developers tend to do. Microsoft would put it off to magic update day.
I should explain the os9 comment. Classic didn't have a serious permissions model so anyone could do anything with it. There were few remote holes since there were only a few possible services in later releases. (web sharing, afp, usb printer sharing)
MidnightBSD: The BSD for Everyone
I would imagine this would make linux vulnerable via a ndiswrapper and windows driver setup given the driver you use is closed source making you more at risk. If this is incentive to no longer "put up with" a ndiswrapper solution, then make sure you buy a open source supported wireless card.
-- Cheer, Cheer, The Red and the White.
Some of these look pretty serious, although there's not exploit circulating yet:
Intel information about affected drivers
Fixes can be found here
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
'Not publicly disclosed' here means the exact details were not given. And I'll give you that they went through some trouble to make sure people couldn't hack his presentation and get the info they need.
But they WERE given a huge helping hand here... They now know that a vulnerability exists, that it's possible on 3 different platforms, and that that it deals with wireless drivers in 'connect to anything' mode. Wow. If I had just a bit more ambition and a tad more skill, I'd be looking for that myself to have some fun with it. Anyone more skilled (and inclined) than me is already working on it. Expect to see results within a week from some blowhard that can't keep his mouth shut.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
One should probably mention that they exploited 3rd party drivers and not the ones that the MacBook actually uses.
And I was joking about this on a security mailing list yesterday. I mean, come on: 3rd party drivers that nobody is using anyways because the ones you get with the system are perfectly ok? What's next? Writing the exploitable drivers yourself?
Assorted stuff I do sometimes: Lemuria.org
Requests for testing have been sent to the guy in California who were rumoured to have gotten it running though.
"" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
The difference in capability between the Macbook Pro and the Powerbook is enough to convince me that Apple made the right decision. I can only sit and stare at a spinning beachball for so long.
Slashdot - where whining about luck is the new way to make the world you want.
Well, this argument, being used toward Linux users or Mac users, has to stop. We all know that there has been flaws in linux kernel, Mac OS X and windows XP. They are known, thay are published and for most of them corrected. We all know there are more, waiting to be discovered.
BUT, and you'll notice this is a capital 'but', I have never seen a worm propagate across linux computers (I don't know for macs, I'm not a user of these). I mean, in the 98 era, windows computers were plagued with these. In the pre-SP1 era too. I have never seen a *single* self-propagating thingie for linux. The first one to do such a feat would get a lot of credit in the "scene" (if such a thing still exists). I, for one, believe that the security design of the OS is not stranger to this clean record.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
"I just need another minute to get into the mainframe! Just give me one more minute! Where's the van?"
MacBooks use different wireless drivers (because they have Intel wireless chips). Your Powerbook has the old Airport card; unless there's also a similar flaw in it, it's safe.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
...and people still wonder why we say "open-source is better."
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Two important facts: Nobody has actually seen an active exploit; there is only a video available. Quite obviously anyone can hack into a Macintosh if it is prepared in the right way, for example by turning file sharing on and allowing everyone in the world access. More important, the video should a Macintosh notebook with an external wireless card. Now how many Macs have an external wireless card? For several years, all the notebooks have been shipping with built-in wireless connection, including the one in the video.
I would suspect that the problem is that a wireless connection can be created without knowledge of the user, and a user who has a Macintosh that was made vulnerable but should be safe because it has no network connection would unexpectedly be unsafe.
What about the SSL worm from a couple of years back? I had at least one linux server rooted by that at the time.
http://michaelsmith.id.au
Um... Intel? It makes sense that now the CPU hardware is Intel... that the /other/ hardware is, well, also Intel. And I'm sure you know Centrino is Intel's technology...
"For everything, there's Rupees. For everything else... there's Master Sword."
This actually proves the case for ONLY open source drivers on Linux, and integrated with the kernel. If the h/w vendor wants to support established protocols and differentiate on price and quality, fine. Else, Linux is better off without such dubious vendors spoiling the brand.
And BTW, there ought to be a simple method to avoid Loadable Kernel Modules, and stick with statically linked and built ones, for reasons of security.
Linux rather be Not Yet Ready for the desktop, rather than joining the Desktop bandwagon, and becoming yet another Patch --> Update --> Service Pack --> Antivirus --> Unstable kind of a desktop OS.
If you keep throwing chairs, one day you'll break windows....
Look for more information on the ISC Web site. Bottom line is this is not an OS issue, rather a "firmware/driver" issue.
It's not Centrino. Centrino is the name given to Intel's package of Motherboard chipset + wireless chipset + Processor. The new Apple machines don't use an Intel wireless card. They use Intel's chipset and Processor but not their wireless card. This does not make them Centrino machines.
To be specific the new Macbooks/pros use a Atheros 5006x. This is in comparison to the powerbooks that use a broadcom based card. So Apple doesn't use Centrino.
Well, this is not quite an exploit you can drive a Mack truck through, but it is pretty serious. The fact is anyone who wants to make use of such exploits has already been working on it, and this might prove to be another piece in the puzzle they've been working through. There are no doubt hardware hackers who've thought of this, and the only useful bit to them is that they can use it to attack multiple platforms.
