Hacker Publishes Notorious Apple Wi-Fi Attack

inkslinger77 writes "It's been about a year since David Maynor claimed to have found a way to take over a Mac using a flaw in a Wireless driver. He's now published his work for public scrutiny. Maynor had been under a nondisclosure agreement, which had previously prevented him from publishing details of the hack, but the NDA is over now and by going public with the information, Maynor hopes to help other Apple researchers with new documentation on things like Wi-Fi debugging and the Mac OS X kernel core dumping facility."

Really good sleuthing

[BadAnalogyGuy]

What gets me most of all is how the wifi stack was able to be crashed with just data.

First he bombards the network with random packets. Then the actual packet in question may not cause a crash for up to 5 minutes. Then he tracks down which packet it was and how using the contents of that packet he can use another packet to set up a code execution exploit.

Really good work. And no cookie for Apple whose driver choked on data.

Re:An object lesson

[Anonymous Coward]

"Only open source systems like Unix.."

The naïveté of this post made me laugh! +2 Humor of Stupidity!

Author: If you didn't get that, let me explain. Traditional Unix(TM) based operating systems are notorious for being highly proprietary, and their sources closely guarded secrets. Recently, of course, some unix-like vendors such as Sun have decided to open-source those OSes, but this is the exception, not the rule.
    Let me further inform you that Apple's OS X most definitely *IS* a unix-like OS as well, being based on the Mach kernel hosting Darwin, which is a variant of BSD and thus open-source. Thus, Apple's kernel, at least, is open-sourced to a degree, though the overlying GUI, and probably the network driver involved here, are not. What you probably meant to refer to in your elitist rant was GNU/Linux, and/or BSD. To that end, vulnerabilities in both do arise occasionally, so don't think that FLOSS is a magic safe-guard against imperfect code.

Re:This WASN'T an "Apple WiFi hack"!

[GaryPatterson]

Come on, it looked pretty suspicious. He demonstrated a security hole, refused to detail it, it turns out he used a third-party WiFi card instead of the built-in card... Who would just accept that and say "well, it's a fair cop?"

Some Apple fans got a bit rabid. Not because a security flaw was found - there have been a good number of those since OS X started, and resposible disclosure has never caused users to go apeshit before - but because of the way the flaw was publicised without any real information. On top of that, he made that crack about stabbing Mac users in the eye with a pencil. What was that about? Who says these things and expects no reaction whatsoever?

Then he started saying he'd had death threats. Still haven't seen the threats and apparently they were serious enough to publicise but not enough to call the police in. I lost touch with the story when it seemed to be just poor reporting with low information content and pissy blog wars.

And now a secret NDA is up and he can talk about it. Well, good for him. It's about a year too late, but there's still publicity to be made I see.

Re:This WASN'T an "Apple WiFi hack"!

[CaymanIslandCarpedie]

he made that crack about stabbing Mac users in the eye with a pencil

Granted, I certainly think he was trying to maximize the publicity and that statement certainly set the stage for the reaction that was to come. However, at least to me (and I'd assume many others) it was the reaction which was a bit surreal and made it interesting.

And now a secret NDA is up and he can talk about it. Well, good for him. It's about a year too late

I have seen many saying the same basic thing in response to this release of information, which I find a bit strange. A bit simplified view of what happened (at least in my eyes):

David Maynor: We found a successful attack which effects Mac OS X and this deomonstration will show it to you!!!! BTW you Apple guys are losers.
Apple supporters: Give us details on the attack or you are a liar!!!!!
David Maynor: I'm legally unable to at this time.
Apple supporters: Your a dirty liar!!! I knew it!!!! My Mac isn't vulnerable!
David Maynor: It is but I really cannot talk about it right now. I've shown it in action but cannot yet release details
Apple supporters: Shut up and die you lieing maggot!!!!!
....... David Maynor: OK, I'm now legally free to discuss the details of the attack and here are all the details. Enjoy!
Apple supporters: We don't care about your stupid details! Shut up and go away!!!!

Re:This WASN'T an "Apple WiFi hack"!

[stewbacca]

Yes, it affected Apple, too, but It was a general "hack" that affected WiFi chipsets on other platforms, including non-Apple hardware, Windows, and Linux!

Considering it was a third party wireless device, it would only be logical that Macs would be the least affected by this hack, because very few Mac users (less than 1%?) would ever bypass the built in wireless for a third party solution. So this hack is more of a danger to Windows machines, which are far more likely to be sold without built-in wireless, thus requiring the user to puchase and install the device that allowed the hack in the first place. Correct me if I'm wrong, but that is my recollection of the hack.

If this guy ever hacks a MacBook's built in wireless with typical user settings, then this would be an Apple story. As it is now, it is a story about how insanely obsessed the anti-Mac crowd is with trying to break OS X and only lends further credence to Apple's claim of OS X's excellent security (good enough for the Department of Defense and the NSA, in some cases).

Re:An object lesson

[SplatMan_DK]

Only open source systems like Unix can be made reasonably secure.

Ahemm... the flaw is not platform or OS related. It is related to a specific series of Wifi chips and drivers, regardless of which OS is installed on the host computer.

This flaw can be exploited on Unix, Linux, BSD, Windows, OS X. If the Olsen-twins made an OS using the same hardware and code base for network drivers, their Olsen-twin-OS would have the same flaw as well. In fact, the wide application of this flaw is the main reason it is truly newsworthy.

I politely recommend reading the article, and studying the problem in more depth before your next post.

Re:This WASN'T an "Apple WiFi hack"!

[stewbacca]

There is no cynicism in your post, just truth. This whole conversation is wrapped up with your post. Thank you! I still don't see what's so hard to understand that this guy hacked a third party device that was plugged into a Mac that NOBODY uses anyway, so it's a non-issue. Had he hacked the stock WiFi, he'd have a point. Hell, even suggesting that the same technique WOULD work on the built-in WiFi (but without actually doing it) would have more credibility than this. It is scary that all the anti-Mac crowd has to do is get catch a wiff of the words "vulnerable" and "Mac OS X" in the same sentence to be sent into a frenzy like they always do. Get back to me when you actually have something...thanks.

Re:Correct me if I'm wrong..

[Clirion]

Actually, it looks like it was the Atheros chipset he hit. So any card that uses this chipset is at risk. MacBooks use Atheros wireless chipset. So the same exploit that works on the third party card (presumably using the Atheros chipset) works on the Macbook (using the Atheros Chipset).

When does Jon "Daringfireball" Gruber apologize?

[Argyle]

Apple cultist Jon Gruber offered a MacBook to David Maynor and Jon Ellch if the wifi hack was true [daringfireball.net].

It was true. He owes them a laptop...