updated 01:50 pm EDT, Wed August 2, 2006
Hackers to hijack MacBook
Two hackers today are planning to take complete control of a MacBook at a Black Hat presentation. Jon "Johnny Cache" Ellch and David Maynor have targeted a specific security flaw in the MacBook's wireless device driver, according to one blogger. While the security flaw is not Mac-specific, Maynor said the hackers decided to demonstrate the exploit on a Mac due to a "Mac user base aura of smugness on security." "We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," Maynor said. "The main problem here is that device drivers are a funny mix of stuff put together by hardware and software developers, and these guys are often under the gun to produce the code that will power products that the manufacturer is often in a hurry to get to market."
Many systems running a vulnerable wireless device driver are exposed simply by being turned on, as the wireless devices in most laptops constantly broadcast their presence to any network within range. Many wireless-enabled notebooks are even configured to automatically connect to any available wireless network.
The attack to be demonstrated today, however, works regardless of whether a vulnerable laptop connects to a local wireless network. The wireless card need only be active for the attack to succeed, and because device drivers operate at such a low level within the operating system, traditional safeguards such as firewalls and anti-virus software are unlikely to stop the host system from accepting malicious probes from potential attackers.
The hackers are trying to shed light on the fact that many device drivers are developed by a peculiar mix of hardware and software developers in an environment where products are rushed to market. Rushing the development of such important low-level software makes the drivers prone to security flaws due to lack of thorough code review, according to blogger Brian Krebs.
Following the demonstration, Ellch is also scheduled to discuss a new tool he is developing, which remotely scans target computers and discovers the chipsets and driver versions of their wireless devices. Ellch said the tool recognizes 13 different wireless device drivers so far, and breaks them down by operating system as well as firmware version.
"I'm getting this tool to the point where it can tell you not only how many people in a room are running, say, Centrino or Broadcom devices, but that 'x' number are running them on a Windows box with a specific version of the driver," Ellch said. "The useful thing for that information is that if you have a device driver exploit and it's version-specific, you could tweak [the exploit] before you launch it."
Both hackers have been in contact with Apple as well as Microsoft, and those companies are working with original equipment manufacturers as well as wireless card vendors to address the problems, according to Maynor.