How did Atheros get pulled in to Mac wireless-gate?

The Mac blogosphere has had a field day over the so-called "revelation" that Atheros has now come out and stated that researchers David Maynor, Jon Ellch and SecureWorks never contacted them about any security vulnerability. Some in the press have pointed to this revelation as "proof" that Maynor and Ellch are frauds. The only problem with this theory is that it is based on a fundamentally flawed assumption.
Written by George Ou, Contributor

[Updated 8/29/2006 11:00PM] The Mac blogosphere has had a field day over the so-called "revelation" that Atheros has now come out and stated that researchers David Maynor, Jon Ellch and SecureWorks never contacted them about any security vulnerability. Some in the press have pointed to this revelation as "proof" that Maynor and Ellch are frauds. Their entire line of reasoning is that Atheros makes the wireless chipsets used in all of the Intel-based Macs, and therefore any flaw in the Atheros drivers would have to be disclosed to Atheros.

The accusation of problems in native Apple MacBook drivers first appeared in Brian Krebs' blog. Brian wrote: "I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default Macbook drivers are indeed exploitable." Those who have been calling Maynor and Ellch frauds think they have found the smoking gun: that the Atheros revelation completely discredits Krebs' story. They claim the fact that Atheros never received word from Maynor and company about any flaw proves that either Brian Krebs got the story wrong or the information Krebs got from David Maynor is false. The only problem with this theory is that it is based on a wrong assumption, and no one in the media has pointed this out yet.

Atheros, as a chipset maker, sells chipsets to computer makers and wireless equipment vendors. Atheros typically provides the reference drivers for its clients, so if there is a driver problem with Apple's MacBooks it would surely be an Atheros issue, right? The answer is no. While Atheros writes Windows reference drivers, Atheros does NOT write Linux or FreeBSD drivers. Since Mac OS X is based on the FreeBSD userland*, which includes the FreeBSD drivers, Atheros does not [Update: Atheros does write a small part of the driver, but a big chunk of it is the FreeBSD code***] provide reference drivers to Apple. In order to get Atheros chipset support on Linux, you go to an organization called MADWiFi, which writes the open source drivers for Atheros chipsets on Linux. FreeBSD, on the other hand, writes its own Atheros drivers. So if there is a problem with the MacBook drivers, Atheros would have nothing to do with them, since they don't write the MacBook drivers.

So how did Atheros get involved in this in the first place, when it wasn't their mess to begin with? David Maynor and company never stated or even hinted that there was an Atheros issue, and no one ever reported any possible connection to Atheros**. Why would Atheros reach out to the media and pour gasoline on the fire of rampant speculation, and why would it coincide in timing with recent Apple PR statements to the media? Who is fueling this assault on David Maynor and SecureWorks?

* [Updated 1] I misused the word "kernel" in this blog and should have used "userland", but that has no bearing on the substance of this blog. To clarify: Mac OS X is based on the Mach 3.0 kernel and the FreeBSD userland (Apple refers to them as the FreeBSD services). The Mach 3.0 kernel is roughly 8 MB, while the FreeBSD userland in Mac OS X is a couple hundred megabytes. Portions of the FreeBSD "userland" code, such as the Atheros drivers in question, are loaded by the Mach kernel, which blurs the line between the userland and the kernel. This is why people refer to the drivers living in the kernel, but the actual driver code comes from the FreeBSD userland and not the Mach kernel. Since the issue at hand is the Atheros drivers, the Mach kernel is not pertinent to this discussion. Apple has additional information on this, and here is another good reference explaining Mac OS X.

** [Updated 2]: Some point out that this statement from David Maynor, made to Brian Krebs at the Black Hat convention, indicates that Maynor was the one who implicated Atheros: "These network cards are Atheros-based and allow you to do raw packet injection." This is simply not true, because "packet injection" refers to the attacker's wireless adapter and not the victim's wireless adapter. Atheros wireless adapters, along with MADWiFi drivers in Linux, are the instrument of choice for wireless penetration testers or hackers because of their ability to do raw packet injection. Maynor was not talking about Atheros as the victim's wireless adapter, since a remote exploit victim does not need the ability to do raw packet injection.

*** [Update 3 11:00PM 10/29/2006] I finally had a chance to speak with a team of people from Atheros to get verification on this issue. Since my source swears to me that Apple uses the FreeBSD driver code to support the Atheros wireless network card in all the newer Intel-based Macs, I had to get Atheros' verification of whether this is true. Right off the bat, and to my surprise, Atheros tells me they write the drivers and that it is not the FreeBSD code. I said wait: I've been told with certainty that these are the FreeBSD drivers written by Sam Leffler. Atheros went into a bit of history and explained that they had Sam Leffler as a contractor and initially financed the MADWiFi Linux driver and the FreeBSD drivers for Atheros wireless chipsets. Those drivers for Linux and FreeBSD took on a life of their own and are independent of Atheros today, and Sam Leffler is one of the primary contributors to both of those independent projects. But the Atheros driver for Mac OS X is written and supported by Atheros for their chipset client Apple, though it uses the same data and header structures as the FreeBSD drivers to maintain compatibility with the FreeBSD userland. So this is the end of it, right? Wrong.

