The Black Hat Wireless Exploit Interview, Verbatim
I've received an overwhelming amount of hate mail from Mac enthusiasts over two previous posts on a wireless-device-driver presentation at the Black Hat hacker conference, with people accusing me of all kinds of nasty things. Rather than respond to every wild accusation under the sun, I thought it best to give readers all of the information that I have on this. I am posting here a word-for-word transcription of a taped interview I had with David Maynor of SecureWorks in his hotel room on Tuesday, Aug. 1 -- the eve of his presentation at Black Hat.
I've been asked this many times, so let me make this crystal clear: I had the opportunity to see a live version of the demo Maynor gave to a public audience the next day. In the video shown at Black Hat, he plugged a third-party USB wireless card into the Macbook -- but in the demo Maynor showed me personally, he exploited the Macbook without any third-party wireless card plugged in. As far as I'm aware, only one other person at the conference saw the demo the way I saw it (a Black Hat staff member whom I'm not at liberty to name); the discrepancy over the wireless card is probably the biggest reason why the Mac community was so confused and upset by my original post. I tried to clarify that in a follow-up, and am posting the contents of that interview -- verbatim -- to give the public all of the information I have about this particular exploit.
As I turned the tape on, Maynor was just beginning to demonstrate the exploit for me.
Maynor: OK, so the first step in this is we want to turn this [Windows laptop] into a wireless access point.
BK: Oh, so you do have to have it connected?
Maynor: No, this is just for the demo. This is the way we've developed the demo. If I explained it any other way, you wouldn't see anything. It would just say, "Exploit done." This way you can see the results of it.
[Maynor runs the connect-back script that leverages the flaw in the Macbook's wireless device drivers to connect back to the Windows laptop to which it was already associated.]
Maynor: So, I'm going to place a file on the desktop here on the Macbook using this machine here. What should I call it?
BK: I dunno. How about "owned"? [A text file named "owned" shows up on the Macbook desktop.] Wait, OK. Explain to me exactly what you're exploiting in here. Is it a flaw in the Macbook itself?
Maynor: Yes, it's a device driver. The thing is, there's a flaw in the OS, but I don't want to specifically point to it, so in the video you'll see I used a third-party USB device. What I'm trying to do is highlight the problems in device drivers themselves, not any one particular flaw. [Maynor misspoke here, and I later clarified this point with him. The wireless device driver that powers the internal wireless card on the Macbook contains flaws that -- when exploited -- give the attacker the ability to create or delete files, or modify system settings. The flaw is in fact in the Macbook's wireless device driver, which is made by a third party. So again, to be clear, the flaw is not, as he suggests in the transcript of this interview, in the Mac OS X operating system itself.]
BK: Oh. OK, well, then aside from this Macbook example, how many other machines have you been able to find this kind of --
Maynor: So this attack I'm showing right here doesn't work on anything but this particular Macbook. If we were looking at something else like Broadcom or Linksys or something like that, you'd have to develop a custom exploit just for that. You're asking how many other machines have been able to compromise remotely like this, right?
Maynor: There's three other ones right now, and those are all Windows-based. Wait, actually, two of them are Windows-based and the other is in a [garbled] operating system --
BK: A what?
Maynor: A free operating system, like a Linux-based operating system.
BK: I see. OK. Care to be more specific about which of the Windows ones you've been able to exploit?
Maynor: Well, on the Windows ones, one is an external card and one is an internal card.
BK: OK. So, where does the scanner come in?
Maynor: Remember how I told you that exploiting these are very, very dependent on driver version and operating system? So that the exploit you developed for one version, but if you make a minor change it doesn't work on another system? [The scanner] can tell you what chipset and driver version, so you can tailor your attacks better.
BK: But you're saying in addition to this you've found multiple problems? You're saying that in addition to this flaw [present in the Macbook drivers] there were three others that you've been able to find?
BK: And, so I'm clear: Two of [these] were Windows-based, one Linux-based, and one of those Windows exploits is actually in a third-party external wireless card designed for Windows?
