Apple's Wi-Fi Fallout
Think about it next time you sit down to a latte at Starbucks.
Thanks to the likes of Apple's Lynn Fox, Jim Dalrymple, David Chartier, 'Charlie', Glenn Fleishman, Jim Thompson - and of course the inimitable John Gruber - the ramifications of David Maynor's demo at the Black Hat briefings in Las Vegas last year have never been properly explored in the media. Instead a torrent of distracting spin and fanboy hysteria clouded the issues. Whilst Maynor himself says the target audience - driver writers, not self-serving bloggers - contacted him for advice on preventing such disasters in the future, ordinary users have not to any measurable extent considered the implications.
The days of pre-Internet standalone systems are numbered. Microsoft still have such a system online but it is doomed. Personal computers aren't personal anymore and haven't been for a long time. All systems must be multiuser and have multiple levels of privilege with multiple inner barriers and controls. Systems such as Unix - BSD, Linux, Apple's OS X - are appropriate for use on the Internet; Windows is not.
Hacking Windows is both profitable and easy. It is profitable because the numbers are profitable: with a 95% demographic the target is bigger than a barn door. It is easy because an attack need not worry about skirting inner authentication obstacles: as soon as any software interfacing with the Internet breaks the black hats are in.
'You can't break in if no one is listening', said Hacking Exposed author Stu McClure in the understatement of the Millennium. But personal computers connected to the Internet are indeed listening: to read a single web page requires listening; to receive mail requires listening. And so forth.
If the black hats can break Internet Explorer; if they can break Outlook; if they can break Firefox or Thunderbird or Eudora or AOL or MSN or Yahoo Messenger - then they're in. Microsoft can't write 100% flaw-free code - no one can. Microsoft can try to improve their coding quality, but Microsoft least of all - after years of sloppy programming standards - are going to be able to plug each and every last leak each and every time. Los Alamos can't do that; if they can't, Microsoft never will. Flaw-free code is an empirical impossibility.
Which again is why multiuser systems with multiple privilege levels and multiple inner barriers and controls are the only bulwark against the malfunctioning software the black hats are attempting to exploit. Without such a security architecture the malware can't be stopped and the damage can't be controlled. When the black hats hack into a Windows computer they take over the entire machine.
The Oompa Loompa exploit for OS X released in 2006 is a case in point of the vast difference between attacking a secure multiuser system and a standalone system such as Windows: the author never once even attempted to escalate to root. Had it been a Windows machine Oompa Loompa targeted there would have been no doubt, no hesitation - 'root' on Windows is there for the taking.
Given the current condition of online 'computing' it's a good thing the systems at least the more intelligent people use have their inner barriers and controls. These are what stop an Armageddon. But the introduction of wireless communications puts everything on its head again.
Although David Maynor has been trying to sensitise security researchers to the dangers for several years the majority of wireless attacks have fortunately been of the form of sniffing traffic rather than overtaking unwitting machines. It's fairly easy - it's fairly commonplace - for anyone today to walk into any major hotel or surgery or hospital with a laptop equipped with the right software and walk away with untold secrets in gigabytes of data presumed to be secure. The editors of The Register were taken on a war driving excursion through the banking district of London not so many years ago; reports continue to stream in about unguarded wireless networks in supposed HIPAA protected facilities where patient records can be picked up without the bat of an eye. And surely if a network be so insecure as to permit login without any authentication it's disastrous. But what happens if computers are in fact secure, are in fact running a 'real' operating system such as a BSD, Linux, or Apple Unix?
David Maynor's demonstration shows not only that exploitation is still possible but how it is possible - and it points an accusing finger at a new weakest link in modern security thinking.
Wireless drivers run at root level or close to it. They run in the OS kernel. They interface with the OS at the lowest level possible. They run in unpaged memory. In short: they can own the machine.
Naturally computer users trust their drivers and the vendors who supply the drivers but again: no programming code can ever be 100% perfect.
The flaw Jon Ellch and David Maynor found in Apple's wireless driver has since been fixed (before Toorcon) but the flaw they found in the third party card they substituted for the built in Apple driver has not. How many other drivers are still insecure? Is it all down to one single type of programming mistake, the same flaw in each and every driver on the market?
Is the wireless driver the only place to attack a computer? Is it possible to corrupt any computer at all with malfeasant code and data on a USB stick of any type whatsoever?
A lot depends on exactly what interfaces with these peripherals and where. Send corrupt data in at this level; overwrite the stack or the heap, injecting code of one's own: there are no further authentication controls, no privilege escalation necessary. The box is suddenly as wide open as a Windows box just hacked by yet another Internet Explorer flaw.
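An added illustration of the bug class the preceding paragraphs describe (this is not code from the article, from Maynor's demo, or from any vendor's driver, and the frames are constructed samples): an 802.11 information-element walk of the kind a wireless driver runs on every beacon frame it receives, in the kernel, before any user has logged in. The length byte in each element is chosen by whoever transmits the frame; bounding every read by the bytes actually received, rather than by that byte, is what keeps the copy inside the fixed kernel buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 802.11 management frames carry information elements (IEs): one tag byte,
 * one length byte, then that many bytes of value.  The SSID element (tag 0)
 * holds at most 32 bytes.  A driver that trusts the length byte and copies
 * that many bytes into a fixed kernel buffer is the classic driver overflow. */
#define IE_SSID      0
#define SSID_MAX_LEN 32
struct ssid { uint8_t len; uint8_t bytes[SSID_MAX_LEN]; };

/* Hardened IE walk: every read is bounded by the bytes actually received
 * (frame_len), never by the length byte the sender chose.
 * Returns 0 on success, -1 for a malformed frame, -2 if no SSID is present. */
int parse_ssid(const uint8_t *body, size_t frame_len, struct ssid *out)
{
    size_t pos = 0;
    while (pos + 2 <= frame_len) {           /* room for tag + length byte? */
        uint8_t tag = body[pos];
        uint8_t len = body[pos + 1];
        if (pos + 2 + len > frame_len)       /* declared length runs off the frame */
            return -1;
        if (tag == IE_SSID) {
            if (len > SSID_MAX_LEN)          /* would overrun out->bytes */
                return -1;
            out->len = len;
            memcpy(out->bytes, body + pos + 2, len);
            return 0;
        }
        pos += 2 + len;
    }
    return -2;
}

/* Constructed sample frame bodies (not real captures). */
static const uint8_t good_frame[]  = { 0x00, 0x04, 'c', 'a', 'f', 'e', 0x01, 0x01, 0x82 };
static const uint8_t short_frame[] = { 0x00, 0x3c, 'x', 'x', 'x', 'x', 'x', 'x', 'x' }; /* claims 60 bytes, has 7 */
static const uint8_t long_ssid_frame[42] = { 0x00, 0x28 };   /* length byte 40: fits the frame, not the buffer */
static const uint8_t no_ssid_frame[] = { 0x01, 0x01, 0x82 }; /* only a supported-rates element */
static struct ssid parsed;

int main(void)
{
    int rc = parse_ssid(good_frame, sizeof good_frame, &parsed);
    printf("rc=%d ssid=%.*s\n", rc, parsed.len, (const char *)parsed.bytes);
    return 0;
}
```

Both malformed frames are rejected before any copy takes place; a driver missing either of the two checks would have copied attacker-chosen bytes into kernel memory with no further barrier to cross.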
David Maynor says our reasoning is flawed if we're still thinking in terms of 'one' computer: each and every component inside a modern computer is more powerful than the PCs of old; each and every one of these components may be capable of overtaking the entire machine.
And our other devices? Our iPhones, our iPods, and of course our obsequious USB sticks? They interact with our computers; they represent computers and computer systems of their own. Can their use be exploited in combination with weaknesses in computer architecture to pave the way for even further types of attacks?
That's what people - and the media - should be discussing today. Not whether David Maynor has a frog in his pocket.
Rixstep: Hacker Finally Publishes Notorious Apple Wi-Fi Attack