Slashdot Mirror


Apple Denies Wi-Fi Flaw, Researchers Confirm

Glenn Fleishman writes "Apple tells Macworld.com that the Wi-Fi exploit demonstrated at Black Hat 2006 in a video doesn't show a flaw in their hardware or software. A third-party USB adapter with different chips and drivers was used, and Apple says the two researchers haven't provided Apple with code or a demonstration showing a working exploit on Apple equipment. The researchers added a note at their Web site confirming that only an unnamed third-party adapter was used. This doesn't mean the researchers have no flaw to show, but rather that their nose-thumbing at Apple users who were too secure in their security was misplaced, at least at present. The researchers' claim that they were providing information to Apple now seems off-base, too."

15 of 267 comments

  1. What a relief. by A. Bosch · · Score: 5, Funny

    So I can go back to being "smug" now about security on my mac?

    --
    Where there is the necessary technical skill to move mountains, there is no need for the faith that moves mountains.
    1. Re:What a relief. by Anonymous Coward · · Score: 5, Insightful

      Somehow I think all this current bullshit about Mac users being "smug" about security is simple sour grapes. Linux users are similarly "smug" about security, but that is only if you define "smug" as simply stating the fact that there are certain things in place in the OS either by design or decision that make it inherently more secure out of the box. That in NO WAY means we should take any threat lightly, however stating the inherent higher security of these OS' is far from "smug" it is a simple fact. If no one likes it, then tough shit. I refuse to apologize or be meek about heightened security of my OS preference simply because Windows users are pissed off because they are still struggling with exploits and viruses that should have been rendered impotent years ago.

  2. What a couple of dicks by Doctor Memory · · Score: 5, Insightful

    And here I agreed that the Mac community was too complacent. I was hoping that this would be a rather benign wake-up call (given that it wasn't an exploit seen in the wild, and the hats were taking proper precautions to prevent it from becoming so). And now we see that they were just trying to leverage their exploit to make a (valid, but now diluted) point.

    --
    Just junk food for thought...
  3. So was this just a lie? by Anonymous Coward · · Score: 5, Informative
    Security Fix:

    During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

  4. Re:Uh... the "game's" rules are too strict by computertheque · · Score: 5, Insightful

    When they have integrated wi-fi and the user decides on a third party usb option with questionable settings, I wouldn't say it was my fault either.

  5. So some "facts" were just made up... by gnasher719 · · Score: 5, Interesting

    We were told that all Macs are vulnerable. And not only all Macs, but also all Linux machines, and all Windows machines. It seems this was not the case. Apparently there is no exploit at all against a bog standard Macbook with built-in wireless, and that covers about 99.999 percent. Using an external card was essential to the exploit, the claimed "pressure from Apple" was just made up. Remember, these guys _did_ claim that a Macintosh with built-in wireless adapter was vulnerable, and they didn't demonstrate that because of pressure from Apple! I didn't believe it then, nobody should have ever believed it without evidence, and now they have been caught with their lies.

    Shame on everyone who reported it without checking the facts.

  6. Re:Uh... the "game's" rules are too strict by TheGreek · · Score: 5, Informative
    It seems pretty ridiculous to say "We guarantee our OS is secure [unless you use hardware that wasn't made by us]."
    It's a good thing Apple doesn't guarantee that, then, because it would indeed be ridiculous. What they actually said was:

    "Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is," Apple Director of Mac PR, Lynn Fox, told Macworld. "To the contrary, the SecureWorks demonstration used a third party USB 802.11 device -- not the 802.11 hardware in the Mac -- a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."
  7. No Surprise by ar · · Score: 5, Insightful

    Anyone who thought about it for more than a second or two would have realised that it was never going to be a vulnerability in the default MacBook Pro hardware or drivers. If it wasn't, why would they need to introduce a third-party wireless adapter at all?

    Frankly, the disclosure here was pretty amateurish. Surely they would have known that demoing the vulnerability on Apple hardware would have implicated Apple. In fact based on the "aura of smugness on security" comment it looks like they deliberately *chose* Apple hardware to be falsely implicated.

    Do these guys have *any* credibility left?

  8. Special spl0itz! by Nijika · · Score: 5, Funny
    I have found this amazing security flaw in OSX. If you take a specially crafted driver, and you use a specially crafted piece of hardware and insert it into the system you want to compromise, you can then compromise it remotely!

