Hackers Expose 'Critical' Wi-Fi Driver Flaw

On Fri, 04 Aug 2006 16:30:25 GMT, snipped-for-privacy@earthlink.net (Neill Massello) wrote in :

That depends on whether or not more information is being provided to affected organizations, as claimed. Thus far there hasn't been any suggestion that it hasn't, so I think this criticism is, at the very least, premature. ;) The recent massive Intel security patch also lends credibility to the claims.

Reply to
John Navas

On Fri, 04 Aug 2006 09:46:34 -0700, Jeff Liebermann wrote in :

I suspect there's more going on here than meets the eye. A big problem in security is getting vendors to pay proper attention. My guess is that these guys got fed up with the lack of concern, and decided to build a fire under them with this public presentation. If so (or something like that), my own opinion is, "Bravo!"

I'm frankly sick and tired of vendors _knowingly_ shipping badly flawed products. It's the major reason I largely dropped out of beta testing -- I have a long list of _major_ bugs I found as a beta tester that were left unfixed in released products (which I'm unable to disclose due to NDAs).

Follow-up to the Macbook Post

I'd like to respond to the people who commented on yesterday's post about the video's depiction of the use of a third-party wireless card on the Macbook. I spent more than an hour with Dave Maynor watching this exploit in action and peppering him with questions about it.

During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in Macbook drivers. But he also admitted that the same flaws were resident in the default Macbook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported.

I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable.

To all of the commenters who complained about why this demo was not shown live, I refer you back to the text of the blog post, which pointed out the dangers inherent in showing this type of exploit live to a room overflowing with curious hackers who would like nothing more than to capture a copy of the exploit wirelessly and experiment with it.

Again, the whole point of this story was not to pick on Macs, but to point to a security issue that affects multiple operating systems and one that is long overdue for some serious code review by the companies that OEMs rely upon to produce this software.

As always, thanks for all the comments. Keep them coming.

-- Brian Krebs

Probably because the MacBookPro has Airport functionality built into it.

I can think of a number of legitimate reasons. Why assume otherwise?

Panic is never a good idea. Nonetheless I'm now concerned about the Atheros wireless device in my own notebook computer, and even more for ones I've deployed for clients and friends, since that was reportedly the hardware used in the demo.

I've always turned off my own wireless when not needed, not only for security, but also for power saving and less annoyance. (I like how easy that is with a ThinkPad, one of the reasons I use and recommend them.) However, I really can't expect all my clients and friends to do so.

Until this is all sorted out, I've decided to:

  1. Monitor updates and security for clients and friends even more carefully than usual.
  2. Use Wireless Client Bridges instead of integrated wireless adapters as much as possible.
Reply to
John Navas

John Navas hath wroth:

I might agree with your analysis if they had previously even hinted that there was a problem in one of the security mailing lists. Whether the motivation was getting the attention of the vendors or simple publicity, they are certainly guilty of grandstanding.

Good idea. Let's attach a government mandated warning label to wireless routers.

DEPT of HOME SECURITY WARNING: This device contains firmware known to the government as being potentially hazardous to your data security. The manufacturer does not warrant against contagious infections unless a conscientiously applied program of updates and fixes is applied for the duration of the product lifetime.

Ditto. I busted my ass playing beta tester for various products, where the vendor largely ignored my findings.

Liebermann's Axiom: Features and functions get added faster than bugs get fixed, eventually resulting in a bloated buggy mess.

How could Apple lean on them unless Apple was considering hiring them to get involved in repairing their security problem (or image)?

Naw. Stealing the disks and cdroms is easier.

They could have just as easily used an Airport or Airport Express.

I can't think of any reason that a client driver exploit would require an active connection to function. Perhaps I'm missing something here. However, since the actual details of the exploit have not been released, I'll leave this point to conjecture.

Reply to
Jeff Liebermann

On Sat, 05 Aug 2006 10:52:56 -0700, Jeff Liebermann wrote in :

There's nothing sacred about security mailing lists, which are actually controversial. I personally think it's sufficient and reasonable to contact companies directly, as they apparently did.

I personally think the public is at least as well-served by the publicity.

Pressure can of course be applied in other ways. Apple is known to be quite litigious, for example.

But not as much fun.

Not necessarily. The MacBook is much easier to program.

Reply to
John Navas

Dan Rather stood by his whilst being shown the door because it had been discredited. NBC stood by the exploding gas tanks in the trucks report whilst it was being shown they (sorta like in this case) were using a non-Ford part.. AKA model rocket engines.. to make their point. It remains not a fact because as he mentioned:

I also thought that "admitted" was a rather interesting choice of words in this case. Sounds like M&E said it was their fault. M&E may have said or suggested, but hardly admitted.

Reply to
Kurt Ullman

Yeah but why just lean on them about Airport and let them use a MacBook unimpeded. If I was Apple, I would "defend" both vigorously or if threatening legal action on only one, it makes no sense to threaten about Airport and let them beat up on MB.

Reply to
Kurt Ullman

On Sat, 05 Aug 2006 18:49:55 GMT, Kurt Ullman wrote in :

Presumably because Apple couldn't have much to say when the exploit is demonstrated against a non-Apple product, even when an Apple computer is used in the demonstration. I think that was a cool way to make the point with relative safety.

