Wireless Macbook Security Exploit?

[backdraft]

hahaha Don't be sorry. Powerbooks not being affected by this is a good thing to me. I'm still holding tight to my PPC.

PPC FOREVER!!! Intel must die a horrible death along w/ M$!

 

[shawnce]

I'm not downloading a sh script to my mac. lol

It contains...

#! /bin/sh
echo -n "Finding channel and signal strength....."
sleep 1
echo "DONE!!"
echo -n "Preparing shellcode."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
echo "Adding connection information for remote client."
echo -n "Sending attack"
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo "."
echo "Waiting for response"
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo -n "."
echo "Got Shell"
#Note, requires public key files on remote machine to connect without password
ssh bad@192.168.1.50 'ls'
ssh bad@192.168.1.50

 

[appleguru1]

??

sleep and echos?
Is this a joke?
It must be a joke.

You caught me, it is

But, if you run it, it should mimic the video those guys put out exactly...

point being, unless I see some hard evidence that really shows this exploit is viable, I'm calling BS.

 

[jaduffy108]

Well... but at least it's not Apple's fault, because they didn't produce the driver. Therefore it's actually not a concern of Apple's but of the driver's producer's.

On the other hand Apple did include it into it's OS seemingly without testing it thorougly, and that is, of course, a concern of Apple's. So they will have to work together to get rid of that - and I'm sure they will - and I may be smug again.

###Just my two cents.... it is exactly this kind of "attitude" that make tech and Windows people want to throw up. Of course, it's Apple's concern and it SHOULD be yours. If it comes with the Mac...it's Apple responsibility...period. As an Apple user, i'm embarrassed more and more by the Apple community. Gonna have to start painting over the Apple logo on my PB.

 

[frozencarbonite]

Just thought I'd post some information that I found about this. I don't understand a lot of the technical talk but the other stuff I do.

http://www.smallworks.com/archives/00000455.htm

Very interesting read.

Also take a look at this from the same site.

http://www.smallworks.com/archives/00000456.htm

 

[wnurse]

The exploit is apparently in the device driver, and so its more of an issue with Atheros than with Apple. I mean, a vulnerability is a vulnerability, and it still needs to be fixed, but the compromised code is most likely not Apple's at least.

Many windows exploits deals with third party software.. what's your point?.
Actually, the hackers were very nice to let microsoft and apple plus the device drivers know about the problem.

Still, Apple is ultimately responsible for putting the software in their machines and in advertisements, they never say "macs are safe except for third party software". Actually, even with this, macs are a lot safer than windows but i predict the assualt is coming. It's really only a matter of time.

 

[wnurse]

I completely agree. It would be a big surprise to me that any method of connecting to an OS X Mac would allow it to be controlled without specific permissions granted by the administrator account, suggesting these guys left the account open on purpose or allowed remote access with the password known. In other words, once you access the computer you still have to get the operating system to give you permission to screw around.

On the other hand, if this exploit is actually true, it doesn't really matter who's driver is to blame: somehow they were able to subvert OS X's security. THAT would be an issue for Apple and for all of us.

All things considered, I don't believe they did what they claim they did.

Yes, it's always good to bury your head in the sand.. makes the problem goes away or even better, makes the problem non-existent. Did you read the part where they are in contact with Apple and microsoft?.. you think apple employees have time to deal with a crackpot?. I believe if this was a joke, you'd know.

 

[wnurse]

Instead of the headline reading macbook hacked in 60 seconds it should of read x vendor welcome to your lawsuit we promise it wont last 60 seconds!

The macbook was hacked in 60 seconds. Why it was hacked or whoose software was responsible is irrelevant. The macbook was HACKED, PERIOD!.
End of story.

 

[yellow]

The macbook was HACKED, PERIOD!. End of story.

Please don't promote the FUD.

It's not entirely clear what happened, or how.

And it wasn't the Macbook (nor OS X) that got hacked..

 

[JBot]

It's not entirely clear what happened, or how.

And it wasn't the Macbook (nor OS X) that got hacked..

Than what did get hacked?
The wireless card that was plugged into the macbook.

I know what youre saying, and they have made it clear, this isnt an attack on macs that allowed this hack. any machine is supposedly open to be 'hacked.'

