August 2, 2006 3:17 PM PDT

Breaking into a laptop via Wi-Fi

LAS VEGAS--Flaws in the software that runs wireless-networking hardware could let an attacker break into a PC over Wi-Fi, security researchers warned Wednesday.

An attacker could gain complete control over a laptop by sending malformed network traffic to a vulnerable computer, David Maynor, a senior researcher at security service provider SecureWorks, said in a presentation at the Black Hat security event here.

Maynor, along with researcher Jon "Johnny Cache" Ellch, showed a video of a successful attack on an Apple Computer MacBook. However, the attack is also possible on other computers, both laptops and desktops, not just MacBooks, the researchers said.

"These driver flaws are pretty common," Maynor said. Researchers are starting to find those bugs as they shift their focus from hunting for operating system flaws to exploitable errors in drivers and in applications, he said. The reason for the shift is that operating systems are becoming increasingly secure, he added.

There is no immediate threat to the millions of laptop-toting wireless users. Maynor and Ellch are not releasing the details of their attack, and they deliberately avoided a live demonstration so that no one could copy it.

"People who should be worrying about this are the hardware and software makers, so this doesn't make it into the mainstream," Maynor said.

Consumers should be streetwise when using their laptop by not connecting to networks they aren't sure they can trust and by disabling the wireless radio when it is not needed, Maynor said. "There is no need to run out and rip your wireless card out of your laptop, but you should take precautions," he said.

With their Black Hat talk, Maynor and Cache hope to wake up makers of buggy drivers. "We want to educate developers and hardware makers about this threat before it becomes a wide-scale issue," Maynor said. "We're not talking about something that people don't know about, but a lot of people don't know the severity."

Driver flaws have been getting more attention recently. Microsoft, for example, is readying tools for driver developers to scan their code for common vulnerabilities. According to a recent experiment by Intel, flaws in driver software may be worrisome and a potentially serious threat, but there is no need for alarm yet.

To launch an attack using the Wi-Fi driver flaws, the would-be intruder needs to be within about 100 feet, or 30 meters, of its target--the typical reach of a Wi-Fi signal. However, new wireless technologies are extending this range significantly and could increase the threat, so new bugs will likely be found, Maynor said.

To facilitate an attack, the researchers found a way to remotely identify the wireless driver that a particular computer is running, Maynor said. Then malicious data traffic needs to be crafted and sent to the vulnerable PC. A flaw in the way that computer processes the data subsequently causes the compromise, he said.

Coincidentally, Intel late last week issued fixes for flaws in software that controls its popular Centrino wireless hardware. These patches are not related to the Black Hat research, Maynor said. The researchers have worked with hardware and software makers on the issue of Wi-Fi drivers, but not with Intel, he said.

Black Hat runs until Thursday.

39 comments

a good article
A very balanced approach. Others have hyped the fact that the
demonstration was done on a Mac, but the issue is not specific to
any operating system.
Posted by Thrudheim (306 comments )
and yet..
This.. and other articles about this name apple multiple times. The
ABC News article even tried to contact Apple about it. These guys
were trying to show something.. they even admit it.
This is not even remotely related to apple.. hence the use of a third
party card.. for them to make a big deal out of using a Macbook is
pure fud on their part.. and only makes them look like tools.
Posted by Jesus#2 (127 comments )
CNet's bias, yet again
Even though the article had nothing to do with the Macbook or the
fact it was an Apple, C|Net decided it would be fun to put on their
FRONT PAGE that a "macbook was hacked." Thanks a lot, guys.
Posted by steinah6 (21 comments )
What exactly were they able to control?
What does "successful" mean?
And what do they mean by "complete control"?
Via the command line? As a root user?
Was this a machine with no passwords enabled?
Were they able to get into specific folders and files?
Whenever someone presents this little information
about the break-in, it usually means they are trying to
sell you something, like security software.
I'm pretty suspicious at this point without details.

Dan
Posted by danrnw (1 comment )
see the separate video
They got full control of the user account at least. They didn't
say if they got root access or not.

The interesting thing is that the hole was in a *third-party*
wireless card driver. They actually plugged in a third-party
wireless card to the MacBook, which is silly since the MacBooks
all have built-in wireless. Furthermore, they don't say if the
drivers for Apple's built-in wireless are vulnerable or not. So, we
don't actually know if any MacBook users are actually vulnerable
to this attack at all with the normal configuration. Needless to
say, if the regular Apple wireless driver is *not* vulnerable, this
is getting a lot of gratuitous hype.
Posted by Thrudheim (306 comments )
Installed a rootkit
They ended up with a hidden full ownership of the targeted machine.
Posted by aabcdefghij987654321 (1721 comments )
And, isn't it great that...
...Microsoft's next Operating System, just so happens, will absolutely-require "Driver Signing"..?

