The Black Hat Wi-Fi Exploit

Joe Barr writes to tell us that while many have heard that an Apple was exploited in order to install a rootkit at the recent Black Hat security conference, most people don't know the details of how it works. This is no accident; it seems that the researchers who demonstrated the flaw were intentionally vague. Some theorize that this is in response to the real or perceived threat of legal action, similar to the situation with previous Black Hat presenter Michael Lynn.
  • Video of the exploit (Score:2, Informative)

    by AcgiGlyph ( 668545 ) on Wednesday August 09, 2006 @02:24AM (#15871884)
    For those that couldn't make it, here is a video showing the exploit. http://video.google.com/videoplay?docid=-4415735958080028817 [google.com]
  • Re:Still fishy... (Score:2, Informative)

    by EvanED ( 569694 ) <{evaned} {at} {gmail.com}> on Wednesday August 09, 2006 @02:26AM (#15871886)
    Flamebait? Maybe, but the [macrumors.com] parent [thecrimson.com] is [theregister.co.uk] right [theregister.co.uk]. (Especially the second to last one is egregiously bad, and Apple easily should have had to pay court costs to Something Awful.)
  • by Anonymous Coward on Wednesday August 09, 2006 @02:47AM (#15871919)
    I think the comments about Apple's image are off. This was a third-party card, NOT the built-in Apple one. So it was probably based on a different chipset than the one Apple uses - otherwise they could just have used the built-in one.

    So, which card was it? Considering that most companies only threaten legal action, and researchers usually ignore the threats, a good guess is that this is a company that is known to not only threaten. One that ISS had problems with before. In short: I bet it was a Cisco card. Not an Apple card but a Cisco one.
  • Was it root (Score:3, Informative)

    by INeededALogin ( 771371 ) on Wednesday August 09, 2006 @03:52AM (#15872031) Journal
    From the presentation... it seems that he didn't have a root shell, but only a user shell on Apple. Why just play on the user's Desktop? He should have edited some serious files like /etc/shadow, /etc/password or /usr/local/etc/sudoers. He could have at least used the "say" command in the demo to have the Mac say that it had been owned by Johnny Cache. That would have been a nice touch.

    My main reason for believing that he had the logged-in user's access is due to the fact that wireless is not system-wide on Apple, but is started when a user logs in. If you change users (fast user switching etc.) then all your network connections drop as the wireless is restarted with the new user.
  • by gnasher719 ( 869701 ) on Wednesday August 09, 2006 @05:31AM (#15872238)
    Your post is very misleading. You write that "it still worked on the macbook's internal airport card" with a reference to the highly respected arstechnica.com. However, if you read the arstechnica article, all it contains is that a reader told them that the hackers claimed that it works with an airport card. So the only evidence that we actually have for this is an article claiming hearsay about an unsubstantiated claim. Bollocks to that.
  • Re:Was it root (Score:1, Informative)

    by Anonymous Coward on Wednesday August 09, 2006 @05:54AM (#15872292)
    The exploit owns the kernel since this driver runs in the kernel; and owning the kernel is even better than root.
  • Re:Was it root (Score:3, Informative)

    by LexNaturalis ( 895838 ) on Wednesday August 09, 2006 @06:18AM (#15872341)
    They discussed why your comment is completely baseless while at DefCon. This was a kernel-level (as it was driver-based) exploit so asking if they had "root" is to demonstrate a fundamental lack of knowledge of the OSI model. The driver itself is what was being exploited which is being run by the kernel. There is absolutely no root v user shell debate in this exploit.
  • by Aladrin ( 926209 ) on Wednesday August 09, 2006 @06:34AM (#15872373)
    Actually, you WERE told how to prevent an attack. Maybe not outright, but it was there. The original Slashdot report http://it.slashdot.org/article.pl?sid=06/08/03/129234 [slashdot.org] said that "Machines are vulnerable if they have wireless enabled and are set to connect to any available wireless network". This is enough information to secure your system. Simply tell it not to connect to any available wireless network. Only allow it to connect to networks you have specified. Tada. No cash needed for this fix.

    You can throw money at me instead, if you feel the need.
  • by Ravenium ( 73022 ) on Wednesday August 09, 2006 @06:37AM (#15872379) Homepage Journal
    Without any detailed disclosure, sure, the craftiest people will determine how to perform said exploits. However, there are very, very few of these compared to the script kiddies that will show up if you hand out the source and/or a road map to every Tom, Dick, and Harry. At least they're giving Apple (and others) a chance to address the problem by pointing out that there IS a problem.

    I'm not buying the people who are upset at a lack of full disclosure because they are "unable to protect themselves". If there was a way to protect yourself, sure, perhaps you could tell people how to do it. However, judging from the presentation itself (at Defcon), there really IS no way other than mutilation of the driver itself (see the slide with the nintendo DS) to quickly defend one's system. Not only would this significantly break a lot of things, most users wouldn't know the first thing about doing it.

    The root causes as outlined in the presentation were a combination of a poorly planned and thought-out protocol (802.11) and a quick-to-market rash of sloppy driver implementations, and it's going to take nothing less than at least a driver patch (or in a fantasy world, an overhaul of existing wireless protocols... 802.11 lite if you will).

    So quit accusing the presenters of being motivated by greed, stupidity, or other such notions - the best way to secure users at this point is to speak with the manufacturers directly and attempt to achieve a patch, not to detail how to break in to every last miscreant on the planet. The authors are starting to do this by their dealings with Apple.

    Oh, and for those of you that missed the FAQ at the end of the presentation:

    -Yes, it affects the kernel, which means it's >= root/Administrator on any system

    -It's a driver/spec implementation issue, which means it's not an OS-specific problem. The use of an Apple machine in order to show that "any" platform is at risk was meant to illustrate this.

    -The money slide was a joke meant to show how lightly many people were taking this issue. I have no way of proving the intentions of the presenters, of course, but I believe this was the case - they stated their intention was to get this problem addressed through discussion, not money.

    All in all, easily my favorite defcon session (unless you count the shots of 151 distilled through peppers). Thanks, guys!
  • by Drizzt Do'Urden ( 226671 ) on Wednesday August 09, 2006 @08:08AM (#15872590) Homepage
    The Apple driver can make any card whose chipset is known to work.

    I've got a Sonnet PCMCIA card in my PB400Mhz whose chipset is the same as the Apple Extreme Card; when I plug it in, it's found as an AirPort card and I had nothing to install to make it work!

    Sad thing is, it's supposed to work on Windows 98/ME/2K/XP, but I didn't manage to do so yet!
  • by qazwart ( 261667 ) on Wednesday August 09, 2006 @08:54AM (#15872799) Homepage
    The presenters were very specific. The security hole discovered is below the OS level and is in the drivers. Drivers are written by multiple parties and have always been a vulnerable part of the system. However, before you had to be physically connected to the system to exploit a driver hack. That itself made drivers pretty secure. After all, not too many people install hard disk drivers they get in random emails. With WiFi, you no longer need a physical connection, and therefore the danger. Mac, Linux, Unix, BSD, and even (gasp!) MS-Windows are all exploitable to this hack.

    This exploit was kept under wraps to allow vendors to release security fixes before the exploit spreads to every two-bit kiddy scripter around. It doesn't make much sense releasing information on how to implement this exploit when there really isn't too much you can do to stop it. It's the reason why the presentation was done on video and not live.

    Of course, once the exploit is known to exist, it is only a matter of time before someone else finds it and implements it. I already know at least one person who is on his way to duplicate it, so the vendors better hurry up and fix the security hole. Apple and Microsoft can't take their merry ol' time fixing this one.
  • by bemenaker ( 852000 ) on Wednesday August 09, 2006 @09:15AM (#15872914)
    I don't remember which article talked about it, but the presenter said that almost all drivers have this vulnerability in them.
  • by Martin Blank ( 154261 ) on Wednesday August 09, 2006 @09:48AM (#15873218) Homepage Journal
    Making the details vague, especially by not telling which card to avoid using, makes the users unable to do anything to prevent being victims. That very much GIVES the attackers the upper hand.

    For those attackers that can replicate the exploit, yes, it does. However, in some cases, it can be considered ethical to not release the information.

    For example, I took a wireless security class led by Joshua Wright, who some may know as the creator of several wireless attack tools such as asleap and lorcon (the latter was used by these researchers). During the class and in a presentation during the week, he demonstrated several tools that he refused to release due to their ability to cause mischief. Some of them had clear legal liability -- a tool designed for use at for-pay hotspots, for example. Some of them he simply deemed too dangerous to be released, such as the Bluetooth PIN cracker that he demonstrated in the presentation. He did provide some information on each tool and vaguely how they worked, but not enough to recreate the exploits.

    What he did do is present some mitigating steps, such as using IPSEC VPNs at hotspots, or using Bluetooth PINs of at least eight (and preferably 12 or more) digits in length (but since many device PINs cannot be set by their owners, people should at least be aware of the issue). The presenters did the same thing here, providing a work-around that mitigates the problem for the moment until the situation can be solved at a larger scale.
  • by Anonymous Coward on Wednesday August 09, 2006 @09:53AM (#15873249)
    Actually the researchers explicitly mentioned that the card does not need to associate with an access point to be exploited.
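Two remarks in this thread describe the mechanism defenders care about: the root cause is "a poorly planned protocol (802.11) and sloppy driver implementations", and "the card does not need to associate with an access point to be exploited". A station parses beacon and probe-response frames from every nearby radio before it ever associates, so a driver that trusts the length bytes in those frames is reachable by anyone in range. The following is an added example, not code from the researchers, from Apple, or from any real driver: a bounds-checked parser for the information elements in a beacon body, with constructed sample frames, showing the checks a careful driver performs on each type-length-value element before copying it into a fixed-size buffer. The layout constants and sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the page's or any vendor's code): an 802.11 beacon body
 * is 12 bytes of fixed fields followed by information elements (IEs). Each IE
 * is a type-length-value triple: one byte element ID, one byte length, then
 * `length` bytes of value. Every length on the wire is attacker-controlled. */

#define IE_SSID 0
#define MAX_SSID_LEN 32
#define BEACON_FIXED_LEN 12 /* timestamp(8) + beacon interval(2) + capability(2) */

struct beacon_info {
    char ssid[MAX_SSID_LEN + 1]; /* NUL-terminated copy of the SSID IE */
    int ie_count;
};

/* Parse a beacon frame body. Returns the number of IEs found, or -1 if any IE
 * claims more bytes than the frame carries or an SSID exceeds the 32-byte
 * maximum the spec allows. Each check is one a sloppy driver might skip
 * before copying into a fixed-size kernel buffer. */
int parse_beacon_body(const uint8_t *body, size_t body_len, struct beacon_info *out)
{
    memset(out, 0, sizeof *out);
    if (body_len < BEACON_FIXED_LEN)
        return -1;
    size_t off = BEACON_FIXED_LEN;
    while (off < body_len) {
        if (body_len - off < 2)       /* no room for the id/len header */
            return -1;
        uint8_t id = body[off];
        uint8_t len = body[off + 1];
        off += 2;
        if (len > body_len - off)     /* declared length runs past the frame */
            return -1;
        if (id == IE_SSID) {
            if (len > MAX_SSID_LEN)   /* spec maximum; never trust the wire */
                return -1;
            memcpy(out->ssid, body + off, len);
            out->ssid[len] = '\0';
        }
        off += len;
        out->ie_count++;
    }
    return out->ie_count;
}

/* Constructed sample 1: well-formed body with SSID "lab1" and a rates IE. */
static const uint8_t SAMPLE_GOOD[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04,   /* fixed fields */
    0x00, 0x04, 'l','a','b','1',             /* SSID IE */
    0x01, 0x02, 0x82, 0x84                   /* supported rates IE */
};

/* Constructed sample 2: SSID IE claims 40 bytes but only 4 follow. */
static const uint8_t SAMPLE_OVERRUN[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04,
    0x00, 0x28, 'l','a','b','1'
};

/* Constructed sample 3: 33-byte SSID, all bytes present, still over the limit. */
static const uint8_t SAMPLE_LONG_SSID[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x01,0x04,
    0x00, 0x21,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'
};

/* Wrapper: IE count for a body, or -1 when the parser rejects it. */
int ie_count_of(const uint8_t *body, size_t body_len)
{
    struct beacon_info info;
    return parse_beacon_body(body, body_len, &info);
}

/* Wrapper: 1 if the body parses and its SSID equals `expected`, else 0. */
int ssid_matches(const uint8_t *body, size_t body_len, const char *expected)
{
    struct beacon_info info;
    if (parse_beacon_body(body, body_len, &info) < 0)
        return 0;
    return strcmp(info.ssid, expected) == 0;
}

int main(void)
{
    printf("good:      %d IEs\n", ie_count_of(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("overrun:   %d\n", ie_count_of(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN));
    printf("long ssid: %d\n", ie_count_of(SAMPLE_LONG_SSID, sizeof SAMPLE_LONG_SSID));
    return 0;
}
```

The point of the two rejected samples is that they are indistinguishable at the radio layer from a legitimate beacon: nothing about them requires association, authentication or even an access point, which is why a length check missing from driver code is a remote, pre-association defect rather than a local one.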
  • by daveschroeder ( 516195 ) * on Wednesday August 09, 2006 @10:38AM (#15873619)
    They specifically said it was exploitable on Linux and Windows. They chose Mac OS X because they said that Mac users had a "smug" attitude about security and wanted to show something like this could be done on Mac OS X as well.

    So no, it's not speculation that it's exploitable on other platforms, because the presenters themselves said it was, and specifically said they ultimately chose to demo it on the Apple platform for the reason stated above.

    On that note, though, I do agree that the reasoning to use a third-party wireless card in the MacBook was shaky. They said they used it so as not to draw attention to the fact that the internal wireless card in the MacBook is vulnerable, even though they specifically state that the internal card is vulnerable. So how does this do anything to not draw attention to that, given that now, everyone thinks this is an exploit affecting only MacBooks, and not even any other Apple products with the Atheros card, much less any other platform under the sun?

    John Gruber has a very good writeup on this issue here: http://daringfireball.net/2006/08/krebs_followup [daringfireball.net]

    As for "why not demo it on multiple platforms", it sounds like this little exploit is not nearly as easy to set up and take advantage of as they imply. The above writeup also touches on the motives of the presenters as well ("if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something"). Yeah, no bias there!
  • by Anonymous Coward on Wednesday August 09, 2006 @02:56PM (#15875804)
    Correct. I was at the talk, and they stated that they used these settings in order to gain a remote shell and show off the exploit. The exploit could easily just drop a keysniffer or some other malicious payload which would only contact the attacker once a legitimate connection was established.