GetOuttaMySpace - The Anti-Social Network
"they have a VIDEO!!! to prove it and they are going to show it, uh, someplace."
In theory you have a point, but
it wasn't "someplace" but Black Hat US 2006.
The actual video is here.
MySQL, Apache, SSL (including ssh) and many other products were prone to viruses (or virii) and many worms were released for those, infecting millions of servers (both *bsd and linux) in the past. Now the fact that you use your linux as a desktop does not mean any other use of the OS wasn't exploited. You're just firewalling correctly and not installing MySQL...
Of Code And Men
Ah! I knew I would learn new thing by making such a risky assumption :-) Well, now we can make statistics, there are 25% of linux servers out there and 3% of desktop machines (according to wikipedia, itself citing IDC). What portion of the pests do we get ?
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
They did this with a third party wi-fi card and third party drives. MacBooks do not ship with these cards . Apple do not sell these cards. The MacBook "Airport" wi-fi is not open to this attack. This is completely bogus. Just a cheap way for them to get attention saying that they've "Hacked the MacBook" Whoop-de-doo. No story here.
In other news, America's security open to attack with thousands of illegal immigrants cross the borders every day.
Reading the TFA, it actually seems that it was not the "MacBook's Wireless" that was hijacked, but rather an external card plugged into a MacBook. By that standard, I may as well run around and declare "Less Than a Minute to Hijack a Power/i/Book/G3/G4's Wireless". Granted that would be FUD, and a sensationalist headline that doesn't accurately reflect the story, but I could do it....
Yes, some Mac users are smug (myself sometimes included), but in this case, one side is guilty of being "smug" and the other of spreading FUD. Take your pick.
-maz
The real litigious bastards...
In other news Apple have moved to make Macbook pros safer. ;)
dnuof eruc rof aixelsid
What are you doing with the other hand?
"I've got more toys than Teruhisa Kitahara."
Maybe It's worth mentioning that instead of the internal airport device they cracked an external USB Wireless Device attached to the MacBook which is IMHO not "fairly close to their default state". (Although that does not tell us anything about the security of the MacBook's airport)
My God people do some research. These guys used a 3rd party card because they don't want to reveal what hardware is vulnerable. As for operating systems, the one (and only) reason they chose to use a Mac was for shock value. Windows and Linux are both vulnerable, though if there are any exploits you can bet good money they'll be on Windows and not Mac OSX or Linux.
This is disgusting. No matter how many stories you run about Mac OSX and how it "really isn't secure" two facts will remain:
1) It's more secure than Windows. There are both less flaws and less exploits. It doesn't matter why, it's still true and, most likely, it will remain true for a long time to come. It's difficult to prove which has less flaws because neither is open source, but I think all of you, no matter how devoted to Microsoft you are, know deep down what would happen if both systems went open source tomorrow. It's very easy to prove which has less exploits, and it makes no difference whether that's because of less flaws, a different user base, a smaller user base, or some combination of the three because the net effect is a safer OS. Even if you disagree with the statement that OS X has less flaws on the basis that you believe it is secretly harboring more crappy code than Windows my second argument still holds.
2) There are almost never any malicious programs of any kind spread among Mac OS X users, unless you count people sharing copies of Windows XP to be installed with BootCamp. This may change in the future, but I doubt it.
Haiku for you!
FUD tag on this story in 3..2..1... oh no wait - this is it.slashdot.org not apple.slashdot.org - maybe it will pan out differently; - this Apple exploit was on the front page for starters which strangely never happens with exploits listed in the apple section for some reason...
You may notice that one of the guys was in CS grad school. He's presenting results at a conference. His academic credibility is on the line.
Not actually demonstrating your methods while presenting them at a conference is pretty common in other disciplines where it's really hard to lug around an X-ray diffractometer or the New Guinea Urungwi tribe. In CS it's different, but I think the risk of interception is a pretty good excuse.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
The safest computer known to humankind; has wireless support and great security features.
The ppp-powerbook!
http://en.wikipedia.org/wiki/P-P-P-Powerbook
This is not a Mac/Windows/Linux/whatever issue. It is an OS architecture issue.
This exploit is yet another reason why drivers should be run in user space. I can't think of a popular OS that does this universally... Linux has nooks, which is not the same thing, and Vista is going to run some, but not all drivers as services instead of in the kernel. Network drivers have traditionally been run in kernel mode for the sake of performance... When is security going to trump performance as a design goal in the major OSes? Enough is enough I say...
Well, the "spin" was really a result of the way the discoverers demonstated their findings.
The flaw was found in a number of wireless drivers; they purposely chose to demonstrate it (in their video, which I haven't been able to find on the web anywhere) using a MacBook, because of that "aura of smugness."
Apparently their biggest complaint is those Mac/PC Apple ads: "'We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,' Maynor said." (That's from the Ars article.)
