IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

Mac exploit explodes again (and TSA toons)

Ohhh yes, it's IT Blogwatch, in which Black Hat Mac Wi-Fi bug demo-maker Johnny Cache breaks cover. Not to mention Schneier's favorite airport security cartoons...

L'Inq's Nick Farrell sums it up:

HACKER John Ellche, known in the Black Hat world as Johnny Cache, has opened a can of worms by telling the world about an Apple Wi-Fi exploit at the Black Hat and DEFCON convention last month. Ellch and co-presenter Dave Maynor went silent after the announcement and the Apple fanboys, who don't like the concept of their favourite machines having security holes, have had a field day dismissing the pair's claims as a hoax.

Ellch seems to have a gutsful of his credibility being questioned by religious loonies who base their point of view of faith in Steve Jobs rather than anything technical and has started to explain why everything went quiet.
...
In a cunning plan to avoid the black helicopters from Snapple's legal department, Ellch talks about the same exploit from the point of view of an Intel machine. Unlike Apple, the problem has been patched by Intel for a while now.

Joe Barr spotted Johnny's post:

Ellch finally broke the silence in an email to the Daily Dave security mailing list over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed over the two of them.
...
Ellch then breaks down the elements of the vulnerability and possible exploits ... notes that a crash caused this way doesn't guarantee a successful exploit ... responded to criticisms that he and Maynor have simply been "playing the media" instead of reporting an actual vulnerability and exploit

Ellch's posts start here:

As everyone has noticed by now, we haven't said anything in public about this attack yet. There are two reasons.

  1. Secureworks absolutely insists on being exceedingly responsible and doesn't want to release any details about anything until Apple issues a patch.
    ...
  2. Responding to mac bloggers isn't my idea of a good time. Nothing I could say would ever convince them.

Why am I switching the subject from Apple's bug to Intel's? Because it's patched, and Secureworks has no influence over what I say regarding this one. So how does it work? There is a race condition inside the Centrino driver. Unlike most straightforward ring0 exploits out there, this one is intimately related to timing.
...
Of all the comments I see, the ones that 'we played the media' make the least sense. Have you ever seen me in the news before? No. Have I ever talked to a reporter before? No. Am I doing a very good job of winning this PR smear campaign Lynn Fox ignited? No. If I was so deft at manipulating the media, would I be explaining myself on dailydave praying that a few technically competent people will actually get it?

[For more, check out the thread view -- start from the bottom]

Alan LeMaster:

The hubbub over the Mac wireless drivers ring0 exploit refuses to settle. Everyone seems to hate Johnny Cache because either 1) MacOSX is divinely inspired and perfect in every way, and there could not possibly be anything wrong with it (even though Intel Centrino drivers got already patched for a vulnerability in Win32), or 2) he's an attention whore that is using this for his own personal gain (even though he's been assaulted by Apple lawyers and can't talk about the case). Amazing.

Occasionally I forget why I stopped trying to become a "hacker" 3 years ago. It is things like this that remind me.

Slashdotters discuss:

mellon: The way these things work is that when someone hacks your hardware, you get an injunction to stop them from talking about it. If they talk about it, they go to jail for contempt of court ... you might get the very strong impression that he's under an injunction of this type. It's always fun to look for bad guys in situations like this, but both Apple and Mr. "Cache" here are wearing white hats.

rbannon: I still don't see him coming clean on this one. Or maybe, like he says, people like me won't understand it anyway. In any case, I think he's really not being forthcoming with respect to what the hack entails, and maybe that's due to Apple's aggressive lawyers.

eggboard: No one sensible, including myself (over at wifinetnews.com) has asked for the code. Rather, we've asked for Maynor and Ellch to either state that they misled Brian Krebs, that Apple lied when they stated the company wasn't presented with credible evidence, or that they have material that Krebs saw and Apple hadn't seen yet.

Cid Highwind: Is the exploit real? Who knows, I've seen video of someone cracking a Mac through a wireless driver. Then again I've also seen video of a virus written on a Mac taking down a fleet of invading alien spaceships...

nathanh: Unfortunately the majority of Mac users are an embarrassment ... Mac users make Linux fans look humble and Windows users look intelligent ... I work in the IT security industry and I'm perfectly willing to accept that this exploit is for real. The pattern of events is not abnormal ... The only difference here is that Apple users are so goddamn fanatical that they'll rabidly attack anybody who says their platform is any less than perfect ... Mac users are in for a rude shock. They've told each other their platform is secure ... But the mantra has no foundation in reality. Most Mac users ... have an undeserved complacency regarding security and it will lead to a fall.

And finally... Bruce Schneier: Airport Security Cartoons

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.

What People Are Saying

Most Mac blogs and websites

Most Mac blogs and websites have been pretty concise in their criticism. And they've gone out of their way to stress that OS X is NOT invulnerable. All they ask is for a slither of proof Maynor and Ellche had anything approaching an "Apple Wi-Fi exploit". This many months later (6?), M&E still have shown us zilch.

