Skip to Content
Skip to Table of Contents

← Previous Article Next Article →

ATPM 12.09
September 2006


How To



Download ATPM 12.09

Choose a format:


by Wes Meltzer,

The Boy Who Cried Wolf

It appears that Apple’s new commercials have gotten under some people’s skins. Justin Long, previously of Dodgeball fame, makes the true claim that there are no known viruses for OS X. With comedy. I thought that particular commercial was one of the funnier ones, actually, with John Hodgman sneezing.

About a month later, Washington Post computer security columnist Brian Krebs reported on an 802.11b/g exploit for the MacBook. We’ll get into the minutiae of this story later, but first I want to underscore how central these commercials have been in bringing security researchers Jon Ellch and David Maynor, of SecurityWorks, to the MacBook in particular. He quotes Maynor as saying:

We’re not picking specifically on Macs here, but if you watch those ‘Get a Mac’ commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something.

Now, what Krebs says is that he saw Ellch and Maynor demonstrate an exploit that allows them to take control of a computer just by having its WiFi card turned on. They say that this is a flaw in the driver that powers the card itself. But they’re short on details; they say they’re doing it to keep the exploit from making it into the wild before Apple resolves the underlying flaw, and I’m willing to give them the benefit of the doubt on this.

At this announcement, all hell broke loose. Within hours, this story was all over Digg and Slashdot—and the entire rest of the Internet. I picked it up off John Gruber’s Linked List. Much of what I saw was the usual, self-congratulatory “A-ha! You’re not safe either!” stone-throwing, which I’ll never understand. For some reason, it seems to me that a lot of writers on the Internet let Justin Long’s satyrical tone get under their skin and, rather than lamenting Windows’ poor security or finding solutions, just want Mac users to be vulnerable, too. It’s like watching the sore loser fans who cheer when an opposing player is injured.

Ordinarily, this story would end there, and I would report for you on what everyone said about it. My usual approach to these sorts of stories is a little like “Crossfire”: get out of the way and let the bomb-flinging begin.

But this WiFi hack story is a little more esoteric, and a lot more shrouded in secrecy, than most of the material that I get to report on. (It took all the fun out of the WWDC post-mortem I was going to write for September.) So, this month, you’re going to get a more in-depth analysis of exactly what’s going on in this story—from the few tech writers who have really immersed themselves in finding out whether Ellch and Maynor are being secretive as a public service, or for more nefarious reasons.

Glenn Fleishman took an initial hack at it, trying to make sense of what our friendly neighborhood researchers are saying is possible. You see, Ellch and Maynor are claiming that you don’t have to be associated with a particular access point, or be transmitting data via the AirPort card at all, in order to be vulnerable to this attack. Fleishman says that the only kind of frame an unassociated WiFi card will accept is a “beaconing frame,” data that identifies available, open access points to anyone within the physical broadcast area. (That’s how the AirPort menu is populated with available access points.) His hypothesis is that the attack relies on a bad (“malformed”) beaconing frame, which somehow exploits a vulnerability in the driver to give an attacker access to the computer.

Several days later, Jim Thompson analyzed a high-resolution version of the demonstration video and came to the conclusion that the attack itself was staged, a fraudulent non-exploit, to give Ellch and Maynor a headline-grabbing story to run with for a few days. He goes into technical details about what the attack could be, which are really esoteric—he notes that there are a few more possibilities than Fleishman suggested, but that some kind of bad data is involved.

But Thompson recognizes, from looking over the video, that it does not appear to use either hardware or software that would make a stock MacBook vulnerable:

In the presentation, Maynor uses a “third-party wireless card.” It looks like a ExpressCard/34 802.11 card, but the non-‘Pro’ MacBook doesn’t have ExpressCard slots, and the card they hold is too big to be a USB device, yet the MacBook they use is definitely black.

Something already smells like day-old fish.

He believes that this is no real-life exploit at all, but a staged attack with both ends controlled by the attacker. Like playing at war in a video game, or like the time that “Dateline” did a report on GM trucks exploding when hit on the fuel tank at low speed, and staged the accidents. Thompson’s conclusion? This paper should have been called, “[W]e can create a covert channel by having control of the software on both sides of a communication link.”


