Thursday, August 03, 2006

A 3rd party To BS About Apple Security

As reported by Daring Fireball:

Supposed MacBook Wireless Networking Exploit

The Washington Post’s Brian Krebs reports on a supposed wireless networking exploit that allows a MacBook to be hijacked. I smell BS, though — if you watch the video, the exploit apparently requires the MacBook to be using a third-party wireless card. Given that all MacBooks come with built-in AirPort support, how many MacBook users are actually susceptible to this? Any?

* Picture of paused video showing 3rd party USB wireless card

Worse, Krebs’s post makes no mention of this, instead making it sound as though the exploit works against MacBooks using their built-in wireless cards and drivers. If it’s truly the case that this particular exploit only works if a MacBook is using a third-party Wi-Fi card and driver software, it’s sensationalism at its worst — a case of supposed security experts impugning Apple’s reputation for the sole purpose of drawing attention to themselves.

Here's the article at The Washington Post: Hijacking a Macbook in 60 Seconds or Less

Look at the first of the video for the "3rd Party wireless card" John Gruber speaks of ... I don't understand how you could get a 3rd party driver installed onto someone's Mac like this ... you'd already have to have root level access to install the driver that will give you root level access. As far as I know, MacBooks won't run most USB wireless "add ons" straight out of the box ... you have to scour the net for a driver and usually have to ask a question or two at XLR8YourMac.

Further, the video (as you will see) also already has the terminal activated, meaning root level access is activated (most likely)

* Picture of paused video showing open terminal on "hacked MacBook"

I'll further John's BS-O-Meter and say ... how many Mac users use the terminal to connect to a wireless network?

Lastly, the user must specifically connect to a hacker's Windows machine that has been turned into a wireless base station (access point) ... even though "for demonstration purposes" the presenter says you don't have to. I suppose the "hacked access point" could be called "Free Internet Access" to entice users to connect ... but most people will connect automatically to the stronger signal in coffee shops and wifi hotspots.

What do you think?


Anonymous said...

Further, the video (as you will see) also already has the terminal activated, meaning root level access is activated (most likely)
That doesn't make sense. Having a terminal session open is going to be independent of enabling the root user. You also do not need to have the root user enabled to install drivers.

FYT said...

The root user doesn't have to log in or supply a password for anything.

Anonymous said...

"The root user doesn't have to log in or supply a password for anything."

uhh... The root user has to supply a password to log into a system. Once logged in, the root user would no longer have to supply a password to make changes. And your comment really has nothing to do with mine. Having a terminal window open has nothing to do with enabling the root user in NetInfo Manager, which you seem to imply it does when you say this:
Further, the video (as you will see) also already has the terminal activated, meaning root level access is activated (most likely)

FYT said...

So what's the argument - that is exactly what I was saying ... maybe I didn't phrase it properly.

From Daring Fireball:

Jim Thompson’s “Yet Another Thing About the Maynor/Ellch Affair” points to something in Maynor and Ellch’s video demonstration that has been bothering me, too: when Maynor gets shell access to the “attacked” MacBook, his shell’s current directory is that of the user who is logged in to the Mac’s GUI. A root exploit would typically put the current directory at “/” — that is, the root level of the startup volume.

Anonymous said...

Sorry, my point was that in your post you imply that if there is a terminal session active that this somehow means that the root has been enabled. This is factually incorrect.

You also said that you need root level access to install a driver. This is again incorrect. You can install drivers without ever enabling the root user.

The Daring Fireball post has nothing to do with what I am saying. The point that John is making is that it doesn't look like the attacker logged in as the root user.

I thought you might want to update the technical veracity of your post, or clarify your point to be correct.

FYT said...

In order to access the internal driver or to alter the OS a password IS needed. In the video, he does not enter a password so you must ASSUME he is logged in as root.

The point is the video, the presentation, and the information behind it are so poorly presented and ambiguous that it's really hard to debate what's right, wrong, or inaccurate. Gruber did the best job, but I'm not willing to go into such anal depth about it.

But thanks for your points ... it certainly will help others who read this.