Funny, though, the timing and nature of this new Security-angle (driver insecurity), since the overwhelming number of REAL "Security Issues", for over a decade, has actually been directly due to BAD CODING, and REALLY-BAD CHOICES related to "embedded features" from, primarily, ONE software-company.

And, isn't it also funny that Microsoft has taken such a large-role in the "Black Hat Conference" exactly when this -new revelation- could most benefit the "Trusted Computing" elements in their floundering push to roll-out "Vista" to a, more and more, resistant-market.

And, it's even stranger, to me, that this particular "security issue" is happening EXACTLY when "IT companies", and developers, are just beginning to publicly-rebel, in earnest, against the very "authorized-drivers-only security model" in Microsoft's next OS, ...which, by the way, WILL allow Microsoft to control, and charge, every single "anti-virus software" producer, manufacturer of printers, video-cards, and memory-devices, ...or anybody else that produces any "device", or "product", that needs to work in the "Vista Trusted Computer environment".

But, I'm sure this is all just an amazing coincidence... After-all, Microsoft has changed, ...haven't they..?
Posted by Gayle Edwards (262 comments )
go whine somewhere else
if they had attacked a Windows box, you would have been shouting something about spaghetti code. Boo hoo, they went after your little darling. If you can't take the heat, turn the computer off little girl.
This is exactly what Black Hat is all about; pick a flashy, high profile target and hit as hard as you can(or at least give that appearance).
Too bad you fanbois can't separate the lesson from how it was taught.
Posted by catchall (245 comments )
3rd party card?
Why did he use a third-party WiFi card instead of the built-in WiFi?
This seems a little fishy to me. Yeah, I can hack a lot of things
myself, especially if I can add my own hardware and know in
advance what to expect. I'm not buying this as a legit hack, sorry.
Posted by TedPax (8 comments )
Agreed
I was equally confused by the need for a third-party card, as this
completely negated the use of the MacBook as a test subject -
no one would ever use a third-party card in a MacBook as it has
internal WiFi.

While I appreciate the message, the proof of concept provided is
useless - especially when you take into account the fact that the
test subject was directly and intentionally authenticated to the
attacking machine.
Posted by lockhartt (1 comment )
As mentioned before
At tomshardware:

"Some people watching the video have noticed that the Macbook is using an external wireless card, rather than the built-in card. In a Washington Post interview, Cache and Maynor say Apple leaned on them to use an external card rather than the built-in card. Despite this, both contend that the internal card is identically vulnerable."

http://www.tgdaily.com/2006/08/03/macbook_hacked_minute/
Posted by Rolndubbs (194 comments )
Too much missing info...
The authors chose a MacBook for its high profile, so if their break-
in were possible with the built-in Apple Wi-Fi card I'm sure they
would have done it that way. More glory. But they failed to provide
any real (useful) information about the target machine. Were they
logged in as a root user? Did they have file sharing enabled? Was
the software firewall enabled? They were clearly running the
Terminal shell (which the average user never opens). Just what does
it take for this exploit to work? It's hard to take this seriously
without more information.
Posted by fshepinc (41 comments )
The guy is a tool.
Seriously. Why even do this?
Was the built in firewall turned on? Probably not.

Why the hell use a 3rd party card on a macbook with built-in
wifi?

Access to a user account via a rigged setup is not "owning" a
system. I can make an applescript that can own your system if
you lock me in a room with your mac.. doesn't mean squat.

Either this guy is an idiot.. or he thinks we all are.
I'm inclined to think that he is just a tool.
But that's just based on the evidence.

I will personally volunteer to let this tool try to get into my
system.
Posted by Jesus#2 (127 comments )
The point was
Don't buy any OS from a company who doesn't produce/control hardware that OS runs on, as you might have to install untrusted kernel components.

Don't use any hardware that is not built by the manufacturer of your OS, as you never know how many holes there are in the kernel driver.

Buy Mac OS X, use only built-in devices, or at least ones that are manufactured by Apple.