John Gruber calls foul on the whole thing: he says that either Maynor and Ellch or Krebs, or both, are going to exit this situation with their reputations in tatters. The problem, as Gruber sees it, is that Apple has categorically denied that the exploit uses any code in OS X. So either Ellch and Maynor are lying, or Krebs is misrepresenting their claims. Gruber notes that SecurityWorks has backed down somewhat from Ellch and Maynor’s initial claims, essentially admitting that the vulnerability only affects non-AirPort hardware and software. This is a synopsis of a very long piece, but it’s well worth reading. Two days later, Gruber wrote an update to the original post to note a few additional considerations about the story.

Gruber singles out CNet’s George Ou, along with Krebs, as a tech reporter who gagged on the fundamental issues. But unlike Krebs, who appears to have just punted in the aftermath of the story’s implosion, Ou brings in a “legal professional” friend to analyze Gruber’s logic and come to a different conclusion. He parses the words, much like any other lawyer, and determines that Ou’s and Krebs’ reporting was not necessarily bad or misleading…and that Gruber is playing hard and fast with the facts. You know my feelings about John Gruber, and I think his article was solid, but if you read Ou’s article, you might not agree.

Last but not least—whew!—is Securosis’ re-analysis of the situation. Like Ou’s “legal professional” friend, but without the parsing, writer rmogull admits that he reads the facts the same way as Gruber but comes to a completely different conclusion. He doesn’t buy that a PR lackey has any stake in security, and is willing to believe Maynor, Ellch, and Krebs over Apple’s PR people. That unequivocal statement from Apple’s Lynn Fox, was, after all, the lynchpin in Gruber’s logic.

The very real risk here—the most obvious point of all—is that if Ellch and Maynor are doing this just to get attention, they could become the boy who cried wolf. If you claim that there are existing vulnerabilities and are proven wrong too many times, what happens when you really do find one?

But, as far as your safety is concerned…you should be safe from any specific attack, for now. Either you’re not vulnerable unless you’re using an external USB adapter; or you’re not vulnerable unless you’ve hacked your driver to allow for the vulnerability; or you’re not terribly vulnerable because the details haven’t been released. Keep your eyes open, as always, but this one looks like it’s not going to bite you just yet.

Rock Me Like a Hurricane

  • A switcher update: Josh Marshall loves his Mac, and Tim Bray is back to his after all the to-do about Ubuntu Linux.
  • In case you missed it, WWDC was at the beginning of August. The wrap-up was originally going to be this month’s column. Apple announced the new Mac Pro, and Macworld, AnandTech, and Powermax snapped it up and had their reviews up shortly. John Gruber makes a note of the fascinating new Apple hardware nomenclature. Macworld takes a more in-depth look at how Time Machine works, and Ars Technica wonders if a new OS X compiler is coming.
  • Do you remember the Apple Newton? My seventh-grade teacher had one, and he loved it. With Microsoft’s ultramobile PC (UMPC) concepts finally coming online, CNet UK pits Samsung’s against the Newton—and they think the Newton wins. That was ten years ago, folks.
  • Word on the street has it that the latest iPod software update contains signs of phone software. Nothing’s definitive, but I might have to eat my hat if Engadget is right and that shows that the iPhone is coming soon.
  • Macworld discovers that the Mighty Mouse Bluetooth discharges its batteries in series, rather than in parallel like I would have expected. That means it can operate on just one battery. It also means the second battery is only for added time on a charge, which is not the reason you add a second slot normally. Good for Apple.
  • If you’re a student at a West Coast university, or a quarter school, you still have time to buy a new computer. This month, Julio Ojeda-Zapata of the St. Paul Pioneer Press and Mike Langberg of the San Jose Mercury News have their respective recommendations for good back-to-school PCs, including Macs. In case you’re in the market, for school or not, they’re worth reading.
  • From the Icon Factory, an article on iconography in the era of very high resolution displays. This is a topic that is going to become increasingly important, because someday your computer screen really is going to have a resolution similar to laser printed text. It’s interesting, how an icon that once needed to be 16×16 or 32×32—think of Susan Kare’s dogcow—now needs to be 128×128, or 256×256. Someday, maybe more.
  • Wild speculation from Slate: Can Apple build the iTV? More to the point, is it within Apple’s power to get this right?
  • Dell is throwing in the towel on selling MP3 players. Don’t say I didn’t tell you so, guys. I’m sure most consumers are shedding tremendous crocodile tears.

An update: On September 1, John Gruber issued a challenge to Maynor and Ellch: I will purchase and give you a new MacBook if you can hack into it, off the rack. He expects to be ignored, but he’s right that it would be nice to know if the MacBook is vulnerable—or not.

