Krebsgate Update

Friday, 2006-08-18; 20:52:00

Krebs' first response after the hack was revealed to be a fake, and an update from Jim Thompson

Krebs has posted an update regarding the falsified MacBook Wi-Fi hack on his Security Fix weblog. In it, he basically outlines everything that's been revealed today -- you can pretty much find all the same information from the links I've previously posted. Krebs says that:

A number of news outlets and blogs have picked up on these various statements and clarifications, but nowhere have I seen this tidbit: Apple's Fox said that prior to the Black Hat demo, SecureWorks did contact Apple about a wireless flaw in FreeBSD, the open-source code upon which Apple's OS X operating system is based.

Actually, Jim Thompson posted about that very same vulnerability earlier today, before Krebs posted his update. So apparently Krebs' reporting on this issue really isn't worth anything, since the same info can be found elsewhere. But maybe that's pushing a little too harshly on Krebs...

Note also that nowhere in Krebs' update did he call into question his original reporting. He didn't try to figure out where he got duped, he didn't try to figure out what questions he should have asked in order to figure out that he was getting duped, and he didn't even apologize to the Mac community for making a mountain out of a, well, not even a molehill. In fact, he reiterates that he saw the hack running on a MacBook without a third-party wireless card built-in! What the hell?

Indeed, as I reported earlier, in his hotel room on the eve of that presentation, Maynor showed me a live demo of him exploiting the built-in MacBook drivers to break into the machine from another laptop -- without a third-party card plugged in.

He's still claiming that he saw a fake hack running on the MacBook's internal AirPort card? Wow. Well, Thompson sheds some light on the subject. He's acquired a high-resolution version of the taped video that was shown at the Black Hat conference. (I could never get the video that was posted at the top of the original article to work.) From his analysis:

Moreover, if you look carefully at the output of the 'ifconfig' command that Maynor types in the shell window on the MacBook, only four interfaces are present in the machine.

en0: The Ethernet device
en1: The AirPort device
wlt1: A device driver Apple supplies for applications to read raw IP frames, like bpf on other Unix systems; doesn't work with AirPort on Intel hardware when last I checked.
fw0: IP over FireWire (1394a)

Note the lack of a USB device in the IP interfaces listed. In a very real sense, I find it likely that the USB device is a MacGuffin. A distraction.

Thompson actually e-mailed me to notify me of the follow-up post that he wrote after seeing me quote his original article in MY earlier article. I raised the question as to whether it's possible that the listing of the USB device could have simply gone off the top of the screen. He pointed out that it's possible, because we don't see the "lo0", "gif0", and "stf0" lines that are present on both of our machines (just run "ifconfig" from the Terminal). But it's also unlikely, because the USB device would have registered itself as "en2", which would have been listed after interface "en1", which we would have seen in the video. But we don't.

Thompson also states:

In what must now be viewed as a desperate attempt to drum up business for Maynor's firm, the pair went and found a USB device with a driver for MacOS that would forward unsolicited probe response frames, and then, via methods they are too shy (or embarrassed) to explain, attached same to a "reverse shell" process on the MacBook. Frankly, from what we're show [sic], its [sic] possible that all Maynor does is type nc -e "/bin/sh" port-num, and then simply clears the screen. The version of nc that comes with MacOS doesn't support the '-e' switch, but it would be easy to compile in and replace the stock nc binary.

In case you're wondering what nc does, the man page states:

nc allows you to use network sockets (tcp or udp) from the shell.

Thompson concludes that the supposed external USB device really didn't have much to do with the hack at all, and was just a diversion. That would make sense if Krebs really did see a supposed "demonstration" of the hack without the USB device attached.

The only other questions I had about Thompson's analysis were 1) whether the unknown white item at the start of the video was simply resting under the supposed external USB device when the Dell notebook is picked up and brought to the other side of the table, and 2) whether it's possible that Maynor's hand just dropped while picking up the external USB device from the table, making it appear as if he reached under the table. That would mean that the USB device and the unknown white item at the start of the video are one and the same.

But the answer to either of these questions doesn't really matter. The IP and MAC addresses that Maynor was supposedly hacking were clearly bound to the MacBook's internal AirPort card, even though he was claiming to hack the third-party wireless card. And none of the things that we see in the video add up to the conclusion that Maynor draws, i.e., that even the third-party wireless card was hacked.

I really can't believe that these "researchers" played this video at Black Hat. I mean, sure, they could dupe Brian Krebs, but how about anybody who actually thinks about the situation and looks at the video?
