
Apple Watch: The MacBook WiFi Exploit Controversy
Monday, 2006 October 2 - 9:38 am
In a discussion about an alleged security hole in Apple's wireless networking drivers, name-calling and unprofessionalism abound.

Let's start with the facts, from the beginning.

At the Black Hat computer security conference in August, SecureWorks researcher David Maynor and hacker Jon Ellch presented a video on a way to break into an Apple MacBook via its wireless networking drivers. Washington Post writer/blogger Brian Krebs put out an article entitled "Hijacking a Macbook in 60 Seconds or Less", which got widespread attention in the mainstream media. The gist of the mainstream media articles seemed to be that Macs are just as vulnerable to security issues as PCs.

Many Mac fans were upset by the video and the article, for a number of reasons.

- First, while the video made clear that a third-party wireless card and driver were being used, the Krebs article implied that unseen evidence pointed to an actual vulnerability in Apple's built-in wireless drivers.

- Second, while the video claimed that the victimized machine did not need to be connected to an access point for the exploit to work, the video used the attacking machine as a software access point "for the ease of the demo".

- Third, the whole thing seemed to be specifically made to inflame Mac users: "We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said.

- Fourth, Mac fans argued that most reputable security companies would go through proper channels (advising Apple of the vulnerability and allowing them to come out with a patch) before releasing such a sensationalist video.

John Gruber, who authors the highly respected Daring Fireball blog, wrote a critical article about the demonstration and the Krebs article. This started a name-calling contest which has since escalated and become really, really ugly.

There are two sides here. There are the supporters of Maynor and Ellch. This includes Krebs as well as ZDNet blogger George Ou. I'll call these guys "the Maynorettes". Then there are the supporters of Gruber and his view. This includes many other Mac bloggers (so many, that Maynor lumps them all together in the category 'Mac bloggers', as if we all held a single viewpoint). I'll call these guys "the Gruberettes".

Both the Maynorettes and the Gruberettes are guilty of name-calling. The Gruberettes have called Maynor and Ellch "liars" and "frauds". The Maynorettes have called John Gruber an "idiot", a simple Mac blogger who doesn't even know what a ring 0 exploit is. (For the record, I'm a Mac blogger and I do know what a ring 0 exploit is. It refers to an exploit that lets an attacker run code in kernel space, the most privileged CPU ring, exempt from user-space access restrictions.)

As time went on and the Gruberettes pressed for actual evidence of an exploit against Apple's native wireless drivers, the Maynorettes hinted that some conspiracy (originating within Apple's legal or PR departments, perhaps) was preventing them from speaking further on such exploits.

Last week, Apple did release a patch for wireless driver vulnerabilities, but claimed that these were vulnerabilities found via an internal audit of source code, and not vulnerabilities that were demonstrated to them by SecureWorks.

On Saturday, Maynor and Ellch were supposed to finally unravel the mystery about the whole story. But this was thwarted Friday by an announcement by Apple and SecureWorks, saying they were now working together to resolve security issues.

Huh?

Here's what I think is going on. Note that this is pure speculation.

Maynor and Ellch did find a legitimate vulnerability in third-party wireless drivers. Based on crash dumps, they suspected a vulnerability in the native Apple drivers but were unable to come up with a reliable exploit in time for the Black Hat demo.

SecureWorks sent some information to Apple, but Apple believed the crash dumps did not point to a vulnerability. Further, the Apple legal department probably threatened a defamation lawsuit if any claim was made about a native Apple vulnerability that did not actually exist. However, the episode probably prompted Apple to start their internal source code audit.

It is entirely possible that Maynor and Ellch were able to come up with an exploit that they could show at Toorcon. Whether this exploit would have been the result of reverse-engineering Apple's latest security patch is unknown. But SecureWorks seems to have finally come to its senses and figured out that security exploits are best handled through proper CERT channels, and that they should only be demonstrated once a patch is available.

Now, some opinions.

First, John Gruber was entirely right to question the legitimacy of Krebs' original article. When things are presented in an article as facts, without sufficient supporting evidence, then it is the responsibility of bloggers and other journalists to raise questions. Krebs should have been the one raising questions and pointing out flaws in the demonstration, and when he didn't, he was rightfully taken to task for it.

Second, bloggers such as George Ou and David Burke are doing nothing to help the conversation. They use convoluted logic to "prove" that Apple must be lying and that Maynor must have been right all along. Look, a detailed analysis of the situation is great, but not when it is done to support just one side of an argument. Burke's "careful dissection" of Apple's responses to George Ou's questions is a logical mess. If I have time at some point, I'll dissect his dissection and show you just how flawed it is.

Hopefully sometime in the future, we'll find out what happened. But for now, I think it's safe to say that this whole thing has been marked by some ugly unprofessionalism and dirty name-calling. Maybe we can all just shut up now, until we have more facts?
Posted by Ken in: techwatch