So really, while the vulnerability is pretty much platform-independent, the discoverers chose to use a Mac as the demonstration platform because if its reputation for security. In terms of publicity generation, it was probably a smart move: "Hack a MacBook in 60 Seconds" is going to get them a whole lot more press than "Hack a Dell Inspiron B230 in 60 Seconds."
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
First, the very FIRST worm was a worm that propogated on a flaw in sendmail. Second, you must consider that a worm doesn't have to propogate on 10% of machines just once. every time it spreads, less than 10% of it's targets are acceptable. this has an exponential limitation on the spread of the worm, not a linear one. If you had chosen any type of problem other than worms, your statement would have been valid. (trojans, standard ride-along viruses, spyware, adware). those are valid things to point to, but not worms.
Expect to see plenty of post below, with this exact attitude. Many will begin by saying "This is not a virus" or noting you need proximity to take advantage of this flaw.
Don't exepct all Mac users to be as dumb as the Apple marketing people who started playing the "Macs are more secure than...." card without checking with the nerds in Apple's development division first. If they had bothered to do so they would probably have been told that is not a good idea. That whole Get a Mac ad campaign acutally makes me wonder how it got past people like Steve Jobs who should know better than to approve ads some of whome will utlimately end up embarrasing Apple. This flaw is only news because securityflaws have become so common in Windows that people have stopped wasting energy and time paying any attention to their exact nature when they are announced and go directly to downloading the 30 Mb+ patchcluster from update.microsoft.com and just for once OS.X has a similar flaw. That doesn't happen all that often but when it does it's news.
Only to idiots, are orders laws.
-- Henning von Tresckow
Maybe the switch to Intel wasn't such a good idea. It seems that while it has allowed me to run Windows on my Mac, it has exposed this abilitly to every Tom, Dick and Harry, too. And Apple scrapped Airport for the Intel wireless chipset why?
"fairly close to their default state" -- two problems with this
1) This exploit isn't based on the drivers that Apple ships -- they're third party
2) Even if they weren't, default state versus non-default can make a huge difference depending on what is changed. OpenBSD (secure by default) can be made as insecure as any other OS if you stray too far from the defaults
But according to Maynor and Ellch, this attack can be carried out whether or not a vulnerable targeted laptop connects with a local wireless network. It is, they said, enough for a vulnerable machine to have its wireless card active for such an attack to be successful. That's a trivial demand, given that most wireless devices embedded in laptops these days are switched on by default and are configured to continuously seek out available wireless networks.
I'm a bit of a n00b when it comes to wireless networks, but isn't this the type of thing that can be protected against by having some sort of network encryption or password protection, etc.? The same that is warned about when you set up a wireless network--you have to make sure to change the default password to keep people getting on your network--you would protect yourself from any network you connect to from taking a peek at your hard drive? And then it sounds like this same exploit is doable on ANY machine with a wireless connection that continually "pings" around looking for networks, so why pick on the MAC?
Is this really such a big deal (except to those who don't do anything security-wise with their computer)?
If you've never been modded as "flamebait" or "troll," you've never tried to argue a minority viewpoint here!
They hacked a wireless driver, not the OS. Just makin' a point. And the "macheads" never claim invulnerability of the OS, just that it's far mopre secure.
I love all the PC phanbois comments on that article at Ars.
Bottom line: if you are a Windows fanatic, you must love being anally raped on a continual basis. Windows is shit. Period.
"Currently there have not been any reports of this vulnerability 'in the wild.'"
Now that its been posted on Slashdot, there will be by the end of the day.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
Great, so we found a linux worm. Now somebody try to find one for OS X. I'll wait.
Oh, and the Oompa Loompa trojan doesn't count, since it required user input just to get the thing on the Mac, much less run it, and it didn't actually do anything (and if it had, it would have only affected Bonjour-connected computers, but somebody didn't code it right). In any case, not a worm.
People are screaming that because of this, Mac OS X is not secure, but I beg to differ. One model of computer hardware has a bad driver, that's all. It'll be fixed, much sooner than most other OSes, and nobody will remember this in a month. And yet years later, we still remember the ILOVEYOUs and whatnot. If anything, we forget about windows exploits because they all sort of run together.
-mrxak
Onions Will Kill You
check Security Fix:
During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.
check Security Fix:
... )
During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.
( Looks like Apple was wielding a big stick
no... i have a macbook pro and used to have a powerbook g4. i get almost double the wireless range.
They didn't, the MacBook does not have Intel wireless. Just look at any disassembly pictures, it has an Airport PC Card inside.
I just bought a MacBook! It looks like there is someone attempting to standardize development of viruses to run across multiple platforms! Next thing you know, they may use Java inside the rootkit because of its famed interoperability! That massive download spike you're seeing is the loading of the latest JVM. One question - I have BOot C@mp installed and am wondering if someone can hack into that even though I'm currently not even running that OS. Now that would be sweet!
This sig donated to Pater. Long live
1. It was done on Video, not Live. Show me the code. I want to see this "OS independent" remotely exploit any Wireless card in Promiscuous AP mode.
I want to see this work on Linux, for that matter.
