Apple public relations director Lynn Fox says that the Wi-Fi exploit demonstrated by David Maynor and Jon Ellch two weeks ago in a video shown at the Black Hat 2006 conference does not represent a flaw in Apple’s software or device firmware (see “Wireless Driver Hack Could Target Macs and Windows”, 07-Aug-06). Apple told Macworld and many other media outlets that the demonstrated exploit uses a third-party wireless driver for a Wi-Fi USB adapter. Neither the driver nor the chips are the same as those used by Apple in Mac OS X on a MacBook.
Further, Fox said that Apple has received neither code nor a demonstration that shows a flaw in shipping hardware and software. The researchers have changed the message on the page at SecureWorks, the consulting site at which they provide services, to clarify that Apple code wasn’t involved in their demonstration. Chipmaker Atheros also issued a statement – to Brian Krebs at Security Fix – that their products apparently aren’t at risk, either, based on what they knew at the time that they issued that statement.
The two researchers who presented the hack say that a flaw in the way wireless drivers from several manufacturers hand off data to the operating system can be exploited to make a machine execute arbitrary code. That arbitrary code could then give an attacker root, or system ownership, access to the computer. In July, Intel released a patch for their Centrino Wi-Fi adapters found in laptops from many manufacturers that fixes such a problem, although Maynor and Ellch said that this fix wasn’t a result of their work.
With that level of access, a cracker could install “bot” software that’s used to turn affected computers into remotely activated warriors in the spam or denial-of-service wars. Bots are now considered the biggest single problem on the Internet because millions of computers can be activated, like sleeper cells, whenever an attack is desired.
A small firestorm of responses has appeared since Apple’s denial, hinging on two factors: some writers and bloggers have been presented with information by Maynor and Ellch that is not yet in the public sphere of knowledge, and Apple’s denial of the exploit is extremely carefully crafted.
My take at the moment is that it’s highly possible that Maynor and Ellch have found a security flaw in the built-in MacBook and MacBook Pro Wi-Fi drivers that, at the point that Apple made their statement about not seeing any “evidence” of an exploit, they had not yet presented to Apple. In this scenario, Maynor and Ellch accidentally provided details to Brian Krebs before they meant to, and are remaining mum until Apple responds. We’ll see.
You can read many takes on this subject: George Ou at ZDNet (who has received private information), John Gruber at Daring Fireball (who has not), security expert Rich Mogull’s personal blog (details have been disclosed to him), Wi-Fi expert Jim Thompson (who tears the exploit apart limb by limb, fingernail by fingernail) and John Moltz at Crazy Apple Rumors Site (who makes stuff up).