Reply to
John Navas

Security researchers routinely inform "affected organizations" well in advance and delay the splashy public presentations until there's something available in the way of a fix. Going public before that usually only occurs after the exploit has already appeared in the wild or after vendors have been dragging their feet on the problem for a long time.

No informed person is denying that there could be serious security holes in wireless device drivers. The validity of this particular claim will be sorted out in time. It's not so much the content of the announcement as its timing, that bizarre demonstration, and Ellch's and Maynor's extracurricular statements that have raised questions about their motives and credibility.

Reply to
Neill Massello

Then they should have used better fuel: name some names and don't do any hand-waving during the demo.

Reply to
Neill Massello

On Sat, 05 Aug 2006 20:16:39 GMT, snipped-for-privacy@earthlink.net (Neill Massello) wrote in :

The latter may well have been the case here, but it's actually standard practice to disclose the existence of a security flaw and just withhold the details until enough time has passed for a fix (which might also have been the case here), particularly when there are ways to minimize or avoid the risk.

I respectfully disagree.

Reply to
John Navas

On Sat, 05 Aug 2006 20:16:40 GMT, snipped-for-privacy@earthlink.net (Neill Massello) wrote in :

I think they did just fine.

Reply to
John Navas

We'll have to agree to disagree on this one. I see no advantage to this. Especially when this opens up the possibility (that came about) that the Dynamic Duo would start carping about how nasty Apple was to them.

Reply to
Kurt Ullman

So does the MacBook, which was used as the target of the attack, not as the attacker or access point. But Maynor didn't use the MacBook's built-in AirPort hardware. Instead, he used a USB wireless adapter plugged in to the side of the MacBook, something that few (if any) MacBook owners would do.

So why use a MacBook at all? Because Ellch and Maynor don't like Apple's advertisements and think that Mac users are smug about security.

Reply to
Neill Massello

On Sat, 05 Aug 2006 21:07:28 GMT, snipped-for-privacy@earthlink.net (Neill Massello) wrote in :

And because the native adapter is equally vulnerable.

Reply to
John Navas

So why not use the built-in AirPort for the demo? Because Apple "leaned" on them? If so, then why state (outside the demo) that Apple's hardware and driver also suffer from this defect? That's also an invitation to supposed retaliation by Apple's lawyers.

Reply to
Neill Massello

On Sat, 05 Aug 2006 22:01:36 GMT, snipped-for-privacy@earthlink.net (Neill Massello) wrote in :

I respectfully disagree.

Reply to
John Navas

Absolutes don't work. I've used devices with hardware checking and, as has been pointed out, the overhead to use them has generally caused two problems, performance and complexity of code. Either one is a killer. Good, fast, cheap... pick two.

This isn't to say that devices with hardware involved in "protecting" memory aren't worthwhile. More that they're not the only solution. Good programming practices are still needed. It does little or no good to have a protected environment that can still be attacked and suffer performance loss because of bad programming. Good programming without hardware "help" is far more useful than shitty programming with hardware "help".

-Bill Kearney

Reply to
Bill Kearney

Between this and your responses regarding lawyers it's clear you just don't know what the f*ck you're talking about.

Reply to
Bill Kearney

On Mon, 7 Aug 2006 10:26:07 -0400 Bill Kearney wrote:

|> With all due respect, such work-arounds aren't a real solution, just
|> bandaids, since they can't provide real robustness -- only hardware
|> checking can do that.
|
| Absolutes don't work. I've used devices with hardware checking and, as has
| been pointed out, the overhead to use them has generally caused two
| problems, performance and complexity of code. Either one is a killer.
| Good, fast, cheap... pick two.
|
| This isn't to say that devices with hardware involved in "protecting" memory
| aren't worthwhile. More that they're not the only solution. Good
| programming practices are still needed. It does little or no good to have a
| protected environment that can still be attacked and suffer performance loss
| because of bad programming. Good programming without hardware "help" is far
| more useful than shitty programming with hardware "help".

Exactly. If the programmer has access to a resource, he/she can give away that access at will ... or incompetence ... or just inattentive error.

Reply to
phil-news-nospam

Macworld today (18 August 2006) quotes Lynn Fox of Apple:

"Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is," Apple Director of Mac PR, Lynn Fox, told Macworld. "To the contrary, the SecureWorks demonstration used a third party USB 802.11 device -- not the 802.11 hardware in the Mac -- a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

The relevant SecureWorks page now contains the following:

"This video presentation at Black Hat demonstrates vulnerabilities found in wireless device drivers. Although an Apple MacBook was used as the demo platform, it was exploited through a third-party wireless device driver -- not the original wireless device driver that ships with the MacBook. As part of a responsible disclosure policy, we are not disclosing the name of the third-party wireless device driver until a patch is available."

At the time of the Black Hat conference (2 August 2006), Computerworld quoted Maynor thusly: "Apple is not the only vendor to have problems with its wireless drivers, said Maynor, who is a researcher at SecureWorks Inc."

So they won't disclose names now, but they apparently had no qualms about smearing Apple, by word and deed, when they had the eyes and ears of the technology press.

Reply to
Neill Massello