Maynor: Correct. Well, I mean, technically they're all third party. [Points to my HP Pavilion laptop] Microsoft itself -- on your HP laptop here -- Microsoft doesn't write those drivers. A third party does.
BK: I understand. So, have you got something to exploit the embedded HP drivers too? I'd love to see that.
Maynor: I dunno. Pull it out and we'll look.
[We looked and learned that my machine uses a built-in Broadcom device driver, for which Maynor and Ellch were not yet able to find an exploit. Moving on ...]
Maynor: So, the other stuff we found I'm telling you, but we're not ready to release a lot of our other findings, because one of our goals of our talks is we want to educate developers on how to find these vulnerabilities and how to integrate those methods into their development process. We've already talked to Microsoft about this --
BK: Oh? And what was their response?
Maynor: I mean, I'm really surprised by Microsoft these days. The guy -- specifically the guy giving the Vista wireless talk here -- we, [co-presenter Jon Ellch] and I talked to him about how to make fuzzers more efficient. Our goal here isn't specifically to highlight individual vulnerabilities we found, but the class of these vulnerabilities and educate people on how to fix them. So, it's cool that it's in an Apple, but the fact that we have a bug in Apple in itself isn't the coolest thing, it's just that you can then basically extrapolate that this problem is pretty much across the board. Take a look at this, if you want to see what we've been looking at lately -- we've been auditing a lot of wireless cards.
[Maynor pulls out a couple of cards, both made by Netgear. One is a WPN511, and the other a WG511T. As Maynor would later allude to, these were the cards he and Ellch used to locate and exploit the wireless device driver flaws they found.]
Maynor: So, what we've been -- you know, I lost my train of thought. To be honest, you're not going to find a lot of people running around with that kind of caliber exploit, and that's one of the reasons we're so paranoid about it. We don't want copies of it to get out. But a lot of these cards, you can flat-out crash them. So a denial-of-service, most security researchers will generally turn their nose up at, because it's not generally that interesting, right? But in this case, it's also like VoIP [voice over Internet protocol, which facilitates Internet-based telephone calls]. If you have a DOS in Cisco VoIP, for example, you can DOS a box and make the phones stop working, and that's better than your average DOS, right? So in these cards, if you DOS them, you can blue-screen the box. Which in itself can be a nuisance.
BK: So explain to me again how it is that -- you said earlier that you put these two on the same subnet, because you wanted to be able to show the exploitation on the Mac system, right? But what if they weren't on the same subnet?
Maynor: So that demo compromises the Macbook, and allows me to log into it interactively. It's just like I'm sitting at the keyboard on the Mac. So that's possible because we're on the same IP network.
BK: I understand. But let's say this thing isn't connected to your network, and it's just broadcasting and looking for an AP?
Maynor: So at that point there's no way for a connect-back shell to work because we don't have a central communication medium, so without writing my own driver that's going to insert to like bring up the card and get the same IP address on my network, we can't do bi-way TCP communication. So, an exploit in that case would look like -- you would exploit that Macbook, and you would put something on it like a bot. But this wireless exploit is an exploitable flaw and it's in the wireless IP stack.
BK: OK, so in that case, the machine would be exploited and you would have it connect up to your IRC channel of choice or something like that?
Maynor: Exactly. It's just like any other exploit, but the only difference is the communications medium in which that exploit gets delivered. And this could just as easily be a proximity attack -- if you have an exploit for a certain type of wireless card, and wait until they come into range -- and then using fingerprinting software, determine what kind of wireless card they have and what driver, if they, say, come into the coffee shop and are using a card and firmware that you have an exploit for you could attack them.
BK: What do you say to people who are going to look at this tomorrow and go, "Yeah, but I mean, these guys haven't released all that information about their attacks, it might have been something that they put together in some sort of test environment that's not going to work in the wild or in a real-life exploit situation"? I'm just trying to play devil's advocate here.