2. It requires your system to be setup to automatically associate with all non-password protected APs. This is not a default setting, either; and none of the Mac users I know run their systems on this setting.
People DO tend to run their systems on "Alert me to all unprotected wireless access points", but that's all.
I don't see why everyone is so willing to accept this vulnerability. Their talking about attacking Atheros drivers on Windows, Linux, and OS X, with at least three independent driver teams working on them, with the Linux one being opensource (Madwifi). Furthermore, I don't see how you would get the same three driver stacks to exhibit the same buffer overrun to root-level excutable code, particularly a locked down Linux.
It's not protecting anyone to hide this vulnerability. Releasing the information now would prove whether or not this is real, and would permit quick resolution to this problem, particularly for the MadWifi people.
Until there's more information, I don't believe it. Even if I did believe it, without any details there's no effective way for me to protect myself. If the attack requires associating with an AP, most systems are not vulnerable. If the attack simple requires scanning avaliable APs, then every system out there is vulnerable unless Wireless is entirely disabled. Either way, it's stupid not to release the details, and reeks of more "Mac's aren't safe! See! Buy Norton Antivirus for the Mac!".
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
I disintegrated a car with my mind!
I have it on video!
Of course, I weakened the car's frame with a blowtorch... and the car was packed with explosives... and there was the whole "lit fuse" thing... but still! I disintegrated a car with my mind. Some anonymous guy with a video says so!
If it was a buffer overrun in the programming language C, then we humans ought to stop using C and move to safer languages; or use a C dialect which is safe, like Cyclone.
http://jwz.org/images/iProduct.gif
...
'nuff said.
yeah, I have a mac. No, I didn't buy it myself. No, I don't have an i{whatever}. I like my iBook because it runs UN*X with no tweaking required beyond initial setup. It behaves like a consumer desktop OS (read: runs MS Office for work-related junk) when I want it to, and behaves like a BSD workstation (read: transparent terms, decent package management and all the CLI and OS tools I expect a real workstation to have) when I want it to. Basically, it Just Works, which has become a major feature for me the past few years
illum oportet crescere me autem minui
Now that all the bashers have had their fun, can we acknowledge that there is no such thing as a 100% secure computer of any sort as long as it is connected to a public network. I know it is not as fun, and takes the joy out of OS/hardware parochialism but it is true. As well, the behaviour of goofy users is neither Bill's, nor Steve's nor Linus's fault and there is not much they can do about it.
I have run windows machines since 3.1 and DOS before that and never had problem. On the other hand I have shown people (relatives, friends etc) how to secure and maintain their machines and the next week I find them back to doing their own self-defeating behaviours.
Someone found an exploit. Whoop-de-do. There will always be exploits found for all systems that people can screw with. There is almost always a way to secure against it. Almost always a large group of users ignores what is good for them and their machines and gets burned. Frankly, the platform matters less when it comes to these things than the user's behaviour.
It's as thought 1000 fanboys cried out at once "We're more secure than windows" and were suddenly silenced.
Full Disclosure: I use a G5.
Assuming it's a firmware hack that pop's the kernel module in LINUX (when trying use this exploit on a LINUX system as opposed to a Mac), would the vulnerability be stopped by any of the ACL controls that RedHat/Fedora have been using?
Infoworld newsclipping on Intel releasing the patches...w irelesspatches_1.html
/ cs-010623.htm
/ cs-005905.htm
http://www.infoworld.com/article/06/08/02/HNintel
For the impatient, new drivers are here...
http://support.intel.com/support/wireless/wlan/sb
And you can double-check what adapter you've got, as long as it's an intel anyway, with the utility here...
http://support.intel.com/support/wireless/wlan/sb
Sweet - that means you can be exploited at twice the distance!
"But this one goes to 11!"
Well the linux worm was affecting Apache. I suppose it would also work on apache on mac...
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Ok, the fact that you can connect to a wireless set to access ANY accesss point, that's nothing new. The exploit is the issue...and from what I have seen, it's not just Mac's with the issue.
Gorkman
So the delivery system is invalidated because there's no payload?
Thank god you're not in charge of security.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
check my post just above yours. Post there and on several other news sites. A macbook by default is vulnurable, its just that Apple was wielding its "beat stick" and told them not to demo it on the internal wireless card.
No fix yet.
Call me old fashioned but this is exactly why I don't use Wireless. I will stick to my Ethernet cable thank you.
Any else old fashioned and prefer to stick to Wired Ethernet over Wireless?
\
Hi, I'm a Mac I don't get viruses and you can do everything that you want with me Hi, I'm a Mac, I realize that you didn't turn me on, I've been posessed...but you still don't have a virus. Hi, I'm a Mac, what do you mean I was hijacked and someone installed a virus on me..but..but..Windows has a virus too!!
http://it.slashdot.org/comments.pl?sid=192988&cid= 15839338
Yeah, that's also why all those hacked servers always run Apache, right?
Claiming that it's only because less people use Macs is bullshit.
Actually, it's not uncommon in CompSci conferences to only present rigged demos. Most conference papers, however, are peer-reviewd before they are accepted[1]. One common question on the review forms is whether a grad student could implement the presented idea based solely on the paper.
