Wi-Fi Exploit Precursor Published One Year Later
Security researcher David Maynor has published a long, technically detailed report in the online publication Uninformed, in which he describes how he accidentally came across and then learned to exploit a weakness in the Mac OS X 10.4.6 Wi-Fi drivers on an Intel-based MacBook in mid-2006.
Maynor and his colleague Jon “Johnny Cache” Ellch caused a furor in August 2006 when they appeared to reveal the weakness as a zero-day exploit – an exploit in which the details are known before a company is informed or a product patched – just before a presentation at the Black Hat security conference. You can read the history of the whole affair in “To the Maynor Born: Cache and Crash.”
Maynor alleges in passing here, and in public and private elsewhere, that his then-employer SecureWorks along with Apple’s press relations department prevented clarification of his and Ellch’s initial statements to the Washington Post’s Brian Krebs. This seems now, in part, due to the fact that they told Krebs more than they meant to, and then attempted to backpedal. This has never been fully clarified. From August 2006 to February 2007, statements of all sorts were made, recanted, decanted, partially explained, and fully obfuscated.
The report released by Maynor, described as the first of three, details the process by which he delved into Mac OS X’s innards to find precisely how to trigger the flaw and then deliver a payload, but it doesn’t describe or include code that would allow the replication of a remote exploit. That is apparently to come. (An interesting sidenote: Maynor found the flaw when his MacBook suffered a kernel panic while he was probing Wi-Fi adapters on non-Apple computers, an odd occurrence that caused him to investigate further.)
The steps are too technically involved for me to follow, and I hope that some other security researcher will install Mac OS X 10.4.6 on a clean MacBook or other vulnerable system, and attempt to replicate Maynor’s process. Maynor and Ellch have never provided publicly verifiable proof to an independent third party of this exploit, but there is also little reason to believe that they did not have such an exploit in hand. (Maynor provided demonstrations to some number of other individuals, but none of those people was allowed to or chose to describe what they saw in public.)
Maynor remains bogged down in proving that Apple PR misled the public and hung him out to dry. I’ve been unable to uncover any evidence of this, which isn’t proof that it doesn’t exist. By avoiding any public and verifiable proof of their exploit, Maynor and Ellch have relied on trust, which isn’t part of the usual methodology involved in security research.
Apple patched a number of wireless defects in September 2006, and this exploit apparently disappeared with it. Apple declined to credit Maynor and Ellch, stating that an internal security audit discovered the flaws. Email that Maynor displayed during a February 2007 presentation seemed to show that he had sent some information to Apple, which was acknowledged, but he was unable to show email messages that he alleges had the full proof of duplicity because his former employer wouldn’t allow him to (or, at least, he believed he didn’t have the right to show them).
John Gruber sums up this year-later disclosure quite admirably at Daring Fireball, as always: “A serious claim must be backed by proof of some sort. Maynor and Ellch’s claims last year were made with no proof other than a suspicious demonstration on video. That’s the root of every dispute and problem that followed.” (John also notes Maynor’s proud display of semi-automatic weapons in a photo on his current firm’s blog.)
I have watched Apple’s behavior closely since August 2006 to see how they would handle additional disclosures of severe flaws in Mac OS X that weren’t brought to the company before being announced to the general public (with or without the enabling details to exploit the flaw). In every case I’m aware of, Apple credited the source and generally quickly released patches, even with the Month of Apple Bugs that I wrote about in “MoAB is My Washpot” (2007-02-19).
One could argue that Apple has changed their tune, or, conversely, that they have been singing the same song all along. Without the details, I like to accept the melody, not the counterpoint, because my own experience with Apple, even when I vehemently disagree with their policies, design, or product choices, hasn’t led me to a circumstance in which I felt I was being lied to or misled, or where I later discovered a contradiction. In contrast, when I have reported problems with AirPort software, they have taken it seriously, and even made improvements (not based on my critique alone) in later products and firmware updates.
Maynor started his own consulting firm with partner Robert Graham several months ago called Errata Security. He and Graham have released several interesting programs which – through the revelation of poor security models in common systems and at popular Web sites – could improve overall individual privacy on the Internet. See “Sidejack Attack Jimmies Open Gmail, Other Services” (2007-08-27), for one example.
Others have accused Maynor and Ellch of various behaviors, including flat-out fabrication. I haven’t thought for months that either of them was anything but genuine. Which is why it makes it increasingly frustrating that they simply couldn’t prove with a real demonstration that what they have asserted is true, is true.