Also in This Series

Reader Comments (8)

BKWatch · September 1, 2006 - 22:45 EST #1
You may also want to see my commentary at:

I hope to annouce some breaking news on whether Krebs has changed his views in the next fews days.
Lee Bennett (ATPM Staff) · September 1, 2006 - 23:07 EST #2
Yeah, and there's also Gruber's pretty bold challenge to Maynor and Ellch!
BkWatch · September 1, 2006 - 23:18 EST #3


That made my weekend.

I suggest we start a paypal fund to help John raise $1099.

Too funny.

I can't help but think that consumer computer security columnists hate Macs because if people bought them, they wouldn't have security issues.

(I'm not saying Macs are secure - lord knows they are not. But they are secure from the harrasment that Windows owners have to deal with everyday)
Lee Bennett (ATPM Staff) · September 1, 2006 - 23:27 EST #4
BK - the part about not having security issues of more people bought them I don't think is quite true. The reason Macs are generally more secure is because the scum who write software to take advantage of exploits are lazy and its a waste of their time to deal with something that affects such a low percentage of the computing world. My opinion is, if more people bought Macs, they would have security issues because they would attract more attention of those who would take advantage of the exploits.
bkWatch · September 2, 2006 - 13:26 EST #5
Lee: Quite correct, and I agree with you.

My point is that computer security columists like Brian Krebs are anti-Mac for a reason. For 90% of consumer security complaints, they could have one response: Buy a Mac. It makes their job pretty irrelevant.

But I do agree that at a certain market share Macs become a target. But what is that share: 5% 10% 25% 51%? Nobody has a real answer to that. But a 10% market share is even now a magnitude in difference from where Macs are now. So that is very much a future future concern.

Macs have security issues now. Don't get me started on the failures of Target Disk Mode and FileVault.

But as long as public discussion is around people like Brian Krebs, real security issues are NOT going to be solved.

Thanks again for your posting.
R.K. Foster · September 8, 2006 - 15:58 EST #6
I'm new here, so I would rather not act like a jerk, but I think this whole idea that "if Macs had a larger market share then we would see more security problems" is hogwash. I've been using variations of Unix software for 15 years now and Unix operating systems, of which Mac OSX is one, are inherently more secure by design. Sure there are exploits, security can never be complete, but Unix exploits are an entirely different class than the typical Windows Virus or Trojan, etc. There are currently no Apple Mac OSX "whatevers" running rampant like wildfire through the Mac community because it is just very damn hard to do. Not because Apple's are such a small part of the market place. People like to bait Mac Users all the time. Don't you think that would be enough of a reason for a wannabe hacker to release something on all of us "smug" Mac users? If it ever happens that'll be the reason, it was a challenge. Not because Macs gain market share.
Lee Bennett (ATPM Staff) · September 8, 2006 - 18:21 EST #7
RK - I don't believe anyone's suggesting that 'nix-based operating systems are just as vulnerable as Windows, but I sort of think you have it backwards. There have, indeed, been a few documented exploits of the BSD system OS X uses and they're not "very damn hard to do." But the universal truth is, someone who wishes to inflict havoc upon the computing world by writing a virus or worse is no different than an entrepreneur wanting to only do good—though make a profit from doing that good. They both are going to look to make the biggest effect for the least (or most reasonable) amount of effort. A hacker has no real incentive to write a virus for a platform that may only infect a few tens of thousands or even hundreds of thousand of computers when the same (admittedly, often less) effort on the Windows side can infect potentially millions of computers or more. That's the reality. I firmly do believe if Windows shriveled up and everyone used OS X, we'd be hearing of a lot more exploits being, well, exploited. You are, however, I believe quite correct that Unix exploits are of a different class and that these systems are inherently more secure. But also as you said, no security can be complete, and if enough people had the right incentive, they'd take advantage of that incompleteness.
R.K. Foster · September 12, 2006 - 12:19 EST #8
By "very damn hard to do." I meant an exploit that would spread the way a Windows virus would. As you say, any exploit is easy once you know how to do it. But in most cases on MacOSX it requires the hacker themselves to cause the exploit, automated virus-like exploits are not so easy as in the Windows world. The type of hit-as-many-people-as possible exploit is a Windows phenomenon.

Add A Comment

 E-mail me new comments on this article