Maynor: No, no, no. I understand that. I can appreciate that. Look, I'm not going to go break into a bunch of machines with this exploit out in the wild to make sure it works. I can make it work and make it work in a test environment. And if I can make it work in a test environment -- spending the amount of time I have -- someone who is getting paid to do this, or because they just want the exploit, could spend three times as much time and then make it work in a robust environment. But this is a time game. We found these bugs, and now we're moving on to other stuff. This isn't something that I'm going to spend like four years researching. This is a problem we found that we can help people fix it. This is the same argument that people had with heap overflows. I mean, heap overflows were originally thought of to be not very reliable, they wouldn't be great exploits, things like that.
BK: But they're some of the best types of exploits out there that you could find, right?
Maynor: They are now, because people spent time making them far more reliable. I mean, to be honest, this exploit has a lot of shortcomings. It's not perfect. But it's also designed to be used in a demo and test environment. It's not weaponized and I'm not going to go running around trying to exploit things in the wild. It's designed to be run in a test environment. If someone wants to spend more time, I have no doubt it can be made more reliable.
BK: So what interaction have you had with the various OEMs and device driver people?
Maynor: We talked to Apple today, as I mentioned earlier. We also talked to Microsoft. We're actually hoping to talk to more of the vendors at the show. It's hard to chase down some of the contacts. To be honest, do you think that D-Link or SMC's first priority is a year-old device driver?
BK: No, but it might be if they sold 20 million of these flawed devices.
Maynor: Right, so the point of this whole talk is: These are methodologies you can integrate into testing environment, so that when we get to adding in new stuff like 802.11N and Wimax, stuff like this is going to become a lot more dangerous and important because these standards are going to cover a lot more geographical area. So right now, this exploit pretty much has a range of whatever 802.11B has. So these device drivers -- we've had [802.11] A, B and G, now moving to N and Wimax is on the horizon, and the driver code quality is not getting much better. And it's because people are under a ship date crunch. They want to get this working, they reuse code as much as possible, and some of that code has problems. No one is really auditing these things for security. Microsoft would be a bad example, because they actually do this. Ask any of these third-party device-driver authors whether they fuzz any of their drivers -- they don't. You want to hit the low-hanging fruit first. You'll find a lot of DOS conditions, but to find stuff that you can use for remotely exploitable conditions, you've got to spend a lot of time on it.
BK: So, again, you're looking at four altogether --
Maynor: Yeah, four remotely exploitable wireless-device driver flaws, including this MacBook one. Yes, this is one and there are three others. We've tried to spread it out pretty evenly, and not spend any more time on one particular vendor. Because, as I said, we're not trying to point out specific flaws --
BK: But you're not going to talk about specific manufacturers of these cards?
Maynor: We're not going to be shaming the driver makers --
BK: Well, so then what is the significance of these cards here [pointing to the external Netgear cards Maynor pulled out of his bag a few minutes ago]?
Maynor: These network cards are Atheros-based and allow you to do raw packet injection. You can't do that on most cards. We had to build our own custom kernel. It's just real reliable for you to do raw packet injection. You can't do that with another card, because the attack is based on building these wireless control packages yourself -- and cards like that want to do it for you. That's one of the things manufacturers count on. It's like, well, OK, if you implement the specs properly, I shouldn't have to worry about things over here on our side. The problem is you get stuff that you never intended to see on the wire.
BK: So what you've found is going to create some pretty serious waves. Once you point it out, people are going to start looking at it.
Maynor: Well, that's that goal, really. But it's like, how do you tell a secret without telling the wrong people? You have to tell everyone at once.
[Maynor's phone rings, and my tape runs out of space, shutting itself off. I have another interview scheduled a few minutes later, and the interview between Maynor and me ends shortly after he gets off the telephone.]
On Saturday, Maynor and Ellch gave their talk a second time at DefCon, after which they posted a few PowerPoint slides responding to some of the questions they'd heard from Mac users.