Hacker Publishes Notorious Apple Wi-Fi Attack

inkslinger77 writes "It's been about a year since David Maynor claimed to have found a way to take over a Mac using a flaw in a Wireless driver. He's now published his work for public scrutiny. Maynor had been under a nondisclosure agreement, which had previously prevented him from publishing details of the hack, but the NDA is over now and by going public with the information, Maynor hopes to help other Apple researchers with new documentation on things like Wi-Fi debugging and the Mac OS X kernel core dumping facility."

This WASN'T an "Apple WiFi hack"!

[daveschroeder]

Yes, it affected Apple, too, but It was a general "hack" that affected WiFi chipsets on other platforms, including non-Apple hardware, Windows, and Linux!

That's the whole point of why people took issue with this, and it's still being perpetuated here!

The way it was presented, even if Maynor didn't intend it as such, especially in all of the press coverage - first IT press, then mainstream, CNN, hundreds of local papers via AP, you name it - was that it was an "Apple" WiFi hack only, and that anyone could easily and quickly completely take over your MacBook remotely.

The stories just got repeated and regurgitated over and over, even though it was a flaw that affected a lot more than Apple; indeed, the most interesting thing about the vulnerability was its universal nature and applications!

Also, in the initial reports, Maynor and Ellch hid the brand and vendor of external wireless adapter they used for the demo because of, according to them, "responsible disclosure", but then had no problems saying the exploit worked identically on a stock MacBook. So if it was important to hide the brand of the wireless adapter they used for the demo, why was it not equally important to hide the fact that the chipset in a MacBook was vulnerable? How is it fair for this to appear as an exploit affecting only Apple, appearing under headlines like "MacBook hacked in 30 seconds - remotely via wireless!"

Given that Mac users apparently needed to have "lit cigarettes stuck in their eyes" - and whether that was a joke or not, I don't see how that's professional coming from someone who is a "security researcher" presenting findings under the guise of what purports to be a professional security outfit - it appeared that the choice to use a MacBook for the demo and the ensuing firestorm of publicity was done exactly for that reason.

Would this have been news if they had used a Dell or Lenovo laptop running Windows or Linux, even if they also still said that this affected multiple platforms, including Mac OS X?

Re:This WASN'T an "Apple WiFi hack"!

[squiggleslash]

You know Dave, I'm really disappointed in this reaction and the reaction of most others in the Mac community on this news.

To address your point first: The hack was an Apple WiFi hack. It was presented that way because that was the news. The fact one could use the same exploit as a basis of a means to hack other operating systems was really not news - Windows is hackable, everyone knows that, and even GNU/Linux doesn't have a reputation for being invulnerable. Meanwhile Mac OS X, the operating system with the second highest mindshare, was promoted by most of its supporters, including at times Apple, has being free of the viruses and malware that plague Windows, and suddenly Maynor found there was a massive hole in that. So what was news was that this hack affected that operating system. To claim otherwise would be like to claim news that a thirty floor building suddenly being underwater in the middle of New Orleans is not a story, because the same flood affected all the single floor buildings surrounding it.

More importantly though, the Mac community spent an enormous amount of time trying to destroy Maynor's credibility, including misrepresenting his video and claiming there was no such bug, and that he was lying when he claimed to be unable to reveal the hack due to an NDA. It would be nice to see people who fed into that smear campaign at least acknowledge that the chief allegations against Maynor et al were wrong: he really did have an exploit, it was serious, he was unable to give details out due to an NDA, you may not understand the reasons why he presented it the way he did but there really is no evidence whatsoever of dishonesty on his part. He really does deserve an apology.

Re:This WASN'T an "Apple WiFi hack"!

[daveschroeder]

squigglesquash,

I'm not apologizing for the behavior of the Mac fanboys afterward, and I already said that in one of my other posts.

But the very initial coverage stated that other WiFi drivers for similar chipsets on other platforms were already proven vulnerable. This wasn't some pie-in-the-sky theoretical claim; it was specifically stated that drivers Linux and Windows WERE vulnerable to the SAME exploit mechanism, and that the MacBook was chosen to just show that "Macs can be vulnerable too".

FUDing the story they way they did was wrong, but the damage was already done. If this were on Windows or Linux, this NEVER would have gotten picked up in the mainstream press. I say "mainstream" because that is an important distinction. The story was covered with none of the technical nuance or accuracy required, and left MILLIONS more people with the impression, even if only in passing, that "MacBooks" could be owned wirelessly in 30 seconds. Not any laptop. Not Windows. Not Linux. Just MacBooks.

If you can tell me how that's fair to Apple or how that helps Apple users, I'd appreciate it.

Also, I will say that the FUD reaction from the fanboy crowd did NOT help Apple users, and in fact did lasting damage to the Mac security situation. But if you can explain to me how the coverage, or saying that smug Mac users need lit cigarettes jammed in their eyes, or making it appear that the vulnerability ONLY affected MacBooks, or hiding the third party wireless card they used in the initial demo because of "responsible disclosure", but then immediately turning around and saying the integrated wireless in a MacBook was identically vulnerable - if you can explain to me how any of those "helped" the Mac community, I'd appreciate it.