[1] In many other disciplines it is the other way around; the conference presentation is part of the review process, and papers presented at a conference may not make it into the printed proceedings (in which case they can't be referenced and do nothing for your academic reputation).
I am TheRaven on Soylent News
Never encountered that term before.
http://en.wikipedia.org/wiki/Binary_blob
"a binary blob is an opaque binary object for which no source code is available."
i guess thats more fun than saying "precompiled binary"
I'll just use my special getting high powers one more time...
Linux Worms
Just because Apache is secure doesn't mean that the Mac is also secure.
It's a truth that more people will try & hack something more widely
used.
/ducks
[Fuck Beta]
o0t!
Well that's good to know! I wonder why it's not a problem with other airport cards, then?
It is a "Mac/Windows/Linux/whatever" issue. Those operating systems choose to use binary only drivers that can be full of obvious security holes because they were written by hardware guys who kinda know some C, instead of by experienced, security concious developers. Using the reverse engineered open source driver from openbsd completely negates this exploit, because the openbsd developers don't write shit code. Shitty code that you can't even see or change is the problem, not running device drivers in the kernel (where they belong).
The delivery system is invalidated if the thing completely fails to spread itself on its own, and if you manually download the thing yourself you still have to click through two warnings and enter an administrator password.
-mrxak
Onions Will Kill You
That isn't what I said, either. I was pointing out that obscurity does not mean that people won't try to hack you, especially since right now, writing a Mac virus gives you about a hundred times more exposure than writing a Windows virus (everyone's done that already, nobody cares anymore).
Macs are more secure than windows boxes. They aren't perfect, but you can't attribute the fact that there are no real exploits to only their market share.
I'm curious.
This "Fact" you say exists... What evidence do you have to support this fact?
Are you sure it's not merely your opinion?
Why would it change?
Apple, for all that it's putting out nice, desireable machines, is still a niche market. Why take the time and write a real in-the-wild exploit to only hit 3-4% of the market? Nobody who cares about writing successful exploits cares about proving Macs to be insecure.
Why go for a relatively undocumented OS on a small niche system when there's a massively popular, well documented OS with lots of avenues to exploit?
Chas - The one, the only.
THANK GOD!!!
Sorry, no. Not any notebook. Ones running OpenBSD are not vulnerable because they wrote an open driver rather than using a closed binary blob from the vender like other OS's like to do.
So these guys take a third party USB wireless card,
on a MacBook of unknown status,
connecting to a specially scripted AP,
and get owner privileges.
Cuz this happens any time you use a Mac.
Oh, and thanks guys for the admonition about proper testing. We'll have to write that one down.
And for pointing out that wireless means there are no wires and you can sit in other chairs.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Yes, everyone is safer with an exploit only known to the underground crackers. I guess you truly believe in what you do not know can't hurt you. For every group that comes forward with a crack, they very well may be 10 groups that have been actively exploiting this very same thing and have NOT come forward. Some people derive their excitement, fortune, and notoriety by reporting flaws and others get the same thing by using and exposing those flaws. Are you really willing to take your chances on what percentage of each exists?
Bad boys rape our young girls but Violet gives willingly.
It's easier to propagate when there are more hosts to infect. It's as simple as that. On top of that, why target x machines when you can target y machines (when xy).
Support a great indie game: http://www.abaddon360.com
Kids: PC's are owned through Windows. This is a fact. Own a PC, get hacked, this is the way it is.
Macs are so secure that A STORY about a third party wireless carded being hacked gets national-level coverage.
The PC owners rejoicing over the Mac's equivalence to their vulnerable platforms are being ridiculous. The quantifiable risk ratio between operating a Windows laptop and a MacBook is practically infinite, as there are no known virii for MacBooks, no known owning of MacBooks, no known security risks in operating a MacBook. At this point, hackers are well aware of a large installed userbase for Apple products, and certainly would attack them. If they could. Obviously they can't.
Silly people. Don't forget to run your virus and spyware checkers today. And back up your data, you never know when the bad guys will nail your hard drive in new and exciting ways through yet another buffer overflow in Windows.
The article doesn't specify precisely, but it does imply that the target computer must be set to automatically connect to open access points; and that it doesn't actually need to connect to be affected.
The problem with this is that neither Windows nor the Mac OS will automatically connect to unknown networks by default. Windows will prompt you that "Wireless networks have been detected," while the Mac OS will prompt you that "None of your favored networks has been detected, would you like to connect to [xxxyyyzzz]?" Neither OS makes the connection until you proactively choose to connect. This means that they are NOT "...configured to automatically connect to any available wireless network." (to quote the article.)
Yes, both OSes can be set to connect automatically, but your average end-user is not going to have the technical know-how to set this. Which, ironically, means that this exploit is more likely to affect power users. (None of my computers are set to connect automatically.)
BUT, this could potentially be gotten around. Of course, it doesn't say exactly how the exploit works; but if the attacking computer broadcasts an SSID of 'default', 'linksys', or 'actiontec', they could likely get a noticeable number of computers, just based on the fact that many user's access points use these default names, so their computers would be set up to connect to those SSIDs without confirmation.