I end the call and go back to my source, and I'm told again that the Mac uses the exact same driver code as the FreeBSD drivers. At this point I'm completely confused, because something is not adding up. Then I recall that Atheros had mentioned Sam Leffler as a contractor, which leads me to wonder if Leffler also writes the Mac-specific code for Atheros. The MADWiFi code on Linux and FreeBSD was primarily written by Sam Leffler, and both platforms had the same type of critical remote exploit that had to be patched. The Linux version was patched in November 2005 and the FreeBSD version was patched this January, but the exact same type of code that was vulnerable on Linux and FreeBSD still existed on the current Intel-based Mac. This reminds me that Apple PR spokesperson Lynn Fox told Brian Krebs that SecureWorks had in fact mentioned this issue to Apple before Black Hat, but that Apple was already aware of the issue and had determined there was no problem. Here is the snip from Brian Krebs' blog on 8/18/2006:

"Apple's Fox said that prior to the Black Hat demo, SecureWorks did contact Apple about a wireless flaw in FreeBSD, the open-source code upon which Apple's OS X operating system is based. In January, FreeBSD released a patch to fix the problem, which according to the accompanying advisory, related to a flaw in the way FreeBSD systems scanned for wireless networks that could be exploited to allow attackers to take complete control over the targeted machine.
I looked through the last eight months of patches from Apple and could not find any evidence that it also shipped an update to correct this flaw. Fox said she would check with Apple and get back to me. Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products.
'SecureWorks has not been able to exploit this for us,' Fox said. 'No one has been able to show us a way to exploit our internal [wireless] device drivers with that flaw.'"

I call Atheros back and leave a voicemail. Within 5 minutes, the same Atheros team calls me back, and I ask them the same question as earlier: does Mac OS X use the same code as FreeBSD, because I keep hearing it's byte-for-byte the same code. Atheros explains it in more detail this time and says that they are only responsible for the code up to the I/O Kit used for Mac drivers. So this explains that Atheros does write a portion of the drivers for the Intel-based Mac, but not the higher-layer drivers, which is the code that's identical to the FreeBSD code. I go on to ask who actually writes these drivers, and Atheros responds that a team of engineers does it. Since Atheros mentioned Sam Leffler was a contractor for Atheros, I asked Atheros if Sam was also on that team of engineers that writes the drivers up to the I/O Kit, and I am certain I heard a yes from one of the gentlemen from Atheros. But a few minutes later, when asked again for clarification on whether Sam Leffler was part of that engineering team, Atheros stated they couldn't answer that.

Since there is little doubt Sam Leffler is a prominent figure on the Atheros drivers for the Linux and FreeBSD platforms, and Atheros let it slip that he was on the driver engineering team for the lower-level Intel-based Mac drivers, what are the chances that he would be the lead programmer for that as well? If so, wouldn't it be logical that Leffler uses the same or a very similar type of code to write the lower-layer Intel-based Mac drivers? That Mac-specific code would have to be tightly coupled into Leffler's FreeBSD higher-layer driver code on the Intel-based Mac, and who better to write it?

So how does this whole Atheros driver issue tie into the flaming debate over whether a stock Intel-based Mac (all wireless models have Atheros wireless chipsets) is vulnerable or not? Apple's Lynn Fox has pretty much admitted to Brian Krebs that Apple had looked at this FreeBSD flaw (before Maynor went to them pre-Black Hat conference) and that "Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products". This would seem to corroborate my sources that there is identical FreeBSD driver code, or else why would Apple examine the FreeBSD issue? Apple's comments also indicate that Maynor and SecureWorks did in fact contact Apple about a flaw in a stock Apple Intel-based Mac, but these statements from Apple PR spokesperson Lynn Fox would seem to contradict Lynn Fox's earlier statements in the same Brian Krebs blog, where she states:

"Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is. To date, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship. Whatever they are claiming to have found, they haven't shared it with us."

Even though David Burke says that these are not necessarily contradictory statements, I'm not sure that the public will accept this kind of fine parsing of words on the part of Apple and Lynn Fox if it turns out that there really is a flaw in the stock Mac product and all this bashing of David Maynor is unwarranted. Since many in the Mac press, Mac blogosphere, and other websites (example 1, 2, 3) have used Fox's statements to "prove" that Maynor and SecureWorks were frauds, how would they explain themselves if it turns out Maynor really can show a wireless exploit on the stock wireless Intel-based Mac? They would either have to admit they interpreted it wrong, or they would have to blame Apple and Lynn Fox's misleading statements, even if Apple will try to split hairs on the word "evidence".

But Apple has already stated that they had determined that the FreeBSD wireless remote exploit flaw doesn't affect "any of the Mac products" before SecureWorks even contacted them about it. Since this was a critical flaw that needed to be patched on Linux and FreeBSD running on Intel-based PCs, how many people would wager that this isn't exploitable on the Intel-based Mac, which is also based on hundreds of megabytes of the FreeBSD userland code running identical driver code? If there is such an exploit on the Mac, how can Apple miss such an obvious issue? Is it possible that the exploit that runs on FreeBSD would only need to "mutate" slightly to affect the Mac product, and is it possible that Maynor found that mutation? We don't know, but sooner or later this information will have to come out one way or another, yet neither Apple nor Maynor is backing down. If David Maynor had actually made the whole stock Intel-based Mac wireless exploit up, he could have easily covered himself by distancing himself from Brian Krebs' blog, yet he's not doing this. Apple, on the other hand, is parsing their words carefully, though they seem to be feeding media speculation that Maynor's private demo to Brian Krebs of a stock Intel-based Mac wireless hack is a fraud. But sooner or later the truth will have to come out, and someone will have some explaining to do. If the disclosure of a vulnerability is imminent, will Apple try to offer an "update" that mitigates this issue without admitting it's a critical patch? If they do, it would be fairly obvious.
