The Black Hat Wi-Fi Exploit
Joe Barr writes to tell us that while many have heard that an Apple was exploited in order to install a rootkit at the recent BlackHat security conference, most people don't know the details of how it works. This is no mistake; it seems that the researchers who demonstrated the flaw were intentionally vague. Some theorize that this is in response to the real or perceived threat of legal action similar to the situation with previous Blackhat presenter, Michael Lynn.
The current exploit was intentionally vague so that attackers would not have the upper hand. The previous researcher mentioned was arrested for something prior to his presentation; I do not correlate the actions together.
The machine unmakes the man. Now that the machine is so perfect, the engineer is nobody. -Ralph Waldo Emerson
ScuttleMonkey writes to tell us that apparently the 'plot thickens' as some guy somewhere emailed that some people are 'theorizing' alternate motives for the Blackhats keeping wraps on their so-called 'exploit' (that they tried unsuccessfully to smear an OSX security with).
There is no new substance. This bone has been gnawed clean already. Sounds more like some people are making excuses for something...
www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
Now I'm a big fan of a policy of eventual public disclosure of exploits. The behavior of many big companies has shown that without the pressure of public knowledge of an exploit they will drag their heels about fixing the exploit. However, it is undoubtable that publicly making available details of an exploit without giving vendors a chance to create a patch increases the number of attackers who are able to execute attacks against that vendor's customers.
Now there are reasonable people who believe this increased danger is pretty much always offset by the benefits of public knowledge of the risk, i.e., a vulnerability you know about is sufficiently less risky to justify disclosure. However it is disgustingly biased and misleading to not even acknowledge that some people and companies might reasonably believe total public disclosure harms the end customers. This is especially true when we are talking about the difference between revealing the existence of the exploit and revealing info that might enable someone to copy the exploit.
Moreover, I didn't see the slightest evidence that it was outside pressure that caused this pair not to reveal the details. The tone of this cnet article seems to imply they made the choice themselves to be responsible which seems totally reasonable.
Also I don't understand who would put this pressure on them unless it is the network card manufacturer. Macs, Linux and Windows machines are supposedly all affected so no one company would take a PR hit relative to others. Unlike the case with the Cisco vulnerability.
Yes it's true that vendors tend to be biased toward maintaining their good name. Just like real people they tend to be biased toward the answers that help them out but this is hardly dastardly. True I think they sometimes go too far and chill free speech and harm security research but this seems fairly rare and I see no reason to believe it is happening here.
If you liked this thought maybe you would find my blog nice too:
A lot of people have posted so far saying, "It's OK that they didn't reveal the exploit, because it protects people from hackers until the fix is out." Which is probably true for the most part.
However, these guys have given almost no information about the hack, making it impossible to protect yourself. Does your wireless card have problems? Do all wireless cards have problems? What can you do to protect yourself? Should you avoid using wireless at all? Is it a remote hack that can actually somehow enable the wireless card (through a secret back door or something)? We don't know. And by keeping these details secret, companies are hurting end users.
It is good to let the company create a fix before the exploit is released, but it is also good to give the user enough information to defend himself.
Qxe4
This is not a simple matter of exploiting a service. The machine might not even need any publicly accessible services for this attack to be effective.
We all know that wireless cards require soft firmware and drivers in the OS these days. The point is that it's possible to exploit the drivers with specially crafted packets and make the OS run arbitrary code that it thinks is the Wireless driver.
Running code at the level of the OS brings with it full control over the machine. The OS trusts the drivers 100% on almost every system I've used. This means your newly running code can take full control of the machine, and probably even download more code, sniff on you, etc.
It should be possible to exploit this attack even if the machine is connected to a trusted network. All you need to do is send it packets on that network (or pretend to be on that network).
The demo might have been vague, but it still points out some serious flaws with wireless systems on modern operating systems - anyone can send you packets and the OS trusts the software processing those packets 100%...
I drink to make other people interesting!
Some have theorized that if you don't quote your sources, then you're just full of shit.
If you were blocking sigs, you wouldn't have to read this.
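A concrete illustration of the bug class the comment above describes (a driver trusting attacker-controlled length fields in over-the-air frames), as an added example that is not from the thread and not from any real vendor's driver: a defensive parser for the 802.11 information-element list, with constructed frames showing where a naive copy would overrun a fixed buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IE_SSID     0    /* 802.11 element ID for the SSID */
#define SSID_MAXLEN 32   /* maximum SSID length in the standard */

struct ssid { uint8_t len; uint8_t data[SSID_MAXLEN]; };

/* Walk a list of information elements (1-byte ID, 1-byte length, data).
 * The length byte arrives straight from the air; a hypothetical driver
 * that trusts it and memcpy()s into a fixed buffer lets the sender
 * overwrite kernel memory. Returns 0 on success, -1 if an element runs
 * past the frame or the SSID would overflow its destination. */
int parse_ies(const uint8_t *frame, size_t frame_len, struct ssid *out)
{
    size_t pos = 0;
    out->len = 0;
    while (pos < frame_len) {
        if (frame_len - pos < 2)
            return -1;                 /* truncated element header */
        uint8_t id = frame[pos];
        uint8_t ie_len = frame[pos + 1];
        pos += 2;
        if (ie_len > frame_len - pos)
            return -1;                 /* claims more bytes than exist */
        if (id == IE_SSID) {
            if (ie_len > SSID_MAXLEN)
                return -1;             /* the check a naive copy lacks */
            memcpy(out->data, frame + pos, ie_len);
            out->len = ie_len;
        }
        pos += ie_len;
    }
    return 0;
}

/* Constructed frames (not captured traffic): a valid SSID "home" plus a
 * rates element, and one whose SSID length byte (0xFF) exceeds the frame. */
static const uint8_t good_frame[] = { 0x00, 0x04, 'h', 'o', 'm', 'e', 0x01, 0x01, 0x82 };
static const uint8_t bad_frame[]  = { 0x00, 0xFF, 'A', 'A', 'A', 'A' };

int check_good(void) { struct ssid s; return parse_ies(good_frame, sizeof good_frame, &s) == 0 && s.len == 4; }
int check_bad(void)  { struct ssid s; return parse_ies(bad_frame, sizeof bad_frame, &s) == -1; }

/* A 40-byte SSID inside a frame long enough to hold it: only the
 * SSID_MAXLEN check stops this one from overrunning out->data. */
int check_oversize(void) {
    uint8_t f[42] = { 0x00, 40 }; memset(f + 2, 'A', 40);
    struct ssid s; return parse_ies(f, sizeof f, &s) == -1;
}
```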
> exploit was at the card driver level
Yep, and we still haven't been told which card driver they installed.
That it wasn't the one Apple provided should be obvious - they would have used the built-in Apple Wireless, then.
k2r
What is more likely: (A) A vulnerability exists in at least two WiFi implementations (some external card, and Apple's internal Airport), which allows systems to be compromised independent of which operating system is running, or (B) two guys who want their fifteen minutes of fame doctor a video, claiming that they can crack any Mac with WiFi within 60 seconds, conveniently being so vague that nobody can verify or refute their claim, adding in a bit of conspiracy theory (pressure from Apple) on top of it?
A driver level exploit gives you ring 0. Who cares about shells when you 0wn the kernel itself?
I can throw myself at the ground, and miss.