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Not what was said and you know it.
The exact wording was "XXX doesn't count because it doesn't do anything", not "XXX doesn't count as it's almost impossible to execute".
Even taking your point into account, if the delivery system has the distinct possibility of someone (even an idiot) being able to accidentally trigger it, as was the case, it's still an attack vector and still needs to be taken into consideration.
Again, and again, and again: "There's no such thing as a secure system".
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
The point here is that they had already reported it to the developers of the products affected. Announcing it to the world only allowed them to get their jollies. It didn't make any computers any safer. It did, however, give valuable insight for hackers that had not yet got around to exploiting that issue.
I don't deny that it is likely others had already figured this out. I do not deny that 'security through obscurity' gives a very false sense of security. I'm only saying this:
If I have a hidden safe in my house and I look rich, people will think that maybe I have something valuable in my house and someone will probably try for it eventually. But if I post a notice that that my hidden safe in my house has a vulnerability, thieves that would never have considered my house as a target will now, and those who already considered it a target will want to act quickly. And if I told that that the vulnerability showed up only under certain circumstances, and named those circumstances, they are even more likely to find the problem before I get my security company to fix it.
Tell everyone my safe HAD a vulnerability, but it's fixed... That gets the same good attention and none of the bad.
In short: They spoke too early. They should have waited until the devs had a chance to patch the flaw. If the devs hadn't fixed it in a reasonable amount of time, then it's time to go public and make sure they have a reason to fix it. That time hadn't come.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I don't think that there's ever been any really good clarification on exactly what you need to do to be vulnerable. In one of the articles, the original Washington Post blog post, it says:I'm not sure I'd draw the conclusion from that either way, that you have to connect or that you just have to be broadcasting an SSID.
Even if you do have to connect, it's still a fairly severe vulnerability (although less so than if you just have to have the radio turned on) because people aren't used to the idea that connecting to a network can compromise their computer. Compromise the information you send over it, sure; but actually hose your system, just by virtue of establishing the connection, with your computer fully firewalled? I'm relatively paranoid and I've never really considered that possibility until now. At the least, some new and much more severe warnings than the current "untrusted network, do you want to connect?" messages would have to be presented to the user.
Plus, even if you have to connect, it doesn't seem like it would be very hard for an attacker to pose themselves as a legitimate AP. Let's say you go and sit in a webcafe somewhere and change your SSID to "TMobile" -- the same SSID used by TMobile Wireless Hotspots. There's no way for a user to know whether they're connecting to the legitimate access point, or the one that's going to fuck them up. Particularly if you use a wireless card that's been modified to transmit at a higher-than-legal power, an attacker could just spoof a legit AP's SSID and MAC address, and just transmit on the same channel and overpower it. I can think of a lot of ways to get people to connect to an access point, and not all of them are trivial to work around. How do you verify if an access point is legitimate when everything you know about it can be spoofed, and when in order to get any more information, you have to connect and give it an opportunity to compromise your system? Just telling people not to connect to untrusted AP's is not a solution, because unless you're in a Faraday cage with a single AP that you set up yourself, all APs have to be treated as untrusted until you log in and verify cryptographically that it's the one you think you're connecting to. (Via some sort of robust authentication.)
I think it's important not to blow this discovery out of proportion, but I think there's a certain tendency to understate things, and try to minimize them. That's dangerous, and shouldn't be done -- this is a pretty serious problem and people need to be aware of that, so that enough pressure is put on the manufacturers to fix them, and more importantly, fix the processes that led to the creation of the structural vulnerabilities in the first place.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Note that if you research the article a bit, you'll find that the "researchers" didn't hack the MacBook through the built-in wireless adaptor, they actually used a 3rd party wireless card plugged into it. They did it on a Mac just for the publicity storm they hoped it would generate (and lookie here, they were right).
So all the crap about "Oh oh, now your Mac is just as insecure as a Windows Box" is really, well, wrong.
And researchers deserves the double-quotes in my opinion; anyone with a nickname like "Jonny Cache" seems a bit silly to me in the first place.
These two "hackers" seem quite sheepish and frustrated. Why are they attacking the Mac user-base when it's not the users that are the problem?
One 'hacker' claims,We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,
Users? Why is he picking on users here? The people featured in these ads are ACTORS hired by the marketing and advertising departmens of Apple. Nothing at all to do with the user base.
"Mac userbase aura of smugness on security,"
I don't think the 'smugness aura' is generated by the user base. It's apple's marketing and PR that make claims of being secure and virus free. Do they really think that an average user would come up with something sercurity related on their own? No, they just regurgitate what they hear from these ads.
Maybe some day these guys will grow up socially and learn how to pick their battles. They are attacking the people that they should be trying to win over. They should instead of bringing the fight to the faceless corporations.
The "Apple" segment of Slashdot is full of a bunch of stories promoted by bitter Windows/Linux clowns, who don't like the Mac and never will. It's a certain amount of fun to engage with them, and a learning experience for anyone interested in group pathology, but it's profoundly uninteresting to anyone not in the lynch mob.