Of course, to Maynor and Ellche, Mac users are all fanboys "whose eyes they would like to poke out". Great way to strike up a conversation.

So it's almost 2 months now

So it's almost 2 months now since the black hat demo, is it true that they can hack a Mac or the media just got duped into publishing a publicity stunt?

Contrary to what a previous

Contrary to what a previous anonymous respondent stated, Mr. Krebs wrote in a follow-up Washington Post article to the effect that he received a private demo of the exploit from Mr. Maynor. This private demo was demonstrated directly on Apple hardware using Apple drivers. The only other person who witnessed this private demo hasn't stepped forward, and Krebs won't identify him. This private demo was entirely unlike the video that was shown publicly; as you may know, in the video, the exploit was demonstrated with a 3rd party WiFi card using 3rd party drivers.

Here is the link to Mr. Krebs' follow-up article, and here's the relevant quote:

I've been asked this many times, so let me make this crystal clear: I had the opportunity to see a live version of the demo Maynor gave to a public audience the next day. In the video shown at Black Hat, he plugged a third-party USB wireless card into the Macbook -- but in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in.

(Emphasis added by me.)

OK, now I'm scared...

OK, now I'm scared...

Hack my MAC and I will get

Hack my MAC and I will get you back!
If you think I'm joking then take a crack
Just remember I warned you not to hack
into my world or onto my MAC
When you close your eyes or hit the sack
That will be the time that I get you back
So make your move if your hat is black
Just be ready for the sudden heart attack
That comes to those who bug my MAC

Much as I find these

Much as I find these comments amusing, let's not lose sight of the fact that IT Blogwatch is just a roundup of what bloggers and other sites are saying about an IT story. The words above are the words of the bloggers, not of your humble Blogwatcher.

Why not click on the links to get to the original posts. You can usually contact the authors there.

I trust you'll also notice some measure of balance in the selection of extracts.

Still, only a week to go until Sept 12's Jobsfest, eh? ;-)

Love & kisses,
Your Humble Blogwatcher.

Actually, wrong comment

Actually, wrong comment above. Rechecked his email again: Maynor stated EXPLICITLY that the hack was NOT conducted against the Apple Airport driver at all.

Cannot be more explicit than that.

Apple Wi-Fi exploit? Then you truly are surprised when you get called a moron by all those — oh gosh momma, how mean they are — Mac users?

"HACKER John Ellche, known

"HACKER John Ellche, known in the Black Hat world as Johnny Cache, has opened a can of worms by telling the world about an Apple Wi-Fi exploit at the Black Hat and DEFCON convention last month."

This is a BLATANT LIE. They NEVER said that. They said it is an exploit common to wireless devices using the Atheron chip and drivers. Present in most computers, all brands confounded.

They said they BELIEVE the Airport driver *could* possibly be exploitable as well.

What are you smoking: it must be VERY good.

BTW, Maynor is on a security mailing list. He never explicitly said the hack was conducted EVER on the builtin Airport card.

Your comments are totally bogus.

Wrong, nobody hates D Maynor

Wrong, nobody hates D Maynor and J Hellch because they exposed a security fault. As in this very blog you call it Apple Wi-Fi exploit and by this you show your incompetency actually. It is an ALL COMPUTER BRANDS Wi-Fi *potential* exploit. But you - how ridiculous - still call it "Apple Wi-Fi exploit". Can idiocy be more evident than that?

Maynor et al. did NOT find a fault in Mac OS X but in wireless device drivers which supposedly are common to most computers but lo and behold, instead of using ANY computer to show it they pick up a MacBook and show the issue on a third party USB wireless card. Why not the builtin Airport card then? Lawyers? You cannot be THAT idiot to believe it. And they have not played the gullible media? The very fact you call it Apple Wi-Fi exploit proves that they did and that media are indeed gullible (or at least so-called tech experts are basically ignorant or unable to do anything but yellow journalism).

Do you think truly that this - in your own reality maybe - Apple Wi-Fi exploit means a Dell user, or a Lenovo one, or you name it is then safe against it?

Only one word: starts with M O and ends with O N . Guess.

Oh, now we are at the

Oh, now we are at the aggressive Apple lawyers.

Pleeeaaase. Apple can't move a lawyer that it makes the news of every and each folio of the planet.

The hack 99.9% of the times makes the wireless connection die. That is why on the video you saw the Airport (builtin wireless) active at the same time. It was used to keep the connection alive AND you need to be willing to connect to a bogus ISP provider.

The first wireless device with a faulty driver gets hacked, used to install a callback, it dies. The second wireless device, already connected as the defunct first one (a USB wireless card in our case) to the same wi-fi network is then used to continue the process.

How many laptop users (not just Mac) have you seen running TWO wireless devices at the same time and use BOTH to connect to the same wi-fi network?