The Boy Who Cried Wolf
It appears that Apple’s new commercials have gotten under some people’s skins. Justin Long, previously of Dodgeball fame, makes the true claim that there are no known viruses for OS X. With comedy. I thought that particular commercial was one of the funnier ones, actually, with John Hodgman sneezing.
About a month later, Washington Post computer security columnist Brian Krebs reported on an 802.11b/g exploit for the MacBook. We’ll get into the minutiae of this story later, but first I want to underscore how central these commercials have been in bringing security researchers Jon Ellch and David Maynor, of SecurityWorks, to the MacBook in particular. He quotes Maynor as saying:
We’re not picking specifically on Macs here, but if you watch those ‘Get a Mac’ commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something.
Now, what Krebs says is that he saw Ellch and Maynor demonstrate an exploit that allows them to take control of a computer just by having its WiFi card turned on. They say that this is a flaw in the driver that powers the card itself. But they’re short on details; they say they’re doing it to keep the exploit from making it into the wild before Apple resolves the underlying flaw, and I’m willing to give them the benefit of the doubt on this.
At this announcement, all hell broke loose. Within hours, this story was all over Digg and Slashdot—and the entire rest of the Internet. I picked it up off John Gruber’s Linked List. Much of what I saw was the usual, self-congratulatory “A-ha! You’re not safe either!” stone-throwing, which I’ll never understand. For some reason, it seems to me that a lot of writers on the Internet let Justin Long’s satyrical tone get under their skin and, rather than lamenting Windows’ poor security or finding solutions, just want Mac users to be vulnerable, too. It’s like watching the sore loser fans who cheer when an opposing player is injured.
Ordinarily, this story would end there, and I would report for you on what everyone said about it. My usual approach to these sorts of stories is a little like “Crossfire”: get out of the way and let the bomb-flinging begin.
But this WiFi hack story is a little more esoteric, and a lot more shrouded in secrecy, than most of the material that I get to report on. (It took all the fun out of the WWDC post-mortem I was going to write for September.) So, this month, you’re going to get a more in-depth analysis of exactly what’s going on in this story—from the few tech writers who have really immersed themselves in finding out whether Ellch and Maynor are being secretive as a public service, or for more nefarious reasons.
Glenn Fleishman took an initial hack at it, trying to make sense of what our friendly neighborhood researchers are saying is possible. You see, Ellch and Maynor are claiming that you don’t have to be associated with a particular access point, or be transmitting data via the AirPort card at all, in order to be vulnerable to this attack. Fleishman says that the only kind of frame an unassociated WiFi card will accept is a “beaconing frame,” data that identifies available, open access points to anyone within the physical broadcast area. (That’s how the AirPort menu is populated with available access points.) His hypothesis is that the attack relies on a bad (“malformed”) beaconing frame, which somehow exploits a vulnerability in the driver to give an attacker access to the computer.
Several days later, Jim Thompson analyzed a high-resolution version of the demonstration video and came to the conclusion that the attack itself was staged, a fraudulent non-exploit, to give Ellch and Maynor a headline-grabbing story to run with for a few days. He goes into technical details about what the attack could be, which are really esoteric—he notes that there are a few more possibilities than Fleishman suggested, but that some kind of bad data is involved.
But Thompson recognizes, from looking over the video, that it does not appear to use either hardware or software that would make a stock MacBook vulnerable:
In the presentation, Maynor uses a “third-party wireless card.” It looks like a ExpressCard/34 802.11 card, but the non-‘Pro’ MacBook doesn’t have ExpressCard slots, and the card they hold is too big to be a USB device, yet the MacBook they use is definitely black.
Something already smells like day-old fish.
He believes that this is no real-life exploit at all, but a staged attack with both ends controlled by the attacker. Like playing at war in a video game, or like the time that “Dateline” did a report on GM trucks exploding when hit on the fuel tank at low speed, and staged the accidents. Thompson’s conclusion? This paper should have been called, “[W]e can create a covert channel by having control of the software on both sides of a communication link.”
John Gruber calls foul on the whole thing: he says that either Maynor and Ellch or Krebs, or both, are going to exit this situation with their reputations in tatters. The problem, as Gruber sees it, is that Apple has categorically denied that the exploit uses any code in OS X. So either Ellch and Maynor are lying, or Krebs is misrepresenting their claims. Gruber notes that SecurityWorks has backed down somewhat from Ellch and Maynor’s initial claims, essentially admitting that the vulnerability only affects non-AirPort hardware and software. This is a synopsis of a very long piece, but it’s well worth reading. Two days later, Gruber wrote an update to the original post to note a few additional considerations about the story.