I use a Windows machine at work. It's okay, you know? Clunky, boring, and at times purposely obscure, but it's okay. I prefer my home Mac, and now that it has a relatively secure UNIX and a processor that will put us on the same starting line as anyone else, I'm looking forward to the plethora of products that will be coming out soon. I'm not interested in being eviscerated for this choice, any more than Linux and Windows users should be put through this juvenile treatment.
This was a set-up, purposely not done with the Apple drivers and chipset, which does NOT have this weakness. Okay, so a lot of people find Apple users smug, and they wanted to tweak us. Okay, fair enough. It is a weakness for any computer when the third-party drivers are developed ad hoc, rushing towards a hardware release date. Bugs develop too easily. Could something be done by Microsoft, Apple, etc., to standardize drivers in some way, so that a different scanner developer, for instance, could just plug in some variables for the new machine and be done with it? Maybe that's naive; or maybe it's something the industry should do, relative to every external device that needs a driver?
Now that's what we might be talking about, rather than looking for a chance to heap scorn on this side or the other.
If the devs hadn't fixed it in a reasonable amount of time, then it's time to go public and make sure they have a reason to fix it. That time hadn't come.
That is a major issue and who determines how much time it enough. Maybe these guys at the presentation know the information is already out there in other circles? Maybe some vendors are refusing to work with them and blew them off or are not even acknowledging a problem exists. Maybe another wireless chip had the same problem and it was fixed. Maybe they were going to release it 6 months ago but waited until now. I don't know, do you? You are just hearing about this today but what would you consider a good time frame or what significant trigger would you consider accepable for the information to finally reach you? I believe we have way to little information and details to determine what a reasonable amount of time is. General information on wireless technology flaws (802, bluetooth, iR etc) does float around in security circles so the concept is not new at all.
Bad boys rape our young girls but Violet gives willingly.
The 3 people on Earth who run OpenBSD on their laptop with a wireless card will be thrilled.
"Nobody who cares about writing successful exploits cares about proving Macs to be insecure."
Um....wouldn't someone out there like to have the bragging rights to say that they were the first to write a successful remote exploit?
A sentence you'll never see on an Internet discussion board: "You know what? You're right."
From the original article by Brian Krebs:
The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system.
This is false. He is either didn't see the video and was relying on the word of Maynor and Ellch or he does not know the difference between a third party wireless card and a built in airport card.
From Brain Krebs subsequent article trying to explain the discrepancy:
During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers.
This is completely inconsistent with what the original article said and is also inconsistent with these quotes from the "leaned on":
Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."
"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,"
Krebs is an idiot or is still taking the word of a source that has already lied to him once. This is not journalism's finest moment.
Reminds me of This quote
Posting to slashdot obviously, doh!
I'm not trying to say that there's such thing as a secure system. But if you look at the facts, a Mac OS X user can be as carefree as they like from Day One. There's just no threats out there. The reasons for this can be debated forever, I don't want to go into that argument. But there is simply no malware out there. If there was, you and I both know it'd be huge front-page news.
The best people can come up with is to attach a third-party wireless device to a computer that comes with so-far-unexploitable wireless capabilities out of the box. It's silly. It's a problem that's infinitely more likely to affect a non-Mac user because the affected hardware is intended for non-Mac customers whose computers didn't come with that capability built-in. Even still, it's a lot more likely this "problem" will be fixed on the Mac faster than a windows computer.
Should Mac users be more worried? Probably. Should they think they're completely immune? No. But right now they have no reason to think that they aren't, because currently, nothing can touch them unless they install BootCamp and boot into windows.
-mrxak
Onions Will Kill You
http://blogs.zdnet.com/Apple/?p=255 "Earlier today I posted a story about about two hackers from the Black Hat conference in Las Vegas and how they supposedly demonstrated how to exploit a vulnerability in Apple's wireless device driver to remotely access and control a MacBook over a network. The story was based, in part, on a blog entry by Brian Krebs at the Washington Post. As it turns out the hack described does not apply to MacBooks as it relies on third-party wireless hardware rather than the wireless cards supplied by Apple. FTA: "Maynor said the MacBook used in the demonstration was not using the wireless gear that shipped with the computer."
Daring Fireball has an interesting article on this. As it stands, it is unclear whether the actual internal MacBook wifi card (you know, the one everyone who owns a MacBook uses) is vulnerable as they used a third-party card for their demo, despite of the fact that all MacBooks come with an internal wifi card.
You don't even have to read the article this time, just look at the site. This vulnerability requires use of an aftermarket wireless card. Who is going to use an aftermarket wireless card on a MacBook with that always comes with built-in wireless?
colds
Cognitive dissonance kicking in yet, MacFans?
Having just viewed the video, I am struck by one thing.
Before starting the attack, he set up the Dell as an AP. Then he went to the Mac AND CONNECTED TO THE DELL FROM THE MAC!!!
