Apple patches Wi-Fi but refuses to give researchers credit

After all the controversy, it turns out that there really are critical vulnerabilities in Apple's Wi-Fi drivers that affect Intel and PowerPC based Macs, described in three separate CVEs. After more than six weeks of Apple's spin that strongly implied there was no Wi-Fi vulnerability and six weeks of conspiracy theories that this whole thing was a fabricated stunt to garner attention for some fake security researchers, Apple released three critical patches before next week's Toorcon event, where security researchers David Maynor and Jon Ellch are planning to release details on the Apple Wi-Fi exploit and more.

[UPDATE 9/25/2006: The word "due" was dropped from the title because it is now disputed by Apple.  Apple has issued a strong denial that anything useful was given to them and responded to this blog in detail.]

The controversy started around the original report from Brian Krebs "Hijacking a Macbook in 60 seconds" who reported from Black Hat 2006 on August 2nd about security researchers David Maynor and Jon Ellch.  The Mac press balked at Krebs' claim that this was a Macbook being hacked because the official demo given at Black Hat 2006 only pertained to third party drivers and hardware.  But Krebs stood his ground and clarified that he wasn't talking about the "official" on-the-record demo, but rather the private demo he got from David Maynor and even released a word-for-word audio transcript.  Krebs insisted that he witnessed a hack on a stock Macbook with no third party devices plugged in.

The story had gone dormant for two weeks until August 17, when an orchestrated* assault was launched against David Maynor and Jon Ellch that accused SecureWorks (the company David Maynor works for) of changing their story. Jim Dalrymple of MacWorld called the research a misrepresentation and other IDG publications followed. Blogger David Chartier even declared that "SecureWorks admits to falsifying MacBook wireless hack" and Digg amplified the bogus stories on a grand scale. Frank Hayes of ComputerWorld even referred to Maynor and Ellch as "quack hackers" (Frank Hayes is an honorable man and apologized). The problem is that none of these publications did any basic research, because SecureWorks NEVER changed their story, never misrepresented anything, and never admitted falsifying the MacBook wireless hack. The original video had clearly stated within the first 20 seconds that the demo pertained to third-party drivers and hardware, yet we have not seen a single correction from any of these publications.

As a result of the faulty reporting, tens of thousands of websites have declared Maynor and Ellch as frauds.  Some conspiracy websites even popped up and claimed the original SecureWorks video demo was a "magic show".  Anyone who defended Maynor and Ellch in the media was equally attacked by these fanatics.  The list of defenders was thin and included myself, Brian Krebs, and Rich Mogull.  I provided one of the most vigorous defenses of Maynor and Ellch and received a ton of heat over it.  A blog site dedicated to attacking Brian Krebs was created and one of the more vulgar Mac blogs refers to me as the security b****.   Even with the confirmation of the Apple Wi-Fi exploit, these sites continue their attack.

Apple was very careful to spin the news Thursday when they spoke to reporters about the patch. According to CNET reporter Joris Evers, "Apple's security patches are not related to the Black Hat presentation, a company representative told CNET News.com on Thursday". Many of the critics have taken this to mean that these patches aren't the ones Maynor revealed to Brian Krebs at Black Hat and that it doesn't vindicate them. But if we examine the comments from Apple closely, it's technically a true statement because the official demo given at Black Hat pertained specifically to third-party hardware and drivers, but it has nothing to do with whether SecureWorks and David Maynor informed Apple of a vulnerability or not.

When pushed to clarify the issue, Apple would only say to Joris Evers "In August, SecureWorks approached Apple with a potential flaw that they felt could affect wireless drivers on Macs ...  They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit".  I approached Apple to clarify the issue and asked the following questions regardless of what Apple defined as "evidence".

  • Did SecureWorks ever disclose any Wi-Fi vulnerabilities to Apple?
  • Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?
  • Did SecureWorks ever provide driver disassemblies pertaining to said Wi-Fi vulnerabilities?
  • Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?
  • Did SecureWorks ever point to the location of the vulnerable code of said Wi-Fi vulnerabilities?
  • Do any of the current patches released by Apple match any of the characteristics of the information provided by SecureWorks?

So far, I have yet to receive any reply from Apple.  These questions are critical because any competent researcher or engineer would be able to replicate an attack if given all of the above information and even the packet captures alone should have been enough.  When I had previously contacted Apple's Lynn Fox, she would only vaguely answer my questions but refused to say anything on the record.  Furthermore, Apple is playing this off as a "preemptive" effort to strengthen Apple's wireless drivers "found internally" with no credit given to SecureWorks, Maynor, or Ellch.  But the timing of this patch release is awfully coincidental with next week's Toorcon event.

Speaking of Apple driver vulnerabilities, I had accurately pinpointed the driver issue last month when I reported on Atheros' non-role in this whole affair. As I stated, Atheros was not responsible for this issue since the flaw exists above the I/O Kit, in the upper-layer driver code of Mac OS X, which is identical to the code in FreeBSD. A critical, remotely exploitable FreeBSD flaw was found back in November 2005 and an official CVE was issued in January. One critic (the one who called the SecureWorks video demo a "magic show") claimed this was preposterous because the MacBook Pro shipped in February 2006 and surely Apple would have patched something that had been known for three months. Apple spokesperson Lynn Fox went as far as denying to Brian Krebs that there was any risk from the FreeBSD vulnerability.

"Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products"

Now this statement has come back to haunt Apple.  Ironically, I had accidentally stumbled upon this when I asked Maynor and Ellch in my video interview if the Wi-Fi vulnerability was anything "like" the FreeBSD hack back in January.  I could have sworn I got a funny reaction from Maynor and Ellch but I figured they only reacted that way because not many people knew about the FreeBSD flaw.  Little did I know at the time that I had actually stumbled upon the truth and that the Apple Wi-Fi flaw was EXACTLY like the FreeBSD flaw because it's all the same code.

So where do we go from here?  Next week at the Toorcon security conference, Maynor and Ellch will present their findings on Apple to settle this once and for all.  I'll be there to cover the event and ask questions.  If anyone in the audience wants to ask Maynor and Ellch any questions but can't attend Toorcon, please post them in the talkback below and I'll try to get them answered for you.  I will be posting video of the interview.

* People are still demanding that I provide proof of an "orchestrated" assault.  I had originally stated that I would release the details within days but I could not get authorization from the source.  SecureWorks PR had promised to release an FAQ over a month ago but they haven't delivered anything and they seemed content to not rock the boat and allow the vicious attacks on Maynor and Ellch to go unanswered.  This information will be released next week at Toorcon as well.