 

[gwangung]

Than what did get hacked?
The wireless card that was plugged into the macbook.

I know what youre saying, and they have made it clear, this isnt an attack on macs that allowed this hack. any machine is supposedly open to be 'hacked.'

Yeah, but their presentation was extremely poor. If it was to show that ANY system could be hacked, why choose a set up that is EXTREMELY improbable and unlikely? It weakens their case and encourages folks to dismiss them.

 

[JBot]

Yeah, but their presentation was extremely poor. If it was to show that ANY system could be hacked, why choose a set up that is EXTREMELY improbable and unlikely? It weakens their case and encourages folks to dismiss them.

How come it is extremely imporbable and unlikely?
They presented there script against a mac because the mac strives on the claim that they are the safest pc out there.
They said in there interview they targeted the mac because they hate the commercials.

Explain how that makes there presentation poor.

 

[yellow]

Why did they use a 3rd party USB wireless card then?

Do we really need to rehash all this?

What they put forth as a hack is fishy. There's a lot of missing information.
They could have hung it off a bar of soap with linux installed on it and done the same exploit. Because they hate soap and think linux is for girls.

It's just FUDtardery.

 

[yellow]

It's just FUDtardery.

And apparently now they admit that it was bull-****.

http://www.tuaw.com/2006/08/18/secureworks-admits-to-falsifying-macbook-wireless-hack/

 

[kugino]

And apparently now they admit that it was bull-****.

http://www.tuaw.com/2006/08/18/secureworks-admits-to-falsifying-macbook-wireless-hack/

yeah, using a third-party card AND driver software. stuff that 99.9% of macbook owners would never use anyway...if their goal was to show THAT a macbook could be hacked, they did show it. but they did not show that a macbook being used in a normal way using macbook drivers and hardware can be hacked. pretty piss-poor, IMO.

 

[gekko513]

And apparently now they admit that it was bull-****.

http://www.tuaw.com/2006/08/18/secureworks-admits-to-falsifying-macbook-wireless-hack/

Now, isn't that something. What a great way of proving the 'Get a Mac' commercials wrong. If anything, the myth that Macs are invulnerable is strengthened when they make up lies and are caught.

 

[benthewraith]

And apparently now they admit that it was bull-****.

http://www.tuaw.com/2006/08/18/secureworks-admits-to-falsifying-macbook-wireless-hack/

Busted. Boy do I hate to be those guys.

 

[plinden]

I don't see this mentioned here, but Apple have told MacWorld - my bolding:

“Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is,” Apple Director of Mac PR, Lynn Fox, told Macworld. “To the contrary, the SecureWorks demonstration used a third party USB 802.11 device–not the 802.11 hardware in the Mac–a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”

 

[gekko513]

Busted. Boy do I hate to be those guys.

Yeah, in the beginning I had some respect for what they did, because some parts of the Mac community needs to get some perspective, but now they just look pathetic.

 

[hulugu]

The macbook was hacked in 60 seconds. Why it was hacked or whoose software was responsible is irrelevant. The macbook was HACKED, PERIOD!.
End of story.

That the MacBook was hacked using a third-party card and third-party drivers isn't irrelevant, it's the whole point.

There's an important difference between standard configuration and this set-up which makes it so much easier for the MacBook to be hacked. Your cheerleading aside, no Mac is hack-proof, but there's a big difference between breaking a lock and opening it because someone left the keys in the door.

 

[hulugu]

How come it is extremely imporbable and unlikely?
They presented there script against a mac because the mac strives on the claim that they are the safest pc out there.
They said in there interview they targeted the mac because they hate the commercials.

Explain how that makes there presentation poor.

Simply put, by presenting the hack with a MacBook they made it appear as though the MacBook had a fatal flaw that was inherent to the system and they were poor at presenting this flaw as a problem with a particular third-party wireless card.
The addition of their complaining about the commercial made they appear as though they had a vendetta and a bias which security researchers should avoid. The flaw should have been presented with a multitude of systems, including the Mac, to show how the flaw affected Windows and the Mac, and they should have been more clear about the addition of a third-party USB wireless device as well as their tweaking of OSX's settings.
They went for a flashy presentation and got fried by it.