He didn't launch the attack from the Dell without having connected to it from the Mac, using a shell he created on the Mac, FROM THE MAC KEYBOARD!
This is bullshit. Anybody with minimal hacking experience can attack a machine that has voluntarily connected to their own.
THIS IS NOT AN AUTHENTIC VULNERABILITY! It is an attack launched on a Mac in order to garner publicity.
If this had been an actual dangerous condition, he could have initiated the connection from the DELL, created the shell, and deleted system level files from the Mac to prove he had admin or root level permissions.
This he did NOT do. He simply created a few files on the Mac (one of which was a TEXT file he called "password" to create a false feeling of a security issue, and then deleted the files, any of which could be done with simple user level permissions.
I repeat, this is BS.
He did not prove admin or root permissions had been obtained, and never stated that he had.
All the connections were started FROM the MAC!!
Sorry, this is just a publicity stunt.
"Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
As long as you are connected to a network, you are not safe. This is true of any OS.
It's also true that there is crime everywhere you go, and that you are not completely safe anywhere you live. But I'd still rather live in ... hmm .. just about any 'peaceful suburb' than, say, Harlem.
Your flawed FUD argument is that "no platform is 100% safe therefore you might as well use any platform". But like crime, security is approximately quantified and expressed best as a probability, not a binary "yes" or "no".
I'll get more worried if these two "hackers" will prove that they can connect to my Mac WITHOUT ACCESS TO MY KEYBOARD. They claim that there is no need to associate the target with an AP, but then proceed to do just that. Since they had previously connected to the Dell through an open Terminal shell (which was left open), connecting to the shell wasn't a particularly difficult thing to do from the attacking Dell, which, by the way, turns out to be the AP the Mac didn't have to be associated with. ?????
I repeat - any script kiddie can access a laptop they have physical access to!
"Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
Thanks
Quit spewing shit.
Just where in the kernel source tree is this binary blob?
Right, it's not there. You can gloat about having a driver, but not about being more secure. If anything, Linux is more secure. You might have a vulnerable driver, but Linux certainly does not!
These cards have processors, ROMs, etc. Yes, they run code, and they control DMA engines.
Think for a moment here. Suppose an out-of-spec packet lets the attacker control the DMA engine. The attacker could write to any location in physical memory.
Not even OpenBSD is immune to such an attack, no matter how perfect the code may be.
Ah, rigged demos.
:-)
I presented a paper at HCC a few years ago about a web UI framework for developing web-based diagram editors. My powerpoint included screenshots for what happened after every click in the user interface, so I could "click" on a button and the next screenshot, showing the result of that click, would appear.
It was obvious from their comments later that a number of people did not realise this was not a live demo, but merely a powerpoint presentation loaded off a USB memory stick
Pretend that something especially witty is here. Thanks.
You people are just stupid. The macbooks pro's all use the same broadcom base wireless chipsets found in ALL Airport Extreme cards. This exploit is on an Atheros based add-on card, not the onboard Airport Extreme. Learn to read.
Stupid?....Unable to read? Or is the problem believing everything you read?
1. MacBook Pros have Atheros built in (not hacked in the video).
2. The add-on card is almost certainly not Atheros.
Those are my principles. If you don't like them I have others. -Groucho Marx
But if you read the follow-up, it doesn't have to be with a third-party wireless card. It's also a fault with the default wireless capabilities. See here.
I mean, I don't mind Mac users thinking they're invulnerable, it's no skin off my nose at all, because I know that I am vulnerable and I take those precautions. But not having a defense plan just because you don't think there's anything to defend against is naive, and the moment that something does happen that can exploit all these unprotected boxes then that's when the trouble will begin.
Apple aren't helping themselves via their own personal mantra of "Mac's don't get viruses", because when a Mac virus does arrive (it's inevitable for the reasons I stated) they'll be liable for all the data that people will lose.
"It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
Omg. Was it too hard to STFW before posting?
Let's get drunk and delete production data!
Oh good, you mean now when I go into a cafe and see 25 people on white macbooks, I can listen in? Why does this sound really boring????
Two BlackHats - who have reputations at stake - claim that there is a vulnerability in any OS due to poorly written network device drivers. They proceed to demonstrate the vulnerability using a specific setup on video. Assuming the flaw does exist, what is the reason for using the third party wireless adaptor? My guess is that the drivers for that adaptor are more reliably cracked than the drivers for the specific chipset used in the on-board wireless adaptor.
Since the same company writes the shame shoddy code for the Windows, Mac OS X and other OS drivers for that card, you'd expect the same flaws to be present, especially since all those platforms use the same machine code. The lowest level of the driver could be using exactly the same machine code, and the exploit was carefully crafted to clobber the stack with a specific set of instructions that only work reliably when using that USB WiFi adaptor on that particular MacBook.
The contrived nature of the presentation doesn't mean this is a fraud.
The proof of concept exploit could simply be extremely dependent on factors which they didn't have time to adapt for, before presenting at the BlackHat conference.
So accept the fact that these guys claim there is a flaw, and hope to goodness that the drivers get fixed before someone else writes a more reliable exploit.