Gruber singles out CNet’s George Ou, along with Krebs, as a tech reporter who gagged on the fundamental issues. But unlike Krebs, who appears to have just punted in the aftermath of the story’s implosion, Ou brings in a “legal professional” friend to analyze Gruber’s logic and come to a different conclusion. He parses the words, much like any other lawyer, and determines that Ou’s and Krebs’ reporting was not necessarily bad or misleading…and that Gruber is playing hard and fast with the facts. You know my feelings about John Gruber, and I think his article was solid, but if you read Ou’s article, you might not agree.
Last but not least—whew!—is Securosis’ re-analysis of the situation. Like Ou’s “legal professional” friend, but without the parsing, writer rmogull admits that he reads the facts the same way as Gruber but comes to a completely different conclusion. He doesn’t buy that a PR lackey has any stake in security, and is willing to believe Maynor, Ellch, and Krebs over Apple’s PR people. That unequivocal statement from Apple’s Lynn Fox, was, after all, the lynchpin in Gruber’s logic.
The very real risk here—the most obvious point of all—is that if Ellch and Maynor are doing this just to get attention, they could become the boy who cried wolf. If you claim that there are existing vulnerabilities and are proven wrong too many times, what happens when you really do find one?
But, as far as your safety is concerned…you should be safe from any specific attack, for now. Either you’re not vulnerable unless you’re using an external USB adapter; or you’re not vulnerable unless you’ve hacked your driver to allow for the vulnerability; or you’re not terribly vulnerable because the details haven’t been released. Keep your eyes open, as always, but this one looks like it’s not going to bite you just yet.
Rock Me Like a Hurricane
- A switcher update: Josh Marshall loves his Mac, and Tim Bray is back to his after all the to-do about Ubuntu Linux.
- In case you missed it, WWDC was at the beginning of August. The wrap-up was originally going to be this month’s column. Apple announced the new Mac Pro, and Macworld, AnandTech, and Powermax snapped it up and had their reviews up shortly. John Gruber makes a note of the fascinating new Apple hardware nomenclature. Macworld takes a more in-depth look at how Time Machine works, and Ars Technica wonders if a new OS X compiler is coming.
- Do you remember the Apple Newton? My seventh-grade teacher had one, and he loved it. With Microsoft’s ultramobile PC (UMPC) concepts finally coming online, CNet UK pits Samsung’s against the Newton—and they think the Newton wins. That was ten years ago, folks.
- Word on the street has it that the latest iPod software update contains signs of phone software. Nothing’s definitive, but I might have to eat my hat if Engadget is right and that shows that the iPhone is coming soon.
- Macworld discovers that the Mighty Mouse Bluetooth discharges its batteries in series, rather than in parallel like I would have expected. That means it can operate on just one battery. It also means the second battery is only for added time on a charge, which is not the reason you add a second slot normally. Good for Apple.
- If you’re a student at a West Coast university, or a quarter school, you still have time to buy a new computer. This month, Julio Ojeda-Zapata of the St. Paul Pioneer Press and Mike Langberg of the San Jose Mercury News have their respective recommendations for good back-to-school PCs, including Macs. In case you’re in the market, for school or not, they’re worth reading.
- From the Icon Factory, an article on iconography in the era of very high resolution displays. This is a topic that is going to become increasingly important, because someday your computer screen really is going to have a resolution similar to laser printed text. It’s interesting, how an icon that once needed to be 16×16 or 32×32—think of Susan Kare’s dogcow—now needs to be 128×128, or 256×256. Someday, maybe more.
- Wild speculation from Slate: Can Apple build the iTV? More to the point, is it within Apple’s power to get this right?
- Dell is throwing in the towel on selling MP3 players. Don’t say I didn’t tell you so, guys. I’m sure most consumers are shedding tremendous crocodile tears.
An update: On September 1, John Gruber issued a challenge to Maynor and Ellch: I will purchase and give you a new MacBook if you can hack into it, off the rack. He expects to be ignored, but he’s right that it would be nice to know if the MacBook is vulnerable—or not.