Re:This WASN'T an "Apple WiFi hack"!

[GaryPatterson]

I'd write it a little differently:

DM: We found an attack which affects OS X and demonstrated it at a security conference. Also, you Mac users deserve a lit cigarette in your eyes.
AS: Give us details or admit you're lying!
DM: No details, because someone (aside, stage whisper hey George Ou - tell everyone it's Apple) won't let me speak. Legal eagles make me go hush now.
AS: You're a dirty liar! What's all this about using a non-Apple WiFi card? This proves you engineered a fake hack!
DM: I'd love to tell you why you're all wrong, but can't because I'm being leaned on by a company I can't name. I wonder who could be doing that..? Besides, someone sent me an anonymous email with a vague threat, which proves Mac users are all rabid dogs.
AS: Put up or shut up. Admit you're lying!
DM:...

A year passes, seasons come and go, the planet traces a circle of about 450M km around the Sun, people fall in and out of love, some are born, some die, interests change and people forget the whole thing.

DM: Hey everyone! It turns out I can talk now because an NDA (won't say who with, but you can probably guess) is over! My reputation is intact because here are all the documents I've held onto for a year! But I don't care what any of you think.
AS: O... kay... Would've been nice to know this all back then, and if you played it better you may have looked less like a publicity-seeking asshat and more like a responsible researcher with real information. The flaw was real, but you never reported it to Apple, Microsoft or any other OS vendor. People suspect the NDA was with Atheros but you haven't even said this much. It's still very suspicious, and you've never accounted properly for the use of that WiFi card.

And why did he sign an NDA and then play it up for the crowds so much? He knew he couldn't talk, but he dropped hints and made veiled references. Wouldn't the right thing, the responsible thing, have been to not make lots of public statements about something he signed an NDA not to detail?

Maynor played the publicity game with a hand he couldn't reveal for a year. By the time he could show his hand, the game had ended and everyone else had left the table. We all moved on. He could've done things a lot better, but he seems to have wanted shock and awe. It still stinks, and he's in no way off the hook for the farrago that whole incident became.

Re:This WASN'T an "Apple WiFi hack"!

[Vokkyt]

David Maynor: OK, I'm now legally free to discuss the details of the attack and here are all the details. Enjoy! Apple supporters: We don't care about your stupid details! Shut up and go away!!

Okay, but that's not entirely in context. Yeah, a lot of Apple Folk aren't going to care about this anymore for one reason and one reason alone; at this point, it is irrelevant to most end users. Why? Well, the vulnerability has since been patched; the only thing that drudging something like this up does is spread more garbage about the "insecurity" of the Macbook, OS X, etc. The story, as it is and as it was, is more about OS X than the actual bug that was found in that chipset/driver. It's true; OS X may only be mentioned once, but it's THE brand name mentioned, and when it comes down to it, a lot of journalists are looking for the quickest way to attach a name to an item.

Truth be told, I doubt that many actual publications could run a full story on Maynor's findings because simply put, he's getting way too technical. A responsible publication would opt to not publish, as they really can't do much more than associate the flaw (wiFi hack) with the name (Apple). Unfortunately, we don't always have the most responsible journalists.

I think that Apple folk have some what of a right to be pissed at his presentation method. If he thinks that he needs to stick it to the Apple folk for believing that they don't need to live in constant threat of their computers being overtaken by *insert virus/malware of the week*, fine, but truthfully, at that point, releasing data and associating it with Apple is just douchebaggery and somewhat sullies the reputation of the researcher, who should theoretically be above such nonsense. (Before anyone comments, yes, calling his actions douchebaggery or using the word in general sullies my reputation, but I'm not presenting as an expert is the difference)

What Maynor has is a wonderful research project; I just wish he'd understand that he messed up a little in his choice of actions when citing Apple in specific. Demonstrating the effect on just one more laptop model (Dell D620, for example), would have made all his problems go away.

Re:This WASN'T an "Apple WiFi hack"!

[shinma]

You don't hang out on mac boards much, do you?

The whining over how "awful" the black level on the new iPod Touch is, the "I'm unimpressed," attitude every time Apple releases something, simply because the mac rumors community builds every announcement up to be the second coming... Much of the Apple Faithful are disappointed when it's only revolutionary.

Apple fanatics are vicious to Apple. They devour their god, and their bloated bellies are never full.

Re:This WASN'T an "Apple WiFi hack"!

[nine-times]

From my reading various stories at the time, I'd put the conversation more like this:

Maynor: I have this way that I can hack any Mac in 30 seconds, using stock Apple hardware and a normal install of OSX. I'm doing this because all Mac users are horrible people and morons who deserve to be tortured. By the way, I'm only going to demonstrate this using 3rd party hardware and 3d party drivers. And I won't disclose any details. And this hack also works on other platforms who have the same hardware and drivers, but let's not talk about that...

