Slashdot Mirror
Less Than a Minute to Hijack a MacBook's Wireless
Kadin2048 writes "As reported by Ars Technica and the Washington Post, two hackers have found an exploitable vulnerability in the wireless drivers used by Apple's MacBook. Machines are vulnerable if they have wireless enabled and are set to connect to any available wireless network, fairly close to their default state, and the exploit allows an attacker to gain "total access" -— apparently a remote root. Although the demo, performed via video at the BlackHat conference, takes aim at what one of the hackers calls the "Mac userbase aura of smugness on security," Windows users shouldn't get too smug themselves: according to the Post article, "the two have found at least two similar flaws in device drivers for wireless cards either designed for or embedded in machines running the Windows OS." Ultimately, it may be the attacks against embedded devices which are the most threatening, since those devices are the hardest to upgrade. Currently there have not been any reports of this vulnerability 'in the wild.'" According to this story at ITwire.com, they were able to exploit Linux and Windows machines, too. (Thanks to Josh Fink.)
And in the background we hear 1000 Mac users screaming in horror...
"Oh boy"
My Powerbooks is safe. Apple is so much more secure than ^.#$ pwned u n00b wahaha
There are shills on slashdot. Apparently, I'm one of them.
Does this exploit run on Linu......
never mind.
My reality has been shattered. Macintosh computers have been found to be less than perfect! Time to install WinXP.
- i'll get me coat! -
Also, christ, I'd say they're being pretty responsible about it.
[insert witty comment here]
In related news, there is an article at ITWire about Intel admitting to a security flaw with their wireless technology as well. Check it out at http://www.vnunet.com/vnunet/news/2161539/intel-ad mits-centrino-wi
-- Josh
"Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
This exploit is OS independent. How is this in any way indicative of Mac user smugness? Are they so smug that they made Windows and Linux boxes explotable too?
In the video he uses a third party wireless card. Are other cards, such as the built-in card, similarly vulnerable?
Even more disturbing, IMO, is the suggestion in the article that Microsoft will become the ultimate arbiter of device driver safety in Vista, by preventing device drivers from being loaded that they haven't checked out and approved.... because we all know that Microsoft are the experts when it comes to detecting and correcting software vulnerabilities.
Seeing you can't be bothered reading tfa to find out that they haven't discolsed & gone to some trouble to ensure the vulnerability's details weren't leaked, I'll quote the relevant sections for you:
and:
One last quote for you (just 'cause its funny):
There are shills on slashdot. Apparently, I'm one of them.
If the flaws are in Apple's drivers, why did they need to plug a 3rd party card into the MacBook? What user would ever plug a 3rd party redundant wireless card into their computer? Presumably, if they could hack Apple's drivers they wouldn't need the other card. All this video shows is a 3rd party wireless card with crappy drivers.
Some of these look pretty serious, although there's not exploit circulating yet:
Intel information about affected drivers
Fixes can be found here
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
One should probably mention that they exploited 3rd party drivers and not the ones that the MacBook actually uses.
And I was joking about this on a security mailing list yesterday. I mean, come on: 3rd party drivers that nobody is using anyways because the ones you get with the system are perfectly ok? What's next? Writing the exploitable drivers yourself?
Assorted stuff I do sometimes: Lemuria.org
Requests for testing have been sent to the guy in California who were rumoured to have gotten it running though.
"" How about taking the safety labels off everything, and let the stupidity-problem solve itself? """
[1] On recent versions of FreeBSD. Previous versions did include the blob.
I am TheRaven on Soylent News
Well, this argument, being used toward Linux users or Mac users, has to stop. We all know that there has been flaws in linux kernel, Mac OS X and windows XP. They are known, thay are published and for most of them corrected. We all know there are more, waiting to be discovered.
