A potentially serious exploit of Mac OS X’s wireless networking hardware drivers has had a very limited demonstration. The exploit, which apparently relies on a flaw at the lowest level of the drivers’ interaction with Mac OS X’s kernel, has not yet been independently confirmed, nor has Apple released a statement on the matter. The flaw, if proven, could allow an attacker to gain root access privileges via Wi-Fi.
Researchers Jon Ellch and David Maynor found the flaw in Apple’s Intel-based Macs running Mac OS X and in PCs running Windows XP using certain Wi-Fi adapters, and presented their findings at the Black Hat USA 2006 Briefings last week. They declined to show the exploit live to avoid giving out details that could be turned into a security threat in the wild.
The researchers maintain that the flaw can affect any Wi-Fi equipped computer as noted above, regardless of whether the computer is actively connected or connecting to a network, and the exploit does not involve a rogue access point – one that attempts to fake an identity to get a connection from a client.
The videotape that the researchers showed didn’t demonstrate that. The researchers connected what appears to be a covered-up USB device to a MacBook, which is then connected to a network running on a Linux computer. They then show files being manipulated on the desktop but no other attack being carried out.
There is lively discussion at the Washington Post’s Security Fix blog about whether this is just a rigged demo or a real event, although beware the personal abuse directed at the blog’s writer, Brian Krebs. (Many are taking this attack against a MacBook personally. Surprise, surprise.)
According to two experts TidBITS has heard from, the videotape is inconclusive and could be either a staged stunt or a real exploit. Jim Thompson, a veteran Wi-Fi engineer and security expert, is dubious, and he explains why in great technical detail. Security expert Rich Mogull, research vice president at Gartner, said that the exploit is credible and that it’s possible that similar exploits on multiple platforms developed independently are already in the wild. Mogull has seen reports that a similar exploit may have been used at a recent conference that he declined to identify for security reasons. The researchers who presented at Black Hat are taking significant precautions to prevent their particular research from getting out of their grasp, he said.
Lending credence to this potential flaw was the release by Intel in July of driver updates for three of their Centrino wireless products. Notes for the release label the patch for their oldest adapter (an 802.11b-only model) as having an exploit that could allow a “malformed frame,” a packet-like chunk, to allow a hacker to gain control of a machine. Two newer adapters seem to have a severe, but less frightening flaw. Mogull said that these Intel patches show that this kind of exploit is not an unknown issue.
As noted, there is no confirmation of this exploit from anyone who has seen the actual attack carried out in person, no separate validation of the attack from third parties using different equipment and the same approach, and no public response from Apple, Intel, or Microsoft, despite the firmware patches from Intel. There is also no identified attack of this sort in the wild.
At the moment, our suggestion is not to worry. The likelihood of this flaw being exposed, becoming widespread, and threatening your particular machine over the period of time it might take Apple to issue a patch is extremely remote. The exploit also appears to be limited to Intel-based computers at the moment, making it even less of a concern for many Mac users.
We’ll update this story as details become available, but if Apple releases a security update that describes a fix for a malformed frame and you travel around with your MacBook or MacBook Pro, you should consider installing it as soon as is practical.