Apple patches Wi-Fi but refuses to give researchers credit

Summary: After all the controversy, it turns out that there really are critical vulnerabilities in Apple's Wi-Fi drivers that affect Intel and PowerPC based Macs described in three separate CVEs. After more than six weeks of Apple's spin that strongly implied there was no Wi-Fi vulnerability and six weeks of conspiracy theories that this whole thing was a fabricated stunt to garner attention for some fake security researchers, Apple released three critical patches before next week's Toorcon event where security researchers David Maynor and Jon Ellch are planning to release details on the Apple Wi-Fi exploit and more.

[UPDATE 9/25/2006: The word "due" was dropped from the title because it is now disputed by Apple.  Apple has issued a strong denial that anything useful was given to them and responded to this blog in detail.]

The controversy started around the original report from Brian Krebs "Hijacking a Macbook in 60 seconds" who reported from Black Hat 2006 on August 2nd about security researchers David Maynor and Jon Ellch.  The Mac press balked at Krebs' claim that this was a Macbook being hacked because the official demo given at Black Hat 2006 only pertained to third party drivers and hardware.  But Krebs stood his ground and clarified that he wasn't talking about the "official" on-the-record demo, but rather the private demo he got from David Maynor and even released a word-for-word audio transcript.  Krebs insisted that he witnessed a hack on a stock Macbook with no third party devices plugged in.

The story had gone dormant for 2 weeks until August 17, when an orchestrated* assault was launched against David Maynor and Jon Ellch accusing SecureWorks (the company David Maynor works for) of changing their story.  Jim Dalrymple of MacWorld called the research a misrepresentation and other IDG publications followed.  Blogger David Chartier even declared that "SecureWorks admits to falsifying MacBook wireless hack" and Digg amplified the bogus stories on a grand scale.  Frank Hayes of ComputerWorld even referred to Maynor and Ellch as "quack hackers" (Frank Hayes is an honorable man and apologized).  The problem is that none of these publications did any basic research because SecureWorks NEVER changed their story, never misrepresented, and never admitted falsifying the MacBook wireless hack.  The original video had clearly stated within the first 20 seconds that the demo pertained to third party drivers and hardware yet we have not seen a single correction from any of these publications.

As a result of the faulty reporting, tens of thousands of websites have declared Maynor and Ellch as frauds.  Some conspiracy websites even popped up and claimed the original SecureWorks video demo was a "magic show".  Anyone who defended Maynor and Ellch in the media was equally attacked by these fanatics.  The list of defenders was thin and included myself, Brian Krebs, and Rich Mogull.  I provided one of the most vigorous defenses of Maynor and Ellch and received a ton of heat over it.  A blog site dedicated to attacking Brian Krebs was created and one of the more vulgar Mac blogs refers to me as the security b****.   Even with the confirmation of the Apple Wi-Fi exploit, these sites continue their attack.

Apple was very careful to spin the news Thursday when they spoke to reporters about the patch.  According to CNET reporter Joris Evers "Apple's security patches are not related to the Black Hat presentation, a company representative told CNET News.com on Thursday".  Many of the critics have taken this to mean that these patches aren't the ones Maynor revealed to Brian Krebs at Black Hat and that it doesn't vindicate them.  But if we examine the comments from Apple closely, it's technically a true statement because the official demo given at Black Hat pertained specifically to third party hardware and drivers, but it has nothing to do with whether SecureWorks and David Maynor informed Apple of a vulnerability or not.

When pushed to clarify the issue, Apple would only say to Joris Evers "In August, SecureWorks approached Apple with a potential flaw that they felt could affect wireless drivers on Macs ...  They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit".  I approached Apple to clarify the issue and asked the following questions regardless of what Apple defined as "evidence".

  • Did SecureWorks ever disclose any Wi-Fi vulnerabilities to Apple?
  • Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?
  • Did SecureWorks ever provide driver disassemblies pertaining to said Wi-Fi vulnerabilities?
  • Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?
  • Did SecureWorks ever point to the location of the vulnerable code of said Wi-Fi vulnerabilities?
  • Do any of the current patches released by Apple match any of the characteristics of the information provided by SecureWorks?

So far, I have yet to receive any reply from Apple.  These questions are critical because any competent researcher or engineer would be able to replicate an attack if given all of the above information and even the packet captures alone should have been enough.  When I had previously contacted Apple's Lynn Fox, she would only vaguely answer my questions but refused to say anything on the record.  Furthermore, Apple is playing this off as a "preemptive" effort to strengthen Apple's wireless drivers "found internally" with no credit given to SecureWorks, Maynor, or Ellch.  But the timing of this patch release is awfully coincidental with next week's Toorcon event.

Speaking of Apple driver vulnerabilities, I had accurately pinpointed the driver issue last month when I reported on Atheros' non-role in this whole affair.  As I stated, Atheros was not responsible for this issue since the flaw exists above the I/O Kit in the upper-layer driver code of Mac OS X, which is identical to the code in FreeBSD.  A critical, remotely exploitable flaw in that FreeBSD wireless code was found back in November 2005 and an official CVE was issued in January.  One critic (the one who called the SecureWorks video demo a "magic show") claimed this was preposterous because the MacBook Pro was shipped in February 2006 and surely Apple would have patched something that was known for three months.  Apple spokesperson Lynn Fox went as far as denying any risk with the FreeBSD vulnerability to Brian Krebs.

"Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products"

Now this statement has come back to haunt Apple.  Ironically, I had accidentally stumbled upon this when I asked Maynor and Ellch in my video interview if the Wi-Fi vulnerability was anything "like" the FreeBSD hack back in January.  I could have sworn I got a funny reaction from Maynor and Ellch but I figured they only reacted that way because not many people knew about the FreeBSD flaw.  Little did I know at the time that I had actually stumbled upon the truth and that the Apple Wi-Fi flaw was EXACTLY like the FreeBSD flaw because it's all the same code.
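To show what a driver-layer flaw of this kind looks like and why a patch described as "performing additional validation of wireless frames" closes it, here is an added example. It is hypothetical code written for this page, not code from Apple, FreeBSD or SecureWorks, and it makes no claim about which field the actual patches corrected. It walks the information elements (IEs) of an 802.11 beacon or probe-response body, where each element is a type byte, a length byte and a body. The weak parser believes the length byte without checking it against the bytes actually present or against the destination buffer, which is the textbook driver bug class; the checked parser beside it refuses truncated and oversized elements before copying anything. The scan-cache layout, the function names and the sample frames are all assumptions constructed for the example.

```c
/* Added example, hypothetical code: not Apple's, FreeBSD's or SecureWorks',
 * and no claim about which field the real patches touched. Walks the
 * information elements (IEs) of an 802.11 beacon/probe-response body. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID    0
#define SSID_MAX   32    /* 802.11 limits the SSID to 32 octets */
#define ENTRY_SIZE 128   /* assumed scan-cache record: ssid[0..31], then other fields */
#define CANARY     0xA5

/* Scan-cache record as one flat buffer: SSID first, then bytes standing in for
 * whatever a driver keeps next to it. A canary makes an overrun observable. */
struct scan_entry { uint8_t buf[ENTRY_SIZE]; };

static void entry_init(struct scan_entry *e) {
    memset(e->buf, 0, SSID_MAX);
    memset(e->buf + SSID_MAX, CANARY, ENTRY_SIZE - SSID_MAX);
}

/* 1 if the fields after the SSID are untouched, 0 if a copy ran over them. */
int entry_intact(const struct scan_entry *e) {
    for (size_t i = SSID_MAX; i < ENTRY_SIZE; i++)
        if (e->buf[i] != CANARY) return 0;
    return 1;
}

/* Weak parse: believes the element length byte and never compares it with the
 * destination, so an SSID longer than 32 bytes writes past the SSID field. */
int parse_ies_weak(const uint8_t *ies, size_t n, struct scan_entry *e) {
    int count = 0;
    for (size_t off = 0; off + 2 <= n; count++) {
        uint8_t id = ies[off], len = ies[off + 1];
        if (id == IE_SSID) memcpy(e->buf, ies + off + 2, len);   /* no bound on len */
        off += 2 + len;
    }
    return count;
}

/* Checked parse: each length is tested against the bytes actually present and
 * against the destination before anything is copied. Returns the element
 * count, or -1 on the first malformed element with e left untouched. */
int parse_ies_checked(const uint8_t *ies, size_t n, struct scan_entry *e) {
    uint8_t ssid[SSID_MAX];
    size_t ssid_len = 0;
    int count = 0, have_ssid = 0;
    for (size_t off = 0; off < n; count++) {
        if (n - off < 2) return -1;          /* element header truncated */
        uint8_t id = ies[off], len = ies[off + 1];
        if (len > n - off - 2) return -1;    /* body runs past the frame end */
        if (id == IE_SSID) {
            if (len > SSID_MAX) return -1;   /* would overrun the SSID field */
            memcpy(ssid, ies + off + 2, len);
            ssid_len = len; have_ssid = 1;
        }
        off += 2 + len;
    }
    if (have_ssid) memcpy(e->buf, ssid, ssid_len);
    return count;
}

/* Constructed sample frame bodies, not captured traffic. */
static const uint8_t GOOD_IES[] = {
    0x00, 0x04, 'h', 'o', 'm', 'e',   /* SSID "home" */
    0x01, 0x02, 0x82, 0x84,           /* supported rates */
    0x03, 0x01, 0x06 };               /* DS parameter set: channel 6 */
static const uint8_t TRUNCATED_IES[] = { 0x00, 0x04, 'h', 'o' };  /* claims 4 bytes, carries 2 */

/* SSID element claiming `len` bytes with all of them present, so the only
 * possible overrun is on the destination side. Returns bytes written. */
size_t build_long_ssid(uint8_t *out, size_t cap, uint8_t len) {
    if ((size_t)len + 2 > cap) return 0;
    out[0] = IE_SSID; out[1] = len;
    memset(out + 2, 'A', len);
    return (size_t)len + 2;
}

/* Scenario helpers: each returns 1 when the parser behaved as described. */
int demo_good_frame(void) {
    struct scan_entry e; entry_init(&e);
    return parse_ies_checked(GOOD_IES, sizeof GOOD_IES, &e) == 3
        && memcmp(e.buf, "home", 4) == 0 && entry_intact(&e);
}
int demo_weak_overruns(void) {
    uint8_t f[128]; struct scan_entry e; entry_init(&e);
    size_t n = build_long_ssid(f, sizeof f, 80);
    return parse_ies_weak(f, n, &e) == 1 && !entry_intact(&e);
}
int demo_checked_rejects_long(void) {
    uint8_t f[128]; struct scan_entry e; entry_init(&e);
    size_t n = build_long_ssid(f, sizeof f, 80);
    return parse_ies_checked(f, n, &e) == -1 && entry_intact(&e);
}
int demo_checked_rejects_truncated(void) {
    struct scan_entry e; entry_init(&e);
    return parse_ies_checked(TRUNCATED_IES, sizeof TRUNCATED_IES, &e) == -1;
}

int main(void) {
    printf("good:%d weak_overrun:%d long_rejected:%d truncated_rejected:%d\n",
           demo_good_frame(), demo_weak_overruns(),
           demo_checked_rejects_long(), demo_checked_rejects_truncated());
    return 0;
}
```

Compile with any C99 compiler and run; the canary bytes after the 32-byte SSID field make the weak parser's overrun visible without waiting for a crash, which is also why a flaw like this can sit in shipped driver code for months before anyone notices it. The checked version does its two comparisons (length against bytes remaining in the frame, length against the destination) before the copy, which is the whole of what "validating" a frame means at this layer.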

So where do we go from here?  Next week at the Toorcon security conference, Maynor and Ellch will present their findings on Apple to settle this once and for all.  I'll be there to cover the event and ask questions.  If anyone in the audience wants to ask Maynor and Ellch any questions but can't attend Toorcon, please post them in the talkback below and I'll try to get them answered for you.  I will be posting video of the interview.

* People are still demanding that I provide proof of an "orchestrated" assault.  I had originally stated that I would release the details within days but I could not get authorization from the source.  SecureWorks PR had promised to release an FAQ over a month ago but they haven't delivered anything and they seemed content to not rock the boat and allow the vicious attacks on Maynor and Ellch to go unanswered.  This information will be released next week at Toorcon as well.

Talkback

233 comments
  • thanks for following up on this

    I was wondering what happened after Apple accused the researchers of falsifying the story. This episode clearly brings out Apple's true colors.
    zzz1234567890
    • When did that happen?

      Apple never accused anyone of falsifying anything. Apple simply
      stated that no one had demonstrated a specific flaw, with
      specific code, to them. Just as simple, they stated that no exploit
      exists to the flaws they claim to have discovered in an internal
      audit.

      That would seem to make Maynor and Ellch liars, but next week
      will be the proof. Then we will find out if the patches Apple
      released match those of Maynor and Ellch's alleged "hack".

      I, for one, remain convinced we will never get the whole truth,
      and nothing but the truth, from Maynor and Ellch.
      1macgeek
      • Much Ado About Nothing

        This is tedious.
        Let it go George.
        Next topic.
        D T Schmitz
    • learn to read

      Based on their reading comprehension, you wonder if these
      windiots have virus infection in their brain.
      wacho
  • Still a Hoax

    The simple fact is this "hack" has not been demonstrated on a
    stock MacBook of which Maynor and Ellch DO NOT HAVE
    PHYSICAL CONTROL. Maynor and Ellch claim they will tell all at
    ToorCon next week. Great! I welcome it, but I also propose a
    challenge :

    12 stock MacBooks are given to people in the front row, and
    before they say a word, Maynor and Ellch will repeat their video
    demonstration but live with the 12 MacBooks, one right after the
    other.

    What do they have to lose? If Maynor and Ellch are right, there is
    no harm because Apple has already released the patch, right? It's
    no longer irresponsible for them to release details, right?

    If Maynor and Ellch are correct, it should be child's play for them
    to take control of the MacBooks just like in the video
    demonstration. So how about it, George - Will you ask ZDNet to
    pony up a MacBook so Maynor and Ellch can offer up proof for
    us unwashed, illiterate, stupid masses?

    If you truly believe Maynor and Ellch it is not too much to ask.
    1macgeek
  • Same old claims, still no evidence

    Apple's got a patch out, shouldn't you be able to release all that secret information by now?

    ---After more than six weeks of Apple's spin that strongly implied there was no Wi-Fi vulnerability and six weeks of conspiracy theories that this whole thing was a fabricated stunt to garner attention for some fake security researchers---

    Sigh. Please reference anywhere Apple claimed there were no vulnerabilities. What they said was there were no known exploits, and that's still true.

    ---Krebs insisted that he witnessed a hack on a stock Macbook with no third party devices plugged in.---

    And still, 6 weeks later, no evidence has ever been given for this claim.

    ---The story had gone dormant and until August 17 when an orchestrated* assault launched against David Maynor and Jon Ellch that SecureWorks (company David Maynor works for) changed the story. ---

    More claims with nothing to back them up. At least now you've named names, where's the smoking gun you promised us?

    ---The problem is that none of these publications did any basic research because SecureWorks NEVER changed their story, never misrepresented, and never admitted falsifying the MacBook wireless hack.---

    I thought the problem was that SecureWorks never proved what they claimed, a hack that lets you take over a stock MacBook in 60 seconds.

    ---Furthermore, Apple is playing this off as a "preemptive" effort to strengthen Apple's wireless drivers "found internally" with no credit given to SecureWorks, Maynor, or Ellch.---

    Why give them credit if they didn't supply any information?

    ---As I stated, Atheros was not responsible for this issue since the flaw exists above the I/O kit in the upper-layer driver code of Mac OS X which is identical to the code in FreeBSD---

    Technical question: why are there separate patches for machines that have Atheros cards and drivers and older machines with cards and drivers from a different manufacturer?

    ---Next week at the Toorcon security conference, Maynor and Ellch will present their findings on Apple to settle this once and for all. ---

    That sure would be nice. I'm betting we get more evasion, but we'll have to wait and see. Why all the evasion and delays from SecureWorks? Could it have something to do with the company being bought? Could the whole thing been a bad attempt at promotion for Maynor and Ellch's new book on Wifi Hacking?

    Will we ever get to know the truth?
    tic swayback
  • Egad, reading this talkback only proves...

    ...that the title of Cleopatra belongs to the Mac addicts. I have never seen such hemming and hawing trying to protect their favorite OS from unfavorable comment.

    Here's something to try now ... just wait until next week and THEN make your defense. It is kind of hard to defend something you haven't seen (or won't look at) unless you are being deliberately obtuse.

    Then all bets are off and a genuine discussion of the actual demonstration can begin. Until then, it is nothing but name calling, sticking out tongues, and "I know you are but what am I?"
    Confused by religion
    • Cleopatra?

      Sorry, I'm missing your historical reference. Was Cleopatra known for "hemming and hawing"?

      As for your suggestions, isn't the burden of proof on those who make the accusation? If we should wait until SecureWorks makes their announcement that provides definitive proof, shouldn't those making claims about exploits do the same?

      Aren't the Mac users here just asking for proof and the truth, while others are making unfounded claims and refusing to back them up?
      tic swayback
      • Yes, burden on the accuser...

        And right now the implication is and has been for weeks that Maynor and SecureWorks are liars and fraudsters, so I suggest if you want to start with the accusers providing some proof we start with Apple coming clean about what information SecureWorks gave them when they contacted Apple in regard to the Blackhat exploits. Apple claims although the information they were given inspired them to do an internal audit in which they discovered airport card flaws, those flaws they found are totally unrelated to the exploit Maynor told Krebs existed in the stock Apple drivers. Is that what they are asking us to believe? Because so far it is not what they are saying! Apple is only claiming the patch isn't related to the Blackhat demonstration, and of course not, that was third party hardware/drivers, and they are saying that it applies to no known exploits, which is also a safe call if Apple simply refuses to count a Blackhat type exploit on the stock drivers as a "known exploit". So let's get it straight where a lot of the accusations are coming from.
        Cayble
        • Backwards again

          Actually, SecureWorks should be able to very easily produce any correspondence they may have had with Apple. They also should be able to produce time-stamped code, dumps, and details of the exploit that they allegedly found.

          You're asking Apple to prove a negative, that SecureWorks provided them no actionable information about an exploit. SecureWorks should instead be challenged to prove the positive.

          Try this: Prove that I've sent you no email accusing you of ignoring this TalkBack.
          Robert Crocker
          • Let me know the name of your solicitor...

            I will have my lawyer contact him and deliver the appropriate affidavits sworn by myself and an independent auditor who will review my email records showing I have received no such email. Additionally I will swear I have not altered any such records in any way that would eliminate or avoid evidence of you having sent me such an email.

            Lame question. I guess you have never studied law. It would be very simple for Apple to just admit what they did receive from SecureWorks and that would at least indicate if what they were supplied by SecureWorks was indeed enough for a coder to identify an exploit if one exists.
            Cayble
          • Why only hold Apple to this standard?

            Funny, neither SecureWorks nor George has offered any evidence to back up their statements. Yet you seem to let them off the hook from having to provide it, while you demand it from Apple, the accused party here. I find that odd.
            tic swayback
        • Simple question

          Who threw the first stone? Who made the original claim? That's your accuser, and that's who has to provide evidence to be considered believable.
          tic swayback
        • Baloney

          Maynor, Cache, Ou, and Krebs are the ones claiming that they can hack a Mac without third party stuff. Mac fans have been asking them to put up or shut up. Since they made the claim, they have the burden of proof.

          Furthermore, we're still waiting for evidence of this 'orchestrated series of attacks' and that Apple squashed the evidence.

          Perhaps if you conspiracy people ever come up with any facts to support your silly claims, then it might be possible for Mac fans to discuss them. Until then, there's nothing but baseless claims.
          jragosta
      • The reference to Cleopatra is about ....

        ... you being in a state of deNILE!
        ShadeTree
        • Thank you!

          I was wondering about that, as it was tied to "hemming and hawing" and that never struck me as something Cleopatra was known for.
          tic swayback
  • Why don't you ask SecureWorks?

    You can find out from your pals at SecureWorks what they say they provided. Do you mean they haven't told you already? Didn't you sign the NDA and get the super-secret inside info?

    Here is my attempt to keep you on track, as usual:

    1) CVE-2006-3507 doesn't affect the MacBook.
    2) CVE-2006-3509 depends on third party software.
    3) CVE-2006-3508 is what you will concentrate on. According to Apple it tries to improve security by "performing additional validation of wireless frames", which is done in the LOWER driver layers. This fits their claim that they had no direction from SecureWorks.

    So, as far as you know, Maynor and Ellch are not due any credit. As far as you know, they never had any exploit for a stock MacBook.

    Sadly, what good they might have provided was their original message that wireless drivers are vulnerable in general, on many platforms. This message was completely lost when Maynor claimed an exploit that he didn't have.
    GW Mahoney
    • Double Standard

      Funny how it's suspicious when Apple doesn't answer George's questions, but it's perfectly okay when SecureWorks refuses to comment.
      tic swayback
      • SecureWorks did comment to me

        I already know their side. I want to hear what Apple has to say since they're spinning it in such a dubious way that implies the researchers get no credit.
        georgeou
        • What did they say?

          Well, they had no comment in the main ZDNet article, what did they say to you? What's their side of the story? Or is that more "secret" information?
          tic swayback