Also, MS needs to acquire Intel, AMD, Dell, HP, Lenovo and the rest of PC manufacturers around the world and prohibit manufacturing of MS PC clones (including Intel-based PCs from Apple).
Then driver lab testing/signing will be obsolete and hardware compatibility problem and security of the 3rd party drivers solved forever.
Posted by Ice Moose (28 comments )
Pay attention and research the facts
These black hat people are all about promoting themselves, to justify their services. Look and read carefully...

A third party wireless device was used...NOT THE BUILT IN WIRELESS APPLE AIRPORT.

Hmmm, how many users are going to buy a macbook pro and then decide NOT to use the built-in airport.

IF this is a legitimate exploit, then use airport. otherwise, don't use some third party device, designed for windows, and then when the OSX drivers are created in India as some vague afterthought.

In order for security threats to be perceived as real, they have to represent real life scenarios.

Do this on an Apple with Airport or a Dell with Centrino. Otherwise, shut up.
Posted by dynsight (5 comments )
once again
"Some people watching the video have noticed that the Macbook is using an external wireless card, rather than the built-in card. In a Washington Post interview, Cache and Maynor say Apple leaned on them to use an external card rather than the built-in card. Despite this, both contend that the internal card is identically vulnerable."


http://www.tgdaily.com/2006/08/03/macbook_hacked_minute/
Posted by Rolndubbs (194 comments )
You've all missed the true point
The point of the demonstration has *nothing* to do with the fact they did it on a Mac (something they tried to emphasize but it appears most of you simply can't comprehend).

The point was simple: "There are too many device drivers out there which haven't been checked and cleansed of serious bugs which could allow a computer to be compromised". They chose to attack via a wireless driver simply because that particular device provides a remote attack ability that a wired connection (such as via a normal NIC) doesn't.

Further I'd suggest they used a third party card mainly because they found their vulnerability in the drivers for that particular card.

So why did they do this demo with a Mac instead of a Windows based machine? Probably because they read C/Net and have grown to hate the iTrolls like the rest of us. Enthusiasm for Apple and the Mac is good, very good. Blind loyalty and irrational, rabid zealotry though defines the iTroll's mindset.
Posted by aabcdefghij987654321 (1721 comments )
hehe, out of spite perhaps...
I agree with your rationale for the hardware choice... of course they had to know that people would point out the 3rd party card and go, "OOOH LOOK! MAC IS STILL PRISTINE AND PERFECT!! TEH CARD IS BUNK!!111" while still ignoring the fact that it was STILL possible on a Mac as much as any other PC. That's the real news, and it SHOULD be enough to diffuse at least a small amount of that mindset. Maybe.
Posted by DraconumPB (229 comments )
Read this article, it will shed light on this guy...
Reading this story from the Washington Post will make clear Mr.
Maynor's intent:

http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco_1.html

He's quoted as having some type of grudge with Apple, and I'm
guessing he deliberately rigged this test to his advantage to
prove a point.

For the record, I work with both platforms, and I would be
writing this same comment whether it was with an Apple or a PC.
His method is flawed and he's just trying to invoke controversy,
which he has succeeded at. I think he's doing a real
disservice to the security community.
Posted by TedPax (8 comments )
He should have...
He should have reversed the hack afterwards from the Apple to the
Dell. But wait, that would make the Macbook look better, and he
wouldn't want to do that.
Posted by steinah6 (21 comments )
C|NOT BS FUD
THIRD PARTY WI-FI CARD people!

Apple Notebooks ALL have Wi-FI BUILT IN, so you do not need a third party Wi-Fi card.

CARD / DRIVERS are not secure. Mac OSX + Airport Wi-Fi are encrypted secure wireless protocols.

Bad Form C|NOT!
Total FUD BS to smear Apple just before their WWDC & keynote announcements.
Posted by Llib Setag (951 comments )
Another iTroll fails to understand, why are we not surprised
Simple reflection reveals the reason they used an *unnamed* Third Party plugin card. They have been very careful to not name the exact vendors involved but if they'd compromised that machine using its own built in wireless it'd be obvious that at least that one machine is vulnerable. Using a third party card leaves it very much up in the air as to whether the Macbook itself is vulnerable.

I did see on another site that they installed a full rootkit on the Macbook so the vulnerability is extremely serious even if the Macbook ultimately turns out to be completely safe against this attack when it's using its own built in wireless.

