Atheros hasn't seen any credible code, either: Brian Krebs of Security Fix at the Washington Post updates the story he was the first to write about extensively, with access to the researchers. The Wi-Fi exploit that they claimed allowed compromise of a computer because of driver problems with several adapters now appears to be somewhat debunked. While the general premise is still reasonable--Intel released an unrelated Centrino update intended to prevent escalation of privileges via a Wi-Fi driver flaw--the researchers appear to have no leg to stand on at this point in terms of their demonstration and their claims. (Update: Some commentators and security experts have a different opinion: see bottom.)
Atheros's CTO, a blunt-spoken fellow, sent Krebs this statement: "Atheros has not been contacted by SecureWorks and Atheros has not received any code or other proof demonstrating a security vulnerability in our chips or wireless drivers used in any laptop computers. We believe SecureWorks' modified statement and the flaws revealed in its presentation and methodology demonstrate only a security vulnerability in the wireless USB adapter they used in the demo, not in the laptop's internal Wi-Fi card."
Apple said yesterday that the researchers had provided no information that showed an exploit was possible, and that the demonstration used a third-party Wi-Fi card and driver; the researchers updated their site to reflect this. Krebs received a clarification today from Apple that the researchers had, in fact, contacted them prior to their demonstration at Black Hat 2006--which seemed in dispute yesterday. Krebs writes, "Apple's revised statement today made it clear that the company had not received any evidence from SecureWorks to back up the claim that the Macbook drivers are indeed vulnerable."
Finally, Jim Thompson, whom one of the researchers attempted to smack down by attacking his expertise and misreading some of his analysis, goes all out. He has obtained a high-resolution version of the video that the two researchers recorded, and uses details visible in that version to show what appears to be misdirection and other problems with what they stated they were doing.
The suspicion now is that the researchers hit upon a FreeBSD Wi-Fi driver flaw that has since been patched, in code that Apple doesn't rely on directly, although Apple's own driver is built on top of it. Krebs is waiting for confirmation of this from Apple.
What do we learn from this? Not that Mac OS X is impregnable. Not that Wi-Fi drivers are trustworthy. Not that researchers may exaggerate data for publicity. Rather, that it is all too likely that a Wi-Fi driver could allow an exploit to happen--but that, under the banner of preventing exploits in the wild, it is too easy to take that general case and believe it applies to a specific one we can't see and touch.
Ultimately, the exploit the researchers allege they have found must be fixed, and at that point their research should be made fully available for inspection. If that doesn't happen, their credibility is sunk.
The moral of the story, truly, is "Don't taunt Mac users unless you've got something real to show."
Update: Some folks like George Ou and a few through private email who don't want to be identified at the moment are stating that researchers David Maynor and Jon Ellch never said that there was an exploitable feature in the driver for Apple's own Intel-based laptop Wi-Fi adapters. Ou has video of his interview at Black Hat 2006 with the two fellows in which they state this more clearly than any other coverage I've read or, in fact, their own video.
Ou suggests there's an orchestrated attack being conducted--one assumes by Apple?--against Maynor and Ellch to discredit them. He cites hate mail and crazy phone calls as part of this, but I don't think he's implying Apple is making them. He does think the press is ganging up against Maynor and Ellch. I'd suggest that we're seeing follow-up stories because the two researchers first said that Apple leaned on them not to show an Apple driver being hacked, then backed off that claim (or that claim was misunderstood). They also baited Mac users and didn't deliver the goods, making the goods seem unreliable.
Ou can't get Maynor to talk about the Apple situation, so he references the live demonstration that Brian Krebs received in a hotel room at Black Hat 2006, the full transcript of which Krebs published after people on his blog complained that he was exaggerating the exploit's potential. However, Ou misses a key point when he writes, "The transcript clearly reveals that Maynor had demonstrated the same exploit on a Mac without any third party wireless hardware!"
Krebs wrote in the introduction to the interview transcript, "in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in. As far as I'm aware, only one other person at the conference saw the demo the way I saw it (a Black Hat staff member whom I'm not at liberty to name); the discrepancy over the wireless card is probably the biggest reason why the Mac community was so confused and upset by my original post."
Now here's the crux. No one that I know of has seen the actual code or the details of the exploit, or at least they are not yet able to even state that they have. Thus, what Brian Krebs saw and George Ou cites is Krebs watching a few keystrokes on one computer and then a file appearing on a Macintosh. Krebs saw a live demonstration, but he still hasn't seen the code. Apple has apparently seen the code, but says it's not an exploit. Atheros has not seen the code.
I'd like to say I'm from Missouri here: show me. Let's hear from an independent party who won't reveal the code but who has inspected it and performed the exploit on unmodified equipment.
Another update: Some think that Apple has snowed me. There should be more news this week. Many security researchers and commentators know Maynor or Ellch, and believe they have seen something legitimate. If so, Apple will have a lot to answer for.
Posted by Glenn Fleishman at 11:11 PM | Categories: Security | 3 Comments
3 Comments
David Ulevitch | August 20, 2006 3:10 PM
For such a serious attack, you would think the security researchers would be proactively finding other credible researchers to demo the attack and get confirmation from. They don't need to post code to bugtraq to clear their names, they just need to get the word out to other trusted names who can back them up.