But hopefully answers will arrive soon...

Aug 4, 2006 09:48 GMT  ·  By

The “Hijacking a Macbook in 60 Seconds or Less” article has stirred up quite a bit of controversy, especially after the video demonstration itself was put up online. The wireless exploit demonstration video that leverages a flaw in the drivers seems to have quite a number of ‘gray areas’ in it.

Firstly, the original article fails to mention that a third-party wireless card was used to gain access to the MacBook. Thus, the entire dig at Mac users' security smugness becomes nothing more than sensationalism. In reply to this, Brian Krebs has written a follow-up to the article: "I spent more than an hour with Dave Maynor watching this exploit in action and peppering him with questions about it.

During the course of our interview, it came out that Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet. Maynor acknowledged that he used a third-party wireless card in the demo so as not to draw attention to the flaw resident in MacBook drivers.

But he also admitted that the same flaws were resident in the default MacBook wireless device drivers, and that those drivers were identically exploitable. And that is what I reported. I stand by my own reporting, as according to Maynor and Ellch it remains a fact that the default MacBook drivers are indeed exploitable."

So… Apple ‘leaned’ on black hats? This sounds very interesting: just how exactly did Apple ‘lean’ on them, and what leverage could Apple possibly have? And granting that Apple did lean on the two hard enough to keep them from using a MacBook in the demonstration, did they then throw all that out of the window by having it published that the MacBook drivers are just as vulnerable?

As for the driver of the MacBook’s built-in wireless being equally vulnerable, that could very well be the case, but it was in no way proven, because a third-party wireless card was used instead. What are the specifics of that third-party card? Is it identical to the MacBook’s, or is it 802.11 pre-n? In the video, they clearly state “don’t think that because we are attacking an Apple, the flaw itself is in an Apple, we’re using a third party video card.” That sounds significantly different from “the flaw we are exploiting today in the MacBook’s wireless drivers, and it can be found in drivers for many different wireless cards, used by many different manufacturers”.

The second question concerns how the demonstration MacBook is used. The demonstration states that the attack can be carried out whether or not the targeted laptop is connected to a local wireless network. Yet, for the ease of the demonstration, they state that they will be connecting it to a fake wireless access point.

After the wireless access point is created by running a script on the Dell, the Mac’s terminal window is opened and you can see “bash” being typed to access the bash shell and then “ipconfig” to get the current network settings, after which the IP of the Mac is relayed to the audience.

This is not normal ‘handling’ of the Mac. There is an AirPort menu in the menu bar from which you can choose an available network, and that is what the vast majority of users use. Furthermore, since this step is skipped, the MacBook must have been configured to automatically connect to any open wireless access point available, which is not the default setting on a MacBook.

This is not an attempt to undermine the efforts of Ellch and Maynor, but simply an investigative look into gray areas that are open to interpretation and speculation, and hopefully we’ll get one step closer to the actual facts.