Researcher Publishes Apple Wi-Fi Exploit Details

By Lisa Vaas  |  Posted 2007-09-20

Duo show how they broke into a MacBook via a wireless driver flaw.

A researcher has published details of how he and a colleague broke into a MacBook via a flaw in its wireless drivers at Black Hat last year. Errata Security Chief Technology Officer David Maynor published the details in an article in the September issue of Uninformed, an online security research magazine.

The situation got weird between the researchers—Maynor and independent security researcher Jon Ellch—and Apple after the two demonstrated the break-in at Black Hat in August 2006. The duo used an Apple MacBook laptop fitted with a wireless card that was broadcasting its presence to another computer set up as an access point at the security show.

Apple initially denied that the flaw affected its products. It then gave itself credit for finding the bug through an internal audit, altogether dropping from the reporting credits any mention of either the researchers or SecureWorks, the company that claimed ownership of the vulnerability details.

Apple is one of the top vendors when it comes to publicly disclosed vulnerabilities. News reports quote Maynor as saying that the reason the exploit details are coming to light at this time is that until now he was under a nondisclosure agreement that kept him from revealing the details. He has declined to say who the NDA is with.

As for the paper, Maynor said in the conclusion that it presents merely a quick walk-through of the vulnerability in terms of discovery and exploitation, but that's just one part of an exploit. "To do something useful, an attacker needs kernel-mode shellcode," he said—the subject of a future paper.

The exploit discussed in the paper is just a proof of concept, Maynor said, given that an exploit writer still needs the load address of the kernel module on the target machine. But this "is a choice, not a restriction," Maynor writes, and weaponizing an exploit is simple. "This method of gaining execution is well-suited to a proof of concept," he said. "Creation of a weaponized exploit that can execute arbitrary code with no prior knowledge is just as easy. It's just a matter of overwriting different parts of the kernel."
Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
