Wireless Macbook Security Exploit?

[matznentosh]

I think they are using the "we don't want this to get out into the wild" thing as a scam. If you do it in person people might actually ask questions like 1) Why not use the built in wireless card? ('cause we're not good enough to hack that) 2) What are the security settings on the Mac? (everything open and enabled, making it childs play to "hack" in 3) Why would anyone ever use a USB external wifi-card with a MacBook? (They wouldn't - this is about as hypothetical a "hacK" as there ahs ever been).

I completely agree. It would be a big surprise to me that any method of connecting to an OS X Mac would allow it to be controlled without specific permissions granted by the administrator account, suggesting these guys left the account open on purpose or allowed remote access with the password known. In other words, once you access the computer you still have to get the operating system to give you permission to screw around.

On the other hand, if this exploit is actually true, it doesn't really matter who's driver is to blame: somehow they were able to subvert OS X's security. THAT would be an issue for Apple and for all of us.

All things considered, I don't believe they did what they claim they did.

 

[ChrisA]

I completely agree. It would be a big surprise to me that any method of connecting to an OS X Mac would allow it to be controlled without specific permissions granted by the administrator account, suggesting these guys left the account open on purpose .

No, the way this works is to effectly by-pas all that. All buffer overflow "hacks" do this.

What you do is send a poorly formatted, out of spec network packet. The driver reads the packet which is oversized and places it in memory. The packet being over sized over writes some of the driver code. Some of this over written code is an entry point to the driver. So the next time that entry point is called the hackers code is executed. One you are able to incert your own code into the Kernel all that "permissions stuff" is moot because you have effectiviely loaded your own operating system code over top of Mac OS. In a real-world exploit the little bit of code in the first oversized packet would contain a loader that would read following packets.

This kind os hack is very, very hard to do. and very easy to patch the driver so it can't happen. In fact any code review should have caught it. Kind of proves that whoever wrote the wireles driver didn't bother with a peer review code walkthrough.

 

[edoates]

No, the way this works is to effectly by-pas all that. All buffer overflow "hacks" do this.

What you do is send a poorly formatted, out of spec network packet. The driver reads the packet which is oversized and places it in memory. The packet being over sized over writes some of the driver code. Some of this over written code is an entry point to the driver. So the next time that entry point is called the hackers code is executed. .

Some of this points out the wisdom of the IBM AS400 design: code and data were separately tagged entities. It was not possible to execute "data," nor was it possible to tag "data" as "code" without OS intervention; even drivers could not do this since the tagging was a hardware function and drivers ran at a different security level. Of course, the machine was exceedingly slow, but it was an interesting hardware/software design decision to tag all contents of memory.

 

[sparkleytone]

There's no use whining. It makes our community look bad and doesn't do anything positive. These things happen and vulnerabilities exist. Its not about who's driver it is or if its part of the OS. Its about how quickly Apple responds, how they respond, and the vulnerability being fixed.

 

[deconai]

But wait! Doesn't Apple's miniscule market-share mean that hackers won't target Macs because there is nothing to be gained? Better off targeting the 95% of Windows-running machines out there? I think this story proves again that the "security through obscurity" argument is just a myth.

Well, going on national TV and basically challenging the hacker community doesn't really qualify as obscure, now does it?

 

[yellow]

OK, so their inital aim was implicitly to get in-the-face of smug Mac users. And then Apple "leans" on them, so they go all nicey-nice and 'decide' to a USB wifi card instead? Doesn't this seem slightly odd to anyone else?

 

[yellow]

Well, going on national TV and basically challenging the hacker community doesn't really qualify as obscure, now does it?

People keep mentioning this.. does anyone have a link to the add that specifically challenges hackers?

 

[deconai]

People keep mentioning this.. does anyone have a link to the add that specifically challenges hackers?

No, not a direct challenge. I'm sorry, I was using hyperbole to drive a point home. Apple's not obscure anymore. Even though they control a small portion of the total PC market, I'm seeing more Apple commercials on TV and online than I ever have. They're extremely high visibility now.