People with any sense: Um.... WTF are you talking about. Your methods are suspicious, your comments are inflammatory, and if you're a decent security expert, you should disclose enough information so that people can fix the bug. We don't trust you.

A couple random people: This guy's an asshole and a liar.

Anti-Mac crowd: Look at all the Apple fanboys, foaming at the mouth. They're insane!!!

Maynor: I won't respond to anything people are saying, because... um... I'm not allowed to.

People with any sense: Ok, screw it. You're being useless so we'll ignore you.

Some random Mac user: You suck. Shut up and die.

Maynor: But pay attention to me!!! I'm getting death threats!!!

People with any sense: What the hell is wrong with you?.

Anti-Mac crowd: Look at all the Apple fanboys, foaming at the mouth. They're insane!!!

...Months pass...

Maynor: Ok, now I'm allowed to talk about all this, so I'll inform you all that I was disclosing a bug that was fixed a long time ago, and that has already been documented.

People with any sense: Whatever... This isn't really a story anymore.

Anti-Mac crowd: Look at all the Apple fanboys, foaming at the mouth. They're insane!!!

Re:Responsible disclosure

[shird]

Microsoft will only credit you in a bulletin if you disclose a security flaw responsibly. Don't know about other corporations, but I would've thought MS were fairly significant.

The reaction was AFTER the news coverage

[daveschroeder]

Yes, it did get a huge reaction.

That was AFTER it had already been picked up by the press, including mainstream non-IT press, under sensationalist headlines, and with no mention in the article that anything BUT Apple's new flagship portable was affected.

This was in the first two days before there was any rabid or insane reaction that anyone in any of these news outlets knew about (except for maybe Krebs at the Washington Post, who seemed determined to give this story legs at any cost).

The story ran under headlines like "New Mac laptops vulnerable" and "MacBook hacked in 30 seconds - wirelessly". The story ran not only in the traditional IT rags, which sometimes had the journalistic accuracy to also say the vulnerability could affect other hardware platforms and OSes just the same, but in national mainstream press outlets, including AP, which gets picked up by hundreds and hundreds of local news papers and other local media, and gets seen by millions more people than will ever see anything in Network World or The Register.

All at a time when more people than ever were considering a move to Mac OS X after the switch to Intel. Their only takeaway as they scanned the morning paper or caught a segment on the local morning news? That the "MacBook" can be "taken over" in "30 seconds", wirelessly, and all without you knowing. Hmm, might as well stay with Windows after all.

So yeah...as I already noted in another post, the reaction from the Mac crowd was even worse, FUDing the story into oblivion. However, the initial coverage wasn't because of that. At all. In any way, shape or form. It was because a security vulnerability affecting Macs is interpreted by many to be BIG NEWS, whether they're the kind of journalist (as a few in the IT press are) who want to trumpet negative Apple stories, or just simply some guy at AP who sees it as a unique story. NONE of the original coverage, which was the only substantive coverage and what had already caused the damage, was because of the Mac fanboy reaction. Rather, it was the opposite.

Re:Really good sleuthing

The MacBook was just chosen as a point of principle to show that Macs, too, can be vulnerable to such attacks.

But that's unpossible! Macs have cool ads, and they make fun of that PC guy who is always crashing with security problems.

So what, you say? It was bad press for Apple, and ONLY Apple. No other vendor of manufacturer got nailed by this in any substantive way. With Apple having such low marketshare, how is it fair for only Apple to be targeted in press articles about this?

Apple denied the problem existed, and threatened them - that's why this made the news. Compare this with the well-known similar flaw in some broadcom wireless chipsets (used by many vendors, including Dell & Linksys) that came out last fall. A fix came out, and the problem was solved.

How Apple handled the problem is the issue. Similar to Oracle claiming that their database is "unbreakable". Oracle is a solid product, but certainly not unreakable.

Re:So does this mean

[Cid+Highwind]

Look at the huge volume of frothing anti-Apple hate Maynor stirred up with this exploit (and the overreaction to his non-demonstration and insinuations that Apple's lawyers pressured him to shut up).

Anyone who creates a real self-propegating worm for OSX that infects end-users' machines would be revered as a god among men, or at least among Windows fanboys. The fact that a year later after Maynor's exploit and two years after the first smarmy "I'm a Mac" ad nobody has done it tell me there's more to OSX security than Windows having 90% market share.

Re:When does Jon "Daringfireball" Gruber apologize

[JoshNorton]

I see no evidence that they have fufilled any of the terms of the challenge as yet.
In any case, he set a time frame for taking the challenge that ended just over a year ago at this point.

No, this really doesn't earn them any apology from him.

Re:Really good sleuthing

[Tim+Browse]

What gets me most of all is how the wifi stack was able to be crashed with just data.

As opposed to..?

I don't know if you've been keeping up, but an awful lot of vulnerabilities are triggered by providing 'just data' to the target.