Black Hat: MacBook hacked via WLAN [Update]
David Maynor from Internet Security Systems (ISS) and Jon Ellch from the U.S. Naval Postgraduate School in Monterey have announced how a MacBook can be hacked using a flaw in the WLAN driver. The duo presented their findings at the Black Hat Conference currently underway in the US. The two kept details about the attack under wraps, however. They only presented a video demonstrating the attacks, to prevent someone from recording the packets and hence repeating the attack and analysing it.
Flaws in device drivers are considered particularly critical because things like manipulated packets cannot be intercepted by a firewall or similar protective mechanism – the packets first pass through the device driver before they are forwarded on to the operating system's sub-systems. Because drivers run in the system context, it's possible for attackers to use clever tactics to sneak through security holes and gain complete control of the computer.
Maynor and Ellch indicated that MacBooks are not the only vulnerable machines. Successful attacks could also be carried out on Windows laptops and desktops. The pair claims to have found similar security holes in Windows WLAN drivers as well. Ellch reported to the American press that he is currently developing a tool that can identify the chip set and driver version of a WLAN device. His tool can currently recognise 13 different device drivers. This is helpful for detecting vulnerable devices and conducting targeted attacks.
Maynor says that he and Ellch work together with Apple, Microsoft and other manufacturers. Both large firms are ready to offer help to WLAN product makers and OEMs to remove the problem in the drivers. The recent release of new drivers for the Centrino platform is not at all related to their research results, Maynor and Ellch claim. Intel, working on its own, discovered, marked as critical and then eliminated security holes that allowed for the planting of malicious code. Only a little over six weeks ago, Intel was still categorising the risk of errors in device drivers as low.
As can be seen in the video, Maynor and Ellch did not use the internal AirPort WLAN adapter but a third-party wireless card. But according to Brian Krebs from the Washington Post, this was only done at Apple's request. In an interview with Krebs, Maynor stated that "the default Macbook drivers are indeed exploitable". However, Krebs did not comment on the strange fact that Maynor abandoned that demonstration in favour of Apple but then postulated this very fact in an interview.