In short, the fact that the compromise was made using a third party card neither convicts nor exonerates the Macbook. These researchers are taking great care to not make enough details available that the bad guys can use them before the vendors have time to fix their drivers.
Posted by aabcdefghij987654321 (1721 comments )
It's not FUD if...
...at some point on an older Mac laptop the AirPort Wi-Fi was replaced for whatever reason by a third-party Wi-Fi card (older AirPort Wi-Fi has been known to fail; just Google to find the articles). The point of this presentation is that the drivers of third-party cards are vulnerable, regardless of platform.

You are WAY TOO sensitive about the Apple laptop being the victim. For the presentation, the laptop could've been a Linux-based machine (assuming of course that they could've gotten the wireless drivers to *actually work* with their particular victim distro).
Posted by make_or_break (3747 comments )
Try reading up a little more....
Number one, they are saying this exploit can be used on a wide variety of systems, not just a mac. The reason everyone is making a big deal about the mac being exploited is because of all the annoying commercials they have out. Along with that, Apple pressured them to not show the exploit using the built in wifi.

"Some people watching the video have noticed that the Macbook is using an external wireless card, rather than the built-in card. In a Washington Post interview, Cache and Maynor say Apple leaned on them to use an external card rather than the built-in card. Despite this, both contend that the internal card is identically vulnerable."

So while it's great to love a company and its products, being closed-minded and lashing out for no reason just shows ignorance.

Link for the entire article, which includes a link to the Washington Post interview:

http://www.tgdaily.com/2006/08/03/macbook_hacked_minute/
Posted by Rolndubbs (194 comments )
This is a Threat?
Do I understand that if someone gets physical access to my Mac
(these computers are called "Macs" in popular usage, not "Apples")
by theft or other means and substitutes a third-party wireless card
for my built-in AirPort card, they can hack my Mac? Anyone
surprised by this? Why didn't they hack a real-world Mac across the
Internet?

Give me unrestricted and undisturbed access to Ft. Knox and I
guarantee you I'll get away with the gold!
Posted by santdewi (3 comments )
did u see the video?
Boy, this fella really wants the publicity!

First, he says the target doesn't need to be associated with an AP.

Then he attaches the target to the Dell FROM THE TARGET! And leaves the shell open on the target...

Then he creates a few files, then deletes them.

Show me where he even _claims_ to have obtained root or admin on the target, much less proves that he has!

Any script kiddie can attack and control a target that voluntarily attaches to your laptop - especially if you have access to the keyboard!

Repeat this demo by attacking and establishing a wireless connection to a target machine with the settings on default, and the current user logged in as user, and prove to me that you can do it without access to the target's keyboard, and gain elevated privileges on the target by performing admin or root level tasks.

Then I'll believe it.
Posted by rwahrens (44 comments )
Apples Have built in WiFi
No Apple would have to use an insecure third party usb wifi dongle.
They attach it in the beginning in order to compromise the
machine. It is a hoax that an Apple could be hacked like that.

Why is this even on CNet?
Posted by sjah (1 comment )
It doesn't matter what card it was
Apple fanboys seem to think that MacOS X is immune to driver flaws due to its superior design. This demonstrates otherwise.
Posted by Andrew J Glina (1673 comments )
Yes, it does.
"Fanboy" is an overused, tiresome pejorative. Can we debate
this issue without the name calling?

You set up a straw man so that you can knock it down. Show me
one post anywhere where a Mac fan actually said, or even
implied, that Mac OS X is immune to driver flaws.

Nobody disputes that this is a significant and serious security
hole *if* Apple's internal wireless driver is vulnerable to the
exploit. At this point, however, we have only the word of these
two guys, and their video left a lot of questions unanswered.

It matters if it is a third-party card because it gives us an
important indication of how many people might be affected.
Since all Apple laptops made in the past year come with internal
wireless, and others who add wireless almost surely use Apple's
Airport card, it might be that only a tiny segment of Mac users is
affected. We just don't know yet.

Take it to the extreme. Suppose I write a wireless driver for
myself, and it is riddled with security holes. My machine is ripe
for the taking. Is that a serious security matter too?

That said, my assumption is that Apple's internal wireless is
vulnerable. I just think that a lot of stories, like the Washington
Post's security blog, really hyped the Mac angle and,
unfortunately, were wrong about what the video actually
showed.

You know, it's goofy. Recently, a million Windows users who
visited MySpace may have been infected with spyware, but this
story has gotten far more attention.
Posted by Thrudheim (306 comments )
 