And as for the hacker challenge, many believe that the new commercials present a "smug" image of Apple, and one of the commercials specifically touches on the nonexistence of Mac viruses. Now I realize that this is not exactly an open invitation to challenge the OSX 20-ton gorilla, but to some hackers, this does indeed make Apple a target.

 

[kcmac]

People keep mentioning this.. does anyone have a link to the add that specifically challenges hackers?

Do you ever watch TV? Seen the latest I'm a Mac, I'm a PC Ads?

 

[yellow]

No, I don't watch TV in the summer. Reruns are lame. Reality shows are stupid. TiVo is God.

So.. when Microsoft challenges me to figure out "Where I Want To Go Today?", I should be pissed because Windows won't take me to Peoria?

 

[yellow]

So...

The statements by the "Mac"

"I'll be fine"

&

"PCs, not Macs"

Constitutes a "challenge to the hacker community"??!



Whatever.

 

[frozencarbonite]

Wireless Network Question

So do you have to be connected to an unknown network (like in a coffee shop or bookstore) for this to work?

I'm actually not in the city, so I don't have anyone around me that would be close enough to connect. Could it still work though?

 

[Aztechian]

Not just 3rd party card

The same washington post blog mentions in the next article that the default ("built-in") wireless cards in the macbook have the same flaw. So this is a bit bigger deal than a few odd people using external cards...

 

[yellow]

Let's theorize: So why didn't they use the internal card?

 

[Aztechian]

Let's theorize: So why didn't they use the internal card?

Supposedly because apple said "please, please, pretty please dont"

Edit: Or maybe it was just an offer they couldnt refuse...

 

[gauchogolfer]

OK, so their inital aim was implicitly to get in-the-face of smug Mac users. And then Apple "leans" on them, so they go all nicey-nice and 'decide' to a USB wifi card instead? Doesn't this seem slightly odd to anyone else?

It certainly strikes me as being a bit off, as well. I didn't think about it until you mentioned it, though. Seems like a pretty abrupt about-face.

 

[yellow]

Supposedly because apple said "please, please, pretty please dont"

Then how is it an 'in-your-face-you-smug-apple-using-retards'?
Why would these "blackhats" be listening to Apple, particularly when they appear to have an axe to grind?

 

[Aztechian]

Then how is it an 'in-your-face-you-smug-apple-using-retards'?
Why would these "blackhats" be listening to Apple, particularly when they appear to have an axe to grind?

yeah, I don't see how they can make their smugness quotes, and then go to apple and microsoft first before demoing. It does seem odd, since they would know that all companies involved would "pressure" them like that.

 

[dejo]

From the blog:

"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said.

With this kind of angst, why wouldn't they use the internal Airport card?

 

[yellow]

With this kinda of angst, why wouldn't they use the internal Airport card?

Exactly.

Something does not add up.

Either it's much harder to do with built-in drivers in both Windows/OS X that they want to make claim of..

 

[frozencarbonite]

So do you have to be connected to an unknown network (like in a coffee shop or bookstore) for this to work? Or do you just have to be connected to the internet via wireless?

I'm actually not in the city, so I don't have anyone around me that would be close enough to connect. Could it still work though?

Does anyone know the answer to this?

 

[appleguru1]

This is not a hack at all.. unless you have SSH ("Remote Login" in Sharing prefs) on and the attacker knows your password, they can't do crap.

Now, by all means I'd like to see proof that this hack can actually exploit a user's system without SSH on and without knowwing their password, but from what I've seen I wouldn't think so.

 

[yellow]

Does anyone know the answer to this?

There's precious little details on what the actual exploit is, so no.. I don't think anyone here knows, yet.

 

[frozencarbonite]

There's precious little details on what the actual exploit is, so no.. I don't think anyone here knows, yet.

Yeah, I bet there are no more details released on the vulnerability until a patch is released.

 

[CallMeTheArrow]

Comeback to the whole "Mac wireless hacked" story

http://www.macfixit.com/article.php?story=20060803094301394

Also see: http://www.sci-tech-today.com/story.xhtml?story_id=003000002WEF