An attacker could gain complete control over a laptop by sending malformed network traffic to a vulnerable computer, David Maynor, a senior researcher at security service provider SecureWorks, said in a presentation at the Black Hat security event here.
Maynor, along with researcher Jon "Johnny Cache" Ellch, showed a video of a successful attack on an Apple Computer MacBook. However, the attack is possible also on other computers, both laptops and desktops, and not just MacBooks, the researchers said.
"These driver flaws are pretty common," Maynor said. Researchers are starting to find those bugs as they shift their focus from hunting for operating system flaws to exploitable errors in drivers and in applications, he said. The reason for the shift is that operating systems are becoming increasingly more secure, he added.
There is no immediate threat to the millions of laptop-toting wireless users. Maynor and Ellch are not releasing the details of their attack, and they deliberately did not show a live demonstration to prevent anyone from copying their attack.
"People who should be worrying about this are the hardware and software makers, so this doesn't make it into the mainstream," Maynor said.
Consumers should be streetwise when using their laptop by not connecting to networks they aren't sure they can trust and by disabling the wireless radio when it is not needed, Maynor said. "There is no need to run out and rip your wireless card out of your laptop, but you should take precautions," he said.
With their Black Hat talk, Maynor and Cache hope to wake up makers of buggy drivers. "We want to educate developers and hardware makers about this threat before it becomes a wide-scale issue," Maynor said. "We're not talking about something that people don't know about, but a lot of people don't know the severity."
Driver flaws have been getting more attention recently. Microsoft, for example, is readying tools for driver developers to scan their code for common vulnerabilities. According to a recent experiment by Intel, flaws in driver software may be worrisome and a potentially serious threat, but there is no need for alarm yet.
To launch an attack using the Wi-Fi driver flaws, the would-be intruder needs to be within about 100 feet, or 30 meters, of its target--the typical reach of a Wi-Fi signal. However, new wireless technologies are extending this range significantly and could increase the threat, so new bugs will likely be found, Maynor said.
To facilitate an attack, the researchers found a way to remotely identify the wireless driver that a particular computer is running, Maynor said. Then malicious data traffic needs to be crafted and sent to the vulnerable PC. A flaw in the way that computer processes the data subsequently causes the compromise, he said.
Coincidentally, Intel late last week issued fixes for flaws in software that controls its popular Centrino wireless hardware. These patches are not related to the Black Hat research, Maynor said. The researchers have worked with hardware and software makers on the issue of Wi-Fi drivers, but not with Intel, he said.
Black Hat runs until Thursday.
demonstration was done on a Mac, but the issue is not specific to
any operating system.
ABC News article even tried to contact Apple about it. These guys
were trying to show something.. they even admit it.
This is not even remotely related to apple.. hence the use of a third
party card.. for them to make a big deal out of using a Macbook is
pure fud on their part.. and only makes them look like tools.
fact it was an Apple, C|Net decided it would be fun to put on their
FRONT PAGE that a "macbook was hacked." Thanks a lot, guys.
And what do they mean by "complete control"?
Via the command line? As a root user?
Was this a machine with no passwords enabled?
Were they able to get into specific folders and files?
Whenever someone presents this little of information
about the break-in, it usually means they are trying to
sell you something, like security software.
I'm pretty suspicious at this point without details.
Dan
say if they got root access or not.
The interesting thing is that the hole was in a *third-party*
wireless card driver. They actually plugged in a third-party
wireless card to the MacBook, which is silly since the MacBooks
all have built-in wireless. Furthermore, they don't say if the
drivers for Apple's built-in wireless are vulnerable or not. So, we
don't actually know if any MacBook users are actually vulnerable
to this attack at all with the normal configuration. Needless to
say, if the regular Apple wireless driver is *not* vulnerable, this
is getting a lot of gratuitous hype.
Folks work on a laptop from home or on a business trip for example, then first thing in the morning, they take that laptop into their employer's HQ, where the laptop and (or) usb flash memory plugs into the corporate intranet.
The laptop or usb drive was previously infected with a virus or trojan horse. As soon as the corporate user plugs his/her laptop or usb stick into the intranet, bingo, potentially all other corporate computers on the network can be compromised.
That way you hack a corporation by proxy, by hacking the poor security on a laptop, than trying to hack corporate security, that's going to be ten times more updated with patches and generally more sophisticated than some individual employee dude's privately owned laptop and or portable usb flash memory stick.
