August 8, 2006

The Black Hat Wi-Fi exploit coverup

Author: Joe Barr

Commentary -- You've probably heard of full disclosure, the security philosophy that calls for making public all details of vulnerabilities. It has been the subject of debates among researchers, vendors, and security firms. But the story that grabbed most of the headlines at the Black Hat Briefings in Las Vegas last week was based on a different type of disclosure. For lack of a better name, I'll call it faux disclosure. Here's why.

Security researchers Dave Maynor of ISS and Johnny Cache -- a.k.a. Jon Ellch -- demonstrated an exploit that allowed them to install a rootkit on an Apple laptop in less than a minute. Well, sort of; they showed a video of it, and also noted that they'd used a third-party Wi-Fi card in the demo of the exploit, rather than the MacBook's internal Wi-Fi card. But they said that the exploit would work whether the third-party card -- which they declined to identify -- was inserted in a Mac, Windows, or Linux laptop.

UPDATED: A reader has pointed out that Maynor recently left ISS and is now at SecureWorks. As a matter of fact, SecureWorks is trumpeting the faux disclosure as a major news event, listing 29 different sites reporting on it. You can even watch the tape of the video on their site.

How is that for murky and non-transparent? The whole world is at risk -- if the exploit is real -- whenever the unidentified card is used. But they won't say which card, although many sources presume the card is based on the Atheros chipset, which Apple employs.

It gets worse. Brian Krebs of the Washington Post, who first reported on the exploit, updated his original story and has reported that Maynor said, "Apple had leaned on Maynor and Ellch pretty hard not to make this an issue about the Mac drivers -- mainly because Apple had not fixed the problem yet."

That's part of what is meant by full disclosure these days -- giving the vendor a chance fix the vulnerability before letting the whole world know about it. That way, the thinking goes, the only people who get hurt by it are the people who get exploited by it. But damage to the responsible vendor's image is mitigated somewhat, and many in the security business seem to think that damage control is more important than anything that might happen to any of the vendor's customers.

Big deal. Publicly traded corporations like Apple and Microsoft and all the rest have been known to ignore ethics, morality, any consideration of right or wrong, or anything at all that might divert them from their ultimate goal: to maximize profits. Because of this, some corporations only speak the truth when it is in their best interest. Otherwise, they lie or maintain silence.

I asked Lynn Fox, Apple's director of Mac public relations, two very direct questions.

1. Are Apple MacBook users at risk using their built-in Wi-Fi capability?
2. Is Krebs' Washington Post report about Apple pressuring researchers
not to reveal a MacBook Wi-Fi vulnerability/exploit accurate?

I've received no response to that query. Nor do I expect one.

Why don't the researchers disclose what they know anyway? They are not, as far as we know, on the payroll of Apple or the hardware vendor making the Wi-Fi gear. I got a clue about a possible reason while chatting with "dead addict," one of the original organizers of DEFCON.

"dead addict" reminded me of the big blow-up at Black Hat last year, when Cisco was threatening to shut down the conference in its entirety if part of a scheduled presentation on a Cisco exploit wasn't removed. By a strange coincidence, ISS and one of its employees was involved in that situation, too. The researcher, Michael Lynn, resigned from ISS and then gave the presentation anyway.

That act threw Cisco and ISS into a stone cold fury. Injunctions were filed, and the FBI was called in. To me it looks like every legal maneuver those bad boys at corporate could dream up were hurled at Lynn and Black Hat.

To protect Cisco's customers? I don't think so. Cisco's customers would have been better served with the truth, not a coverup.

The point "dead addict" was making is that some researchers can afford to leave their jobs, or be fired, or be arrested, and some can't. Those are pretty good reasons not to speak out. They are also a testament to how corrupt and rotten our system is, when corporate greed and gluttony trump virtue, and the FBI acts as corporate muscle.

I tried to query Maynor on the subject, to ask him if Krebs' reporting that pressure from Apple kept him from identifying the MacBook hardware as being vulnerable to the exploit he demoed at Black Hat was correct. He hasn't answered either, and I can't say that I blame him. Not everyone can afford to act like Michael Lynn.

At press time, millions of end users may be using Wi-Fi so insecure that an attacker could install a rootkit on their system in less than a minute. Those who know, or at least claim to know -- the researchers, Apple, and perhaps ISS -- are keeping mum, for reasons known only to Baud and their lawyers. So at the moment, Apple's current ad campaign about being more secure than Windows is being kept safe from harm.

But what about the users? Who speaks for them? Remember, we are not talking about a matter of a few days. This exploit has been trumpeted in the press at least since June 22, when Robert McMillan first reported on it and the fact that it would be disclosed at Black Hat. Presumably, the researchers, or ISS, would have notified the responsible vendors prior to publication of that story.

If any laptops are compromised as a result of the cone of silence that apparently has been slapped down on this issue, their lawyers may choose to call it something other than faux disclosure. Maybe something like depraved indifference.


  • Security
Click Here!