BUT, and you'll notice this is a capital 'but', I have never seen a worm propagate across linux computers (I don't know for macs, I'm not a user of these). I mean, in the 98 era, windows computers were plagued with these. In the pre-SP1 era too. I have never seen a *single* self-propagating thingie for linux. The first one to do such a feat would get a lot of credit in the "scene" (if such a thing still exists). I, for one, believe that the security design of the OS is not stranger to this clean record.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
MacBooks use different wireless drivers (because they have Intel wireless chips). Your Powerbook has the old Airport card; unless there's also a similar flaw in it, it's safe.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Two important facts: Nobody has actually seen an active exploit; there is only a video available. Quite obviously anyone can hack into a Macintosh if it is prepared in the right way, for example by turning file sharing on and allowing everyone in the world access. More important, the video should a Macintosh notebook with an external wireless card. Now how many Macs have an external wireless card? For several years, all the notebooks have been shipping with built-in wireless connection, including the one in the video.
I would suspect that the problem is that a wireless connection can be created without knowledge of the user, and a user who has a Macintosh that was made vulnerable but should be safe because it has no network connection would unexpectedly be unsafe.
What about the SSL worm from a couple of years back? I had at least one linux server rooted by that at the time.
http://michaelsmith.id.au
Look for more information on the ISC Web site. Bottom line is this is not an OS issue, rather a "firmware/driver" issue.
It's not Centrino. Centrino is the name given to Intel's package of Motherboard chipset + wireless chipset + Processor. The new Apple machines don't use an Intel wireless card. They use Intel's chipset and Processor but not their wireless card. This does not make them Centrino machines.
To be specific the new Macbooks/pros use a Atheros 5006x. This is in comparison to the powerbooks that use a broadcom based card. So Apple doesn't use Centrino.
The actual video is here.
Maybe It's worth mentioning that instead of the internal airport device they cracked an external USB Wireless Device attached to the MacBook which is IMHO not "fairly close to their default state". (Although that does not tell us anything about the security of the MacBook's airport)
My God people do some research. These guys used a 3rd party card because they don't want to reveal what hardware is vulnerable. As for operating systems, the one (and only) reason they chose to use a Mac was for shock value. Windows and Linux are both vulnerable, though if there are any exploits you can bet good money they'll be on Windows and not Mac OSX or Linux.
This is disgusting. No matter how many stories you run about Mac OSX and how it "really isn't secure" two facts will remain:
1) It's more secure than Windows. There are both less flaws and less exploits. It doesn't matter why, it's still true and, most likely, it will remain true for a long time to come. It's difficult to prove which has less flaws because neither is open source, but I think all of you, no matter how devoted to Microsoft you are, know deep down what would happen if both systems went open source tomorrow. It's very easy to prove which has less exploits, and it makes no difference whether that's because of less flaws, a different user base, a smaller user base, or some combination of the three because the net effect is a safer OS. Even if you disagree with the statement that OS X has less flaws on the basis that you believe it is secretly harboring more crappy code than Windows my second argument still holds.
2) There are almost never any malicious programs of any kind spread among Mac OS X users, unless you count people sharing copies of Windows XP to be installed with BootCamp. This may change in the future, but I doubt it.
Haiku for you!
You may notice that one of the guys was in CS grad school. He's presenting results at a conference. His academic credibility is on the line.
Not actually demonstrating your methods while presenting them at a conference is pretty common in other disciplines where it's really hard to lug around an X-ray diffractometer or the New Guinea Urungwi tribe. In CS it's different, but I think the risk of interception is a pretty good excuse.
Any sufficiently advanced libertarian utopia is indistinguishable from government.
This is not a Mac/Windows/Linux/whatever issue. It is an OS architecture issue.
This exploit is yet another reason why drivers should be run in user space. I can't think of a popular OS that does this universally... Linux has nooks, which is not the same thing, and Vista is going to run some, but not all drivers as services instead of in the kernel. Network drivers have traditionally been run in kernel mode for the sake of performance... When is security going to trump performance as a design goal in the major OSes? Enough is enough I say...
Well, the "spin" was really a result of the way the discoverers demonstated their findings.
The flaw was found in a number of wireless drivers; they purposely chose to demonstrate it (in their video, which I haven't been able to find on the web anywhere) using a MacBook, because of that "aura of smugness."
Apparently their biggest complaint is those Mac/PC Apple ads: "'We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,' Maynor said." (That's from the Ars article.)
So really, while the vulnerability is pretty much platform-independent, the discoverers chose to use a Mac as the demonstration platform because if its reputation for security. In terms of publicity generation, it was probably a smart move: "Hack a MacBook in 60 Seconds" is going to get them a whole lot more press than "Hack a Dell Inspiron B230 in 60 Seconds."
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
First, the very FIRST worm was a worm that propogated on a flaw in sendmail. Second, you must consider that a worm doesn't have to propogate on 10% of machines just once. every time it spreads, less than 10% of it's targets are acceptable. this has an exponential limitation on the spread of the worm, not a linear one. If you had chosen any type of problem other than worms, your statement would have been valid. (trojans, standard ride-along viruses, spyware, adware). those are valid things to point to, but not worms.
check Security Fix:
During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.
check Security Fix:
... )
During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.
( Looks like Apple was wielding a big stick
1. It was done on Video, not Live. Show me the code. I want to see this "OS independent" remotely exploit any Wireless card in Promiscuous AP mode.
I want to see this work on Linux, for that matter.
2. It requires your system to be setup to automatically associate with all non-password protected APs. This is not a default setting, either; and none of the Mac users I know run their systems on this setting.
People DO tend to run their systems on "Alert me to all unprotected wireless access points", but that's all.
I don't see why everyone is so willing to accept this vulnerability. Their talking about attacking Atheros drivers on Windows, Linux, and OS X, with at least three independent driver teams working on them, with the Linux one being opensource (Madwifi). Furthermore, I don't see how you would get the same three driver stacks to exhibit the same buffer overrun to root-level excutable code, particularly a locked down Linux.
It's not protecting anyone to hide this vulnerability. Releasing the information now would prove whether or not this is real, and would permit quick resolution to this problem, particularly for the MadWifi people.
Until there's more information, I don't believe it. Even if I did believe it, without any details there's no effective way for me to protect myself. If the attack requires associating with an AP, most systems are not vulnerable. If the attack simple requires scanning avaliable APs, then every system out there is vulnerable unless Wireless is entirely disabled. Either way, it's stupid not to release the details, and reeks of more "Mac's aren't safe! See! Buy Norton Antivirus for the Mac!".
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
I disintegrated a car with my mind!
I have it on video!
Of course, I weakened the car's frame with a blowtorch... and the car was packed with explosives... and there was the whole "lit fuse" thing... but still! I disintegrated a car with my mind. Some anonymous guy with a video says so!
Now that all the bashers have had their fun, can we acknowledge that there is no such thing as a 100% secure computer of any sort as long as it is connected to a public network. I know it is not as fun, and takes the joy out of OS/hardware parochialism but it is true. As well, the behaviour of goofy users is neither Bill's, nor Steve's nor Linus's fault and there is not much they can do about it.
I have run windows machines since 3.1 and DOS before that and never had problem. On the other hand I have shown people (relatives, friends etc) how to secure and maintain their machines and the next week I find them back to doing their own self-defeating behaviours.
Someone found an exploit. Whoop-de-do. There will always be exploits found for all systems that people can screw with. There is almost always a way to secure against it. Almost always a large group of users ignores what is good for them and their machines and gets burned. Frankly, the platform matters less when it comes to these things than the user's behaviour.
check my post just above yours. Post there and on several other news sites. A macbook by default is vulnurable, its just that Apple was wielding its "beat stick" and told them not to demo it on the internal wireless card.
No fix yet.
Actually, it's not uncommon in CompSci conferences to only present rigged demos. Most conference papers, however, are peer-reviewd before they are accepted[1]. One common question on the review forms is whether a grad student could implement the presented idea based solely on the paper.
[1] In many other disciplines it is the other way around; the conference presentation is part of the review process, and papers presented at a conference may not make it into the printed proceedings (in which case they can't be referenced and do nothing for your academic reputation).
