January 13, 2007

The End of This Blog

If you've found this post, please note that this blog is no longer active: We started it to track Apple-specific Wi-Fi announcements, but they've turned out to be both so sporadic and of such broad interest to the Mac community that we write and post articles over at TidBITS.

December 3, 2006

AirPort Extreme Wi-Fi Flaw

The Month of Kernel Bugs (MoKB) project finished out November with an undisclosed flaw for AirPort Extreme: They had previously noted a number of Wi-Fi flaws, including a major one for AirPort Card users, now patched by Apple. In this case, they write that they communicated the flaw to Apple before announcing its existence, and haven't disclosed the full parameters of it. It's a similar flaw to others that have appeared, in which the kernel can be made to panic (crashing the computer) when improperly formed messages are sent to an AirPort Extreme Card, among other potential implications they're not disclosing. The security posting mentions "beacon frames" without elaboration. These frames are messages sent by an access point or base station that describe its parameters to an adapter that is looking to associate with a local network, or gathering information about the networks around it.

It's likely that Apple would be able to patch this quickly, as their September update covered a general category of malformed frames. The security team is probably now well aware of how to fix this kind of exploit. I'll guess we'll see an update by Dec. 10 unless Apple deems this a much worse or much less severe problem than how it's being described now.
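As an added illustration (not from the original post, and not the undisclosed flaw, whose details the post does not give): a C parser for a beacon frame's tagged parameters that checks every length field before using it, which is the general defence against the malformed-frame category described above. The function names, error codes and sample frames are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDR_LEN   24   /* 802.11 management MAC header */
#define FIXED_LEN 12   /* timestamp(8) + beacon interval(2) + capability(2) */
#define SSID_MAX  32   /* longest SSID the standard allows */
enum { BEACON_OK = 0, ERR_SHORT = -1, ERR_NOT_BEACON = -2,
       ERR_IE_TRUNCATED = -3, ERR_SSID_LEN = -4, ERR_NO_SSID = -5 };

/* Copy the SSID into out (SSID_MAX + 1 bytes); every length is checked before use. */
int parse_beacon(const uint8_t *f, size_t len, char *out) {
    if (len < HDR_LEN + FIXED_LEN) return ERR_SHORT;
    if (f[0] != 0x80) return ERR_NOT_BEACON;  /* version 0, type mgmt, subtype beacon */
    size_t off = HDR_LEN + FIXED_LEN;
    int found = 0;
    while (off < len) {
        if (len - off < 2) return ERR_IE_TRUNCATED;      /* no room for id + length */
        uint8_t id = f[off], ielen = f[off + 1];
        off += 2;
        if (ielen > len - off) return ERR_IE_TRUNCATED;  /* length byte overruns frame */
        if (id == 0 && !found) {                         /* element 0 is the SSID */
            if (ielen > SSID_MAX) return ERR_SSID_LEN;   /* would overflow out */
            memcpy(out, f + off, ielen);
            out[ielen] = '\0';
            found = 1;
        }
        off += ielen;
    }
    return found ? BEACON_OK : ERR_NO_SSID;
}

/* Constructed tagged sections (not captured traffic). */
static const uint8_t GOOD[] = {0, 4, 'h', 'o', 'm', 'e', 1, 1, 0x82};
static const uint8_t OVERRUN[] = {0, 200, 'A', 'A'};  /* claims 200 bytes, has 2 */
static const uint8_t BIG_SSID[35] = {0, 33};          /* 33-byte SSID, one over the limit */
static char last_ssid[SSID_MAX + 1];

/* Wrap a tagged section in a zeroed beacon header and parse it. */
int parse_sample(const uint8_t *ies, size_t n) {
    uint8_t f[HDR_LEN + FIXED_LEN + 64] = {0};
    if (n > 64) return ERR_SHORT;
    f[0] = 0x80;
    memcpy(f + HDR_LEN + FIXED_LEN, ies, n);
    return parse_beacon(f, HDR_LEN + FIXED_LEN + n, last_ssid);
}

int main(void) {
    printf("good=%d overrun=%d big_ssid=%d\n", parse_sample(GOOD, sizeof GOOD),
           parse_sample(OVERRUN, sizeof OVERRUN), parse_sample(BIG_SSID, sizeof BIG_SSID));
}
```

The two rejected samples show the checks a frame parser cannot skip: a length byte that points past the end of the frame, and a field that fits the frame but not the destination buffer.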

Apple Patches AirPort Weaknesses

Apple released security updates for Mac OS X 10.3 (Panther) and 10.4 (Tiger) that fix the AirPort Card weakness: While there was no widespread (or even narrowly spread) information about this exploit in the original AirPort Card's drivers being taken advantage of in the wild, Apple has patched the flaw within a few weeks of its announcement. The flaw would allow a nearby attacker to crash a Mac with an AirPort Card under the right circumstances (see previous post for more details).

Security Update 2006-007 has six different versions. The AirPort Card was only ever available for PowerPC computers--Mac models released between 1999 and 2002 could accept the card--but the versions for Intel-based Macs include fixes to other bugs and weaknesses in this package. The security update is available in client and server flavors to patch 10.3.9 and 10.4.8.

You can download the patches manually or simply use Software Update from the Apple menu to get the appropriate release for your system.

November 20, 2006

Dangerous Exploit for AirPort Card Users

Mac OS X may be at risk via the original AirPort Card because of an attack methodology published last week as part of the Month of Kernel Bugs. The attack can corrupt some "internal kernel structures," and causes a kernel panic - a crash. The developer of the attack believes that he may be able to modify this with some effort into a root exploit in which control of the machine could be seized.

The approach as published works only with the AirPort Card, the internal 802.11b Wi-Fi adapter for Macs introduced in 1999, and used in all Mac models introduced until late 2002. Apple stopped selling the AirPort Card some time ago - much to the dismay of people whose adapter died on an otherwise usable computer. All Mac models introduced in 2003 and later sport a slot for AirPort Extreme (802.11g) networking; the AirPort Extreme Card slot is not compatible with the original AirPort Card.

Further, the developer of the attack notes that the exploit works best when a Mac has been placed into active scanning mode, which requires a command-line tool included with Mac OS X or the KisMAC utility. In a brief interview with Brian Krebs of The Washington Post's Security Fix blog, the exploit developer told Krebs that he found some vectors for breaking Macs with AirPort Cards that were in an idle, non-associated state, but hasn't produced results he wanted to discuss yet.

The exploit was published as a recipe for reproduction, more or less, so it's not embedded in a prefabricated application designed simply to crash computers, but it will be incorporated into the open-source Metasploit framework, which is a system to stress-test software and operating systems in an automated fashion using malformed packages of data and other techniques. (At this writing, the developers say it's part of Metasploit, but I don't see an item representing it in the list of modules.)

The Month of Kernel Bugs (MoKB) uses a small set of standard tools that stress test operating system kernels by generating massive amounts of arbitrary input - fuzzing - which can be associated with resulting errors on the attacked computer to figure out what input caused which exploitable errors or crashes. The project says they have five more Apple kernel bugs that will appear over the next 30 days. (No additional Apple bugs have appeared as of this writing.)

In a fairly irresponsible move, the MoKB coordinator said there will be no advance notice to the makers of affected systems in any systematic way prior to release of the exploit. Exploits that are released on the day the vulnerability is identified are called "zero-day exploits." In the security world, this is considered bad form, somewhere between taking a dump in a swimming pool and selling drugs to children. There's little reason to not provide advance information to affected parties unless you're trying to be clever, instead of smart.

The justification by the MoKB coordinator, identified only as LMH, is the tired old "Apple doesn't listen to security flaws and pretends it doesn't have any" argument. The industry soap opera that began in August, "To the Maynor Born: Cache and Crash," apparently has led many hobbyist and professional security researchers to decide that Apple systematically denies security flaws when they exist. In the case of that saga, it's fairly clear that only a handful of people have actually seen what was alleged to have been given to Apple, which means that relying on that case as an example of Apple ignoring security issues or misusing security researchers requires second- or even third-hand knowledge. (Apple told Krebs that they are investigating this latest AirPort flaw, which they learned about "recently.")

In comments to a post about this on LMH's Kernel Fun blog, he or she writes, "It's actually a matter of time to demonstrate that all the pro-Mac paranoia is just plain useless. Apple does good stuff indeed, but they obviously do [make] mistakes as everyone does." It's hilarious that anybody credible thinks that vocal Mac zealots represent the interests of the entire Mac community. A more realistic view by an experienced Mac user can be found as the second comment (by Dave Schroeder) on Ryan Russell's blog entry on this exploit.

May I state for the record as a regular reporter on Macintosh matters that I don't reflexively believe that Mac OS X is invulnerable? In fact, I have written regularly about flaws that are reported, and about the risk that we face as a community of users that lack immunity. While Apple has built its operating system on a strong foundation, that in no way precludes exploits that use vectors that weren't considered.

Your high-level takeaway? No Mac model that shipped beginning in 2003 nor older Macs without active scanning enabled are known to be vulnerable. The vulnerability requires a nearby user, too, or one with a high-gain antenna who can reach your computer. I'm guessing Apple patches this relatively quickly for Mac OS X 10.3 and 10.4 users, and that they'll be working overtime to stay on top of other MoKB announcements.

October 4, 2006

Macworld Podcast on Apple Wi-Fi Exploit, 802.11n, iTV

Macworld's editor-in-chief Jason Snell and I talked about Wi-Fi and Apple on today's podcast: The Macworld Podcast (Wi-Fi Security and iTV) covers the Maynor/Ellch exploit controversy, and when 802.11n might arrive on a Mac (and whether iTV will sport 802.11n). In this podcast, I note that what Apple's patches fix, which they term never-demonstrated exploits, is the worst security hole in Mac OS X ever. But it's patched. (Download MP3.)

September 29, 2006

Apple Adds EAP-FAST Support

If you don't know what EAP-FAST is, you don't need it. Apple's Mac OS X 10.4.8 update includes new support for a Cisco-exclusive method of logging into a wireless local area network. EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) is a replacement for Cisco's LEAP (Lightweight EAP), which is still in use despite extensive documentation of its cryptographic weakness, including exploit software to extract passwords from transmitted data.

EAP methods allow a username and password or other credentials (such as a smart card swipe) to be passed through a wireless or wired gateway to a backend server that authenticates the validity of the credentials--that the password is valid or the smart card is authorized. Once that's approved, the user trying to gain access is given access. Before then, they're sort of shunted to the side in a way that only allows them to petition for access. This provides a pretty high level of security.

Unfortunately, EAP isn't secured, meaning that any of the data sent via EAP is passed in the clear. Various methods of secured EAP encrypt the authentication part, so that credentials aren't revealed to snoopers. The most widely used form of secured EAP is PEAPv0 (Protected EAP version 0), a method that's found in built-in software in Windows XP SP1 and later and in Mac OS X 10.3 and later. It's also available through free and commercial software for Windows, Linux, and handhelds.

Cisco has a document that describes EAP-FAST and its use, and its limitations.

AirPort Security Updates

Long period of quiet on this blog, I know. The news tends to come in bunches, doesn't it?

The big news of the last few months has been the alleged security flaws uncovered by two researchers that would allow a network cracker to access a system running Mac OS X (along with some not-yet-identified Wi-Fi adapters used with Windows) by sending particular sets of data that would cause the AirPort driver to either crash the Mac, run some code it was sent, or allow a cracker access at a level that no one but a system administrator should have.

There's dispute over whether the researchers provided information to Apple that led to Apple releasing patches last week that fix flaws that sound quite similar. The researchers have not directly stated publicly that they provided enough information to pinