September 23rd, 2006

Apple patches Wi-Fi but refuses to give researchers credit

Posted by George Ou @ 5:42 am

Categories: Defcon2006, Hardware, Mobile/Wireless, Networking, News, Security, ~Events~

[UPDATE 9/25/2006: The word "due" was dropped from the title because it is now disputed by Apple.  Apple has issued a strong denial that anything useful was given to them and responded to this blog in detail.]

After all the controversy, it turns out that there really are critical vulnerabilities in Apple's Wi-Fi drivers, described in three separate CVEs, that affect Intel and PowerPC based Macs.  After more than six weeks of Apple's spin that strongly implied there was no Wi-Fi vulnerability and six weeks of conspiracy theories that this whole thing was a fabricated stunt to garner attention for some fake security researchers, Apple released three critical patches before next week's Toorcon event, where security researchers David Maynor and Jon Ellch are planning to release details on the Apple Wi-Fi exploit and more.

The controversy started with the original report "Hijacking a Macbook in 60 seconds" by Brian Krebs, who reported from Black Hat 2006 on August 2nd about security researchers David Maynor and Jon Ellch.  The Mac press balked at Krebs' claim that this was a Macbook being hacked because the official demo given at Black Hat 2006 only pertained to third party drivers and hardware.  But Krebs stood his ground and clarified that he wasn't talking about the "official" on-the-record demo but rather the private demo he got from David Maynor, and he even released a word-for-word audio transcript.  Krebs insisted that he witnessed a hack on a stock Macbook with no third party devices plugged in.

The story had gone dormant for 2 weeks until August 17, when an orchestrated* assault was launched against David Maynor and Jon Ellch that accused SecureWorks (the company David Maynor works for) of changing their story.  Jim Dalrymple of MacWorld called the research a misrepresentation and other IDG publications followed.  Blogger David Chartier even declared that "SecureWorks admits to falsifying MacBook wireless hack" and Digg amplified the bogus stories on a grand scale.  Frank Hayes of ComputerWorld even referred to Maynor and Ellch as "quack hackers" (Frank Hayes is an honorable man and apologized).  The problem is that none of these publications did any basic research, because SecureWorks NEVER changed their story, never misrepresented, and never admitted falsifying the MacBook wireless hack.  The original video had clearly stated within the first 20 seconds that the demo pertained to third party drivers and hardware, yet we have not seen a single correction from any of these publications.

As a result of the faulty reporting, tens of thousands of websites have declared Maynor and Ellch as frauds.  Some conspiracy websites even popped up and claimed the original SecureWorks video demo was a "magic show".  Anyone who defended Maynor and Ellch in the media was equally attacked by these fanatics.  The list of defenders was thin and included myself, Brian Krebs, and Rich Mogull.  I provided one of the most vigorous defenses of Maynor and Ellch and received a ton of heat over it.  A blog site dedicated to attacking Brian Krebs was created and one of the more vulgar Mac blogs refers to me as the security b****.   Even with the confirmation of the Apple Wi-Fi exploit, these sites continue their attack.

Apple was very careful to spin the news Thursday when they spoke to reporters about the patch.  According to CNET reporter Joris Evers, "Apple's security patches are not related to the Black Hat presentation, a company representative told CNET News.com on Thursday".  Many of the critics have taken this to mean that these patches aren't the ones Maynor revealed to Brian Krebs at Black Hat and that it doesn't vindicate them.  But if we examine the comments from Apple closely, it's technically a true statement because the official demo given at Black Hat pertained specifically to third party hardware and drivers, but it has nothing to do with whether SecureWorks and David Maynor informed Apple of a vulnerability or not.

When pushed to clarify the issue, Apple would only say to Joris Evers "In August, SecureWorks approached Apple with a potential flaw that they felt could affect wireless drivers on Macs …  They did not supply us with any information to allow us to identify a specific problem, so we initiated an internal audit".  I approached Apple to clarify the issue and asked the following questions regardless of what Apple defined as "evidence".

  • Did SecureWorks ever disclose any Wi-Fi vulnerabilities to Apple?
  • Did SecureWorks ever disclose the packet captures of the malicious payload used to trigger said vulnerabilities?
  • Did SecureWorks ever provide driver disassemblies pertaining to said Wi-Fi vulnerabilities?
  • Did SecureWorks ever provide crash dumps pertaining to said Wi-Fi vulnerabilities?
  • Did SecureWorks ever point to the location of the vulnerable code of said Wi-Fi vulnerabilities?
  • Do any of the current patches released by Apple match any of the characteristics of the information provided by SecureWorks?

So far, I have yet to receive any reply from Apple.  These questions are critical because any competent researcher or engineer would be able to replicate an attack if given all of the above information and even the packet captures alone should have been enough.  When I had previously contacted Apple's Lynn Fox, she would only vaguely answer my questions but refused to say anything on the record.  Furthermore, Apple is playing this off as a "preemptive" effort to strengthen Apple's wireless drivers "found internally" with no credit given to SecureWorks, Maynor, or Ellch.  But the timing of this patch release is awfully coincidental with next week's Toorcon event.

Speaking of Apple driver vulnerabilities, I had accurately pinpointed the driver issue last month when I reported on Atheros' non-role in this whole affair.  As I stated, Atheros was not responsible for this issue since the flaw exists above the I/O Kit in the upper-layer driver code of Mac OS X, which is identical to the code in FreeBSD.  A critical remote exploit FreeBSD flaw was found back in November 2005 and an official CVE was issued in January.  One critic (the one who called the SecureWorks video demo a "magic show") claimed this was preposterous because the MacBook Pro was shipped in February 2006 and surely Apple would have patched something that was known for three months.  Apple spokesperson Lynn Fox went as far as denying any risk with the FreeBSD vulnerability to Brian Krebs.

"Fox also said Apple staff were already aware of the flaw when SecureWorks contacted them about it prior to their Black Hat presentation, and that Apple had already determined that the wireless flaw addressed in the FreeBSD patch was not exploitable on any of the Mac products"

Now this statement has come back to haunt Apple.  Ironically, I had accidentally stumbled upon this when I asked Maynor and Ellch in my video interview if the Wi-Fi vulnerability was anything "like" the FreeBSD hack back in January.  I could have sworn I got a funny reaction from Maynor and Ellch but I figured they only reacted that way because not many people knew about the FreeBSD flaw.  Little did I know at the time that I had actually stumbled upon the truth and that the Apple Wi-Fi flaw was EXACTLY like the FreeBSD flaw because it's all the same code.

So where do we go from here?  Next week at the Toorcon security conference, Maynor and Ellch will present their findings on Apple to settle this once and for all.  I'll be there to cover the event and ask questions.  If anyone in the audience wants to ask Maynor and Ellch any questions but can't attend Toorcon, please post them in the talkback below and I'll try to get them answered for you.  I will be posting video of the interview.

* People are still demanding that I provide proof of an "orchestrated" assault.  I had originally stated that I would release the details within days but I could not get authorization from the source.  SecureWorks PR had promised to release an FAQ over a month ago but they haven't delivered anything and they seemed content to not rock the boat and allow the vicious attacks on Maynor and Ellch to go unanswered.  This information will be released next week at Toorcon as well.

George Ou is Technical Director of ZDNet.