I am TheRaven on Soylent News
I'm curious.
This "Fact" you say exists... What evidence do you have to support this fact?
Are you sure it's not merely your opinion?
So these guys take a third party USB wireless card,
on a MacBook of unknown status,
connecting to a specially scripted AP,
and get owner privileges.
Cuz this happens any time you use a Mac.
Oh, and thanks guys for the admonition about proper testing. We'll have to write that one down.
And for pointing out that wireless means there are no wires and you can sit in other chairs.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Kids: PC's are owned through Windows. This is a fact. Own a PC, get hacked, this is the way it is.
Macs are so secure that A STORY about a third party wireless carded being hacked gets national-level coverage.
The PC owners rejoicing over the Mac's equivalence to their vulnerable platforms are being ridiculous. The quantifiable risk ratio between operating a Windows laptop and a MacBook is practically infinite, as there are no known virii for MacBooks, no known owning of MacBooks, no known security risks in operating a MacBook. At this point, hackers are well aware of a large installed userbase for Apple products, and certainly would attack them. If they could. Obviously they can't.
Silly people. Don't forget to run your virus and spyware checkers today. And back up your data, you never know when the bad guys will nail your hard drive in new and exciting ways through yet another buffer overflow in Windows.
Note that if you research the article a bit, you'll find that the "researchers" didn't hack the MacBook through the built-in wireless adaptor, they actually used a 3rd party wireless card plugged into it. They did it on a Mac just for the publicity storm they hoped it would generate (and lookie here, they were right).
So all the crap about "Oh oh, now your Mac is just as insecure as a Windows Box" is really, well, wrong.
And researchers deserves the double-quotes in my opinion; anyone with a nickname like "Jonny Cache" seems a bit silly to me in the first place.
These two "hackers" seem quite sheepish and frustrated. Why are they attacking the Mac user-base when it's not the users that are the problem?
One 'hacker' claims,We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,
Users? Why is he picking on users here? The people featured in these ads are ACTORS hired by the marketing and advertising departmens of Apple. Nothing at all to do with the user base.
"Mac userbase aura of smugness on security,"
I don't think the 'smugness aura' is generated by the user base. It's apple's marketing and PR that make claims of being secure and virus free. Do they really think that an average user would come up with something sercurity related on their own? No, they just regurgitate what they hear from these ads.
Maybe some day these guys will grow up socially and learn how to pick their battles. They are attacking the people that they should be trying to win over. They should instead of bringing the fight to the faceless corporations.
From the original article by Brian Krebs:
The video shows Ellch and Maynor targeting a specific security flaw in the Macbook's wireless "device driver," the software that allows the internal wireless card to communicate with the underlying OS X operating system.
This is false. He is either didn't see the video and was relying on the word of Maynor and Ellch or he does not know the difference between a third party wireless card and a built in airport card.
From Brain Krebs subsequent article trying to explain the discrepancy:
During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers.
This is completely inconsistent with what the original article said and is also inconsistent with these quotes from the "leaned on":
Still, the presenters said they ultimately decided to run the demo against a Mac due to what Maynor called the "Mac user base aura of smugness on security."
"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something,"
Krebs is an idiot or is still taking the word of a source that has already lied to him once. This is not journalism's finest moment.
http://blogs.zdnet.com/Apple/?p=255 "Earlier today I posted a story about about two hackers from the Black Hat conference in Las Vegas and how they supposedly demonstrated how to exploit a vulnerability in Apple's wireless device driver to remotely access and control a MacBook over a network. The story was based, in part, on a blog entry by Brian Krebs at the Washington Post. As it turns out the hack described does not apply to MacBooks as it relies on third-party wireless hardware rather than the wireless cards supplied by Apple. FTA: "Maynor said the MacBook used in the demonstration was not using the wireless gear that shipped with the computer."
You don't even have to read the article this time, just look at the site. This vulnerability requires use of an aftermarket wireless card. Who is going to use an aftermarket wireless card on a MacBook with that always comes with built-in wireless?