05 September 2006, 16:22

WLAN hack explained - but once again, not for the MacBook

Writing in a security mailing list under his alias Johnny Cache, Jon Ellch has published details about how a security problem in Intel's Centrino WLAN driver for Windows, since patched, can be exploited to plant code on a laptop and then execute that code with kernel level privileges. In a nutshell, he bombards the laptop with disassociation requests and UDP packets. He has documented his achievement with Windows crash dumps from both successful and unsuccessful attacks.

David Maynor and Jon Ellch attracted attention at the recent Black Hat Convention when they demonstrated how a MacBook could be hacked via a flaw in the WLAN driver. To do so, they used a WLAN card from a third party manufacturer and drivers not included in the package delivered with Mac OS X. Their assertion that original Mac hardware and software are also vulnerable remains unproven. Apple's spokespeople have for their part denied the existence of a comparable hole in Mac OS X.

In his new posting, however, Ellch insists that there is a WLAN security problem for MacBooks that requires a patch from Apple. Yet he does not provide any details on this, in his words because SecureWorks, the company sponsoring that project, wants to be exceedingly careful. Ellch hinted again that pressure had been exerted: "Whether or not this position was taken after a special ops team of lawyers parachuted in out of a black helicopter is up for speculation." The Intel hole by contrast is already patched and SecureWorks has no influence on what he says about it.

Whether Apple's software truly has a similar flaw and whether it can in fact be exploited remains an open question. The fact is that Ellch and Maynor clearly possess the technical capabilities for turning up and exploiting this kind of error. Given these new confirmations of his assertions, Ellch has played the ball back into Apple's court. The company now has two options to clear up the matter: either it releases a patch or it publicly challenges Maynor, Ellch and SecureWorks to publish all information related to the issue, whilst guaranteeing them immunity from legal action.