Is this a hoax?

Aug 22, 2006 07:54 GMT  ·  By

The plot of the wireless MacBook exploit thickens, and - as the quagmire grows - it is becoming increasingly clear that something is amiss.

After Apple spokesperson Lynn Fox's statement got published in Macworld, a reader of Krebs' article called him out in the comments, asking him to explain the discrepancy between his report and the Apple statement. Krebs' response is interesting at the very least: "and you think that Macworld articles adds anything to this because why? You should spend a little bit of time looking at what Apple is actually claiming, and what they're not talking about here. Apple's PR people are basically pointing out exactly what I've said for the past two posts on this issue - that Maynor et. al indeed used a third-party USB card in the video."

Of course, looking at the Apple statement, one can clearly see the second part of it which reads: "Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship."

How exactly Krebs managed to miss that part is unclear; however, he clearly missed it, as his response continues: "SecureWorks is claiming that despite Apple's claims to the contrary, that the company is shipping Mac products with vulnerable wireless device drivers. What Apple has not addressed in any kind of detail is whether or not the embedded drivers in the MacBook are vulnerable. All of their response so far is aimed at the demo showed in the video publicly."

So, according to Krebs, Apple is only talking about the video and the third-party card. Furthermore, they are in the wrong for shipping vulnerable devices, despite warnings from SecureWorks, and have made no clarification as to whether there is a vulnerability or not. Krebs' comments would be comical were they not actually very serious. How he can suggest to his reader that he should spend more time looking at the statement is baffling considering his own extremely poor reading comprehension.

Regardless of how confused or in denial Krebs might be, these are two very contradictory statements. Apple says they have not been contacted regarding any vulnerability in the hardware and software they currently ship, while Krebs repeatedly reported that Maynor had contacted Apple.

Another interesting piece of information can be found in the PowerPoint file that Krebs links to at the end of his transcript. The file was created by Maynor and Ellch, and contains "slides responding to some of the questions they'd heard from Mac users," which they apparently presented at DefCon, their second appearance to give this talk.

There are only six slides in the file, the last of which reads: [Q:] I saw some people quote you as saying the bug is in the built-in in card and other people quote you as saying as its [sic] not, who is right? [A:] They both are. The exploit shown in the video was targeting a specific third party driver and that same vulnerability does not affect the built in [sic] card. We are, however, doing ongoing research on the built-in card as well and have shared our findings with Apple.

So it seems that according to Maynor and Ellch, they have contacted Apple and have shared their findings, but Apple says they have not? Clearly one of the two has to be lying.

Interestingly enough, the chief technical officer of Atheros Communications, the company that produces the built-in AirPort chipsets Apple includes in every MacBook, sent the following message to Brian Krebs via email:

"Atheros has not been contacted by SecureWorks and Atheros has not received any code or other proof demonstrating a security vulnerability in our chips or wireless drivers used in any laptop computers. We believe SecureWorks' modified statement and the flaws revealed in its presentation and methodology demonstrates only a security vulnerability in the wireless USB adapter they used in the demo, not in the laptop's internal Wi-Fi card."

At this point, one begins to wonder exactly what SecureWorks is playing at. Supposedly, they have discovered a vulnerability; however, they have not contacted the manufacturers of the vulnerable devices in question regarding the vulnerability itself, despite claiming to have made such contact. This seems irresponsible at the very least. If there is a vulnerability, get the fiasco over with and come out with some proof, if there is any; and if this is nothing but an elaborate hoax, then take what is coming to you.

Both Krebs and SecureWorks keep shifting the focus to the video and the third-party device used in it. This is not the core issue: everyone agrees that a third-party device, along with its accompanying driver vulnerability, was used. However, the original article's headline read "Hijacking a MacBook in 60 Seconds or Less" and the article initially made no mention of the fact that a third-party device was used. Furthermore, in a follow-up, Krebs reported that the flaws existed in the default MacBook wireless device drivers and that they were identically exploitable, and stated that "during the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet."

While the headline is clearly sensationalistic, one fact is clear: the articles state that the default, out-of-the-box, Apple-shipped MacBook is vulnerable to this kind of attack. If anything Krebs reported were in fact fabrication, and Maynor and Ellch had not said anything about the default wireless drivers being vulnerable, or about Apple leaning on them, or about having contacted Apple, why have they not made a public statement clearly indicating so? The lack of any such statement indicates that Krebs was indeed reporting what he had been told; however, the manner in which this was done is clearly geared towards making as much noise as possible and riding on the security reputation of Apple's machines.

At this point, it is far too late for Maynor and Ellch to deny any of the statements in the original article, just as it is too late for Krebs to go back and get rid of the headline of the original article and its clear dig at the Mac's security record. Their best hope is to fade slowly away from everyone's attention, but that does not look like it is going to happen any time soon. In fact, it looks like things might be heating up a lot more.

Jim Thompson, after obtaining and studying a high-resolution copy of their exploit demonstration video from which he can read the characters in the terminal windows on-screen, suggests that even their exploit of the third-party USB card was a fraud, based on discrepancies in the MAC addresses and networking interfaces. His investigation into the matter can be found here.

If indeed this entire thing turns out to be a hoax, the one question is why? Why go to such lengths to try and tarnish the security reputation of Macs? Can it really be because of frustration caused by the Get a Mac ads?