Funny, though, the timing and nature of this new Security-angle (driver insecurity), since the overwhelming number of REAL "Security Issues", for over a decade, has actually been directly due to BAD CODING, and REALLY-BAD CHOICES related to "embedded features" from, primarily, ONE software-company.
And, isn't it also funny that Microsoft has taken such a large-role in the "Black Hat Conference" exactly when this -new revelation- could most benefit the "Trusted Computing" elements in their floundering push to roll-out "Vista" to a, more and more, resistant-market.
And, it's even stranger, to me, that this particular "security issue" is happening EXACTLY when "IT companies", and developers, are just beginning to publicly-rebel, in earnest, against the very "authorized-drivers-only security model" in Microsoft's next OS, ...which, by the way, WILL allow Microsoft to control, and charge, every single "anti-virus software" producer, manufacturer of printers, video-cards, and memory-devices, ...or anybody else that produces any "device", or "product", that needs to work in the "Vista Trusted Computer environment".
But, I'm sure this is all just an amazing coincidence... After-all, Microsoft has changed, ...haven't they..?
This is exactly what Black Hat is all about; pick a flashy, high profile target and hit as hard as you can(or at least give that appearance).
Too bad you fanbois can't separate the lesson from how it was taught.
This seems a little fishy to me. Yeah, I can hack a lot of things
myself, especially if I can add my own hardware and know in
advance what to expect. I'm not buying this as a legit hack, sorry.
completely negated the use of the MacBook as a test subject -
no one would ever use a third-party card in a MacBook as it has
internal WiFi.
While I appreciate the message, the proof of concept provided is
useless - especially when you take into account the fact that the
test subject was directly and intentionally authenticated to the
attacking machine.
"Some people watching the video have noticed that the Macbook is using an external wireless card, rather than the built-in card. In a Washington Post interview, Cache and Maynor say Apple leaned on them to use an external card rather than the built-in card. Despite this, both contend that the internal card is identically vulnerable."
http://www.tgdaily.com/2006/08/03/macbook_hacked_minute/
in were possible with the built-in Apple Wi-Fi card I'm sure they
would have done it that way. More glory. But they failed to provide
any real (useful) information about the target machine. Were they
logged in as a root user? Did they have file sharing enabled? Was
the software firewall enabled? They were clearly running the
Terminal shell (which the average user never opens). Just what does
it take for this exploit to work? It's hard to take this seriously
without more information.
Was the built in firewall turned on? Probably not.
Why the hell use a 3rd party card on a macbook with built-in
wifi?
Access to a user account via a rigged setup is not "owning" a
system. I can make an applescript that can own your system if
you lock me in a room with your mac.. doesn't mean squat.
Either this guy is an idiot.. or he thinks we all are.
I'm inclined to think that he is just a tool.
But that's just based on the evidence.
I will personally volunteer to let this tool try to get into my
system.
Don't use any hardware that is not built by the manufacturers of your OS, as you never know how many holes there are in the kernel driver.
Buy Mac OS X, use only built-in devices, or at least ones that are manufactured by Apple.
Also, MS need to acquire Intel, AMD, Dell, HP, Lenovo and the rest of PC manufacturers around the world and prohibit manufacturing of MS PC clones (including Intel-based PCs from Apple).
Then driver lab testing/signing will be obsolete and hardware compatibility problem and security of the 3rd party drivers solved forever.
A third party wireless device was used...NOT THE BUILT IN WIRELESS APPLE AIRPORT.
Hmmm, how many users are going to buy a macbook pro and then decide NOT to use the built-in airport.
IF this is a legitimate exploit, then use airport. otherwise, don't use some third party device, designed for windows, and then when the OSX drivers are created in India as some vague afterthought.
In order for security threats to be perceived as real, they have to represent real life scenarios.
Do this on an Apple with Airport or a Dell with Centrino. Otherwise, shut up.
http://www.tgdaily.com/2006/08/03/macbook_hacked_minute/
The point was simple: "There are too many device drivers out there which haven't been checked and cleansed of serious bugs which could allow a computer to be compromised". They chose to attack via a wireless driver simply because that particular device provides a remote attack ability that a wired connection (such as via a normal NIC) doesn't.
Further I'd suggest they used a third party card mainly because they found their vulnerability in the drivers for that particular card.
So why did they do this demo with a Mac instead of a Windows based machine? Probably because they read C/Net and have grown to hate the iTrolls like the rest of us. Enthusiasm for Apple and the Mac is good, very good. Blind loyalty and irrational, rabid zealotry though defines the iTroll's mindset.