    Gad Zukes!

    This is almost as good as the Debian exploit I found last year. I found that if you built a specially crafted PC, and then installed a specially crafted version of Debian, it would prompt you to set the root password during the install, leaving the system open to compromise by the person installing the OS.

    Next year's Black Hat conference, here I come!

    --
    Luck favors the prepared, darling.
  9. In other news... by Logger · · Score: 5, Funny

    In other news today, a faulty air bag was blamed for the death of a driver in a recent accident. The auto manufacturer's safety claims for the car were obviously overblown, and their smugness is now revealed.

    Update later that day: As a side note to this story, the owner of the vehicle replaced the OEM airbag with one from Orville Redenbacher, so she could eat popcorn in case she was in an accident. We originally decided we would overlook this aspect, because we have an axe to grind with this manufacturer and to create buzz generating free advertising for our company.

  10. who are we to question? by guet · · Score: 5, Insightful

    Yeah, so they should also trust two jokers on the internet who want to create a buzz around their presentation, and frame their demo so that it is bound to do so...? It cuts both ways.

    Although we'll see nothing but speculation in this article and its comments, eventually the truth will be known, and we'll have an exploit which is documented and proven to work, or not. If Apple have a flaw, and won't admit it, that would light a fire under them wouldn't it?

    Given the hackers' comments:

    Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver - not the original wireless device driver that ships with the MacBook.

    It sounds like they were bullshitting to try to make a splash, which they did. Till I see proof, I'm not inclined to trust either side.

  11. Tar and feather RESPONSIBLY by davidwr · · Score: 5, Insightful

    Before you tar and feather someone publicly, make darn sure you don't leave the wrong impression or it will boomerang on you later.

    This is true in any industry.

    If these guys had made it CLEAR that they were using a NON-APPLE network device from the get-go we wouldn't be having this discussion today.

    What they should have said:
    "We found a wireless exploit in a major-brand wireless network device. We will be releasing the name and model number of the device after responsible notification to the vendors involved. The videotape you are watching shows this device connected to an Apple Macintosh. We have also tested a device containing the same chipset connected to a Windows-based PC and found similar problems."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  12. Headline misleading by Microsift · · Score: 5, Insightful

    The headline's construction is confusing (paraphrasing) Apple Denies, Researchers Confirm. Since deny and confirm are antonyms, the headline implies that the two parties, Apple and the researchers are in disagreement, which is not the case.

    --
    My other sig is extremely clever...
  13. Re:...or alternatively... by Anonymous Coward · · Score: 5, Interesting

    Allow me to provide some background on one of the researchers. David Maynor has never been credited with the discovery of a vulnerability, even after several years at ISS X-Force. I have seen him present at three security conferences (two Blackhats and CANSEC) and not once have I seen him support his claims with any evidence. I am acquainted with a number of his former coworkers in the vulnerability research community and have been told by all of them not to place any stock in his claims. Based on that and the refusal to provide proof, I question this whole situation.

  14. Re:Well let me join karma suicide by NMerriam · · Score: 5, Insightful

    It depends on which Steve Jobs you want to believe. Jobs from 5 years ago spouting off about how "clock cycles aren't everything" and "IBM and Motorola chips are far superior to any Intel chips" or the Jobs of today with "Our new Intel chips make our old chips look like solid state transistors".

    I'm convinced Slashdot is filled with people who just enjoy not being willing to understand the simplest of things.

    The PowerPC G5 processor is an absolutely superior design to anything Intel was putting out in the 90s. I don't know of any hardware geek who disagrees, although they may disagree on real-world performance with available complete systems.

    That Intel is putting out well-designed power-efficient processors today does nothing to change the past. That IBM is uninterested in desktop computer processors NOW and is allowing the G5 to languish does nothing to diminish the fundamental superiority of the processor design, or the performance advantage it had years ago during active development.

    You may as well complain that car buyers today are just fanbois, because back in the 60s everyone knew Japanese imports were lousy, cheap machines that barely stood up to American cars. Yet now people say Japanese cars are great and reliable -- I mean, gosh, make up your minds, guys, flip-flop much? Once something is bad or good, it has to stay that way FOREVER, Mister Whirly said so!

    --
    Recursive: Adj. See Recursive.