September 4, 2006

Johnny Cache breaks silence on Apple Wi-Fi exploit

Author: Joe Barr

Jon Ellch -- aka Johnny Cache -- was one of the presenters of the now infamous "faux
at Black Hat and DEFCON last month. Ellch and co-presenter Dave Maynor have gone silent since then, fueling speculation that the entire presentation may have been a hoax. Ellch finally broke the silence in an email to the Daily
Dave security mailing list
over the weekend, and one thing is clear: he is chafing under the cone of silence which has been placed
over the two of them.Ellch explains their silence since the presentations in his email by saying:
Secureworks absolutely insists on being exceedingly responsible and
doesn't want to release any details about anything until Apple issues a
patch. Whether or not this position was taken after a special ops team
of lawyers parachuted in out of a black helicopter is up for speculation.

He also went on to explain that while the debate was centered in the Mac
blogger community, it made no sense to discuss it because most of them
wouldn't understand the explanation if he gave it, adding, "Since this
conversation has moved into a venue of people who can actually grasp the
details of this, I'm ready to start saying something."

Ellch then breaks down the elements of the vulnerability and possible
exploits, but in the context of Intel drivers rather than Apple's,
asking and then answering the obvious question of why he did so when he
wrote: "Why am I switching the subject from Apple's bug to Intel's?
Because it's patched, and Secureworks has no influence over what I say
regarding this one."

He buttressed his explanation of how he crashed the Intel Centrino
driver by creating a race condition by flooding it with UDP packets and
disassociation requests with links to dumps of crashes he caused using
this technique.

Ellch notes that a crash caused this way doesn't guarantee a successful
exploit, saying "If you're lucky, your UDP packet will end up on the
stack. If you're less lucky, a beacon packet from a nearby network will
end up on the stack. In the case where I successfully overwrote eip
(Extended Instruction Pointer), the UDP packet was 1400 bytes."

He also responded to criticisms that he and Maynor have simply been
"playing the media" instead of reporting an actual vulnerability and
exploit, saying:

You know, of all the comments I see, the ones that 'we played the media'
make the least sense. Have you ever seen me in the news before? No.
Have I ever talked to a reporter before? No. Am I doing a very good job
of winning this PR smear campaign lynn fox ignited? No. If I was so deft
at manipulating the media, would I be explaining myself on dailydave
praying that a few technically competent people will actually get it?

I contacted Ellch by email after reading his post and asked if he was
claiming Apple is the cause of their silence. He replied:

Let's just say its pretty obvious I'm not happy about being silent. So
much so that i'm releasing non-apple bugs to convince people that we do
in fact know what we're talking about.
Click Here!