Maynor's intent:
http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco_1.html
He's quoted as having some type of grudge with Apple, and I'm
guessing he deliberately rigged this test to his advantage to
prove a point.
For the record, I work with both platforms, and I would be
writing this same comment whether it was with an Apple or a PC.
His method is flawed and he's just trying to invoke controversy,
which he has succeeded at. I think he's doing a real
disservice to the security community.
Dell. But wait, that would make the Macbook look better, and he
wouldn't want to do that.
Apple Notebooks ALL have Wi-FI BUILT IN, so you do not need a third party Wi-Fi card.
CARD / DRIVERS are not secure. Mac OSX + Airport Wi-Fi are encrypted secure wireless protocols.
Bad Form C|NOT!
Total FUD BS to smear Apple just before their WWDC & keynote announcements.
I did see on another site that they installed a full rootkit on the Macbook so the vulnerability is extremely serious even if the Macbook ultimately turns out to be completely safe against this attack when it's using its own built in wireless.
In short, the fact that the compromise was made using a third party card neither convicts nor exonerates the Macbook. These researchers are taking great care to not make enough details available that the bad guys can use them before the vendors have time to fix their drivers.
You are WAY TOO sensitive about the Apple laptop being the victim. For the presentation, the laptop could've been a Linux-based machine (assuming of course that they could've gotten the wireless drivers to *actually work* with their particular victim distro).
"Some people watching the video have noticed that the Macbook is using an external wireless card, rather than the built-in card. In a Washington Post interview, Cache and Maynor say Apple leaned on them to use an external card rather than the built-in card. Despite this, both contend that the internal card is identically vulnerable."
So while it's great to love a company and its products, being closed-minded and lashing out for no reason just shows ignorance.
Link for the entire article, which includes a link to the Washington Post interview:
http://www.tgdaily.com/2006/08/03/macbook_hacked_minute/
(these computers are called "Macs" in popular usage, not "Apples")
by theft or other means and substitutes a third-party wireless card
for my built-in AirPort card, they can hack my Mac? Anyone
surprised by this? Why didn't they hack a real-world Mac across the
Internet?
Give me unrestricted and undisturbed access to Ft. Knox and I
guarantee you I'll get away with the gold!
First, he says the target doesn't need to be associated with an AP.
Then he attaches the target to the Dell FROM THE TARGET! And leaves the shell open on the target...
Then he creates a few files, then deletes them.
Show me where he even _claims_ to have obtained root or admin on the target, much less proves that he has!
Any script kiddie can attack and control a target that voluntarily attaches to your laptop - especially if you have access to the keyboard!
Repeat this demo by attacking and establishing a wireless connection to a target machine with the settings on default, and the current user logged in as user, and prove to me that you can do it without access to the target's keyboard, and gain elevated privileges on the target by performing admin or root level tasks.
Then I'll believe it.
They attach it in the beginning in order to compromise the
machine. It is a hoax that an Apple could be hacked like that.
Why is this even on CNet?
It doesn't matter what card it was
by Andrew J Glina
August 4, 2006 8:33 PM PDT
Apple fanboys seem to think that MacOS X is immune to driver flaws due to its superior design. This demonstrates otherwise.
Yes, it does.
by Thrudheim
August 5, 2006 11:52 AM PDT
"Fanboy" is an overused, tiresome pejorative. Can we debate this issue without the name calling?
You set up a straw man so that you can knock it down. Show me
one post anywhere where a Mac fan actually said, or even
implied, that Mac OS X is immune to driver flaws.
Nobody disputes that this is a significant and serious security
hole *if* Apple's internal wireless driver is vulnerable to the
exploit. At this point, however, we have only the word of these
two guys, and their video left a lot of questions unanswered.
It matters if it is a third-party card because it gives us an
important indication of how many people might be affected.
Since all Apple laptops made in the past year come with internal
wireless, and others who add wireless almost surely use Apple's
Airport card, it might be that only a tiny segment of Mac users is
affected. We just don't know yet.
Take it to the extreme. Suppose I write a wireless driver for
myself, and it is riddled with security holes. My machine is ripe
for the taking. Is that serious security matter too?
That said, my assumption is that Apple's internal wireless is
vulnerable. I just think that a lot of stories, like the Washington
Post's security blog, really hyped the Mac angle and,
unfortunately, were wrong about what the video actually
showed.
You know, it's goofy. Recently, a million Windows users who
visited MySpace may have been infected with spyware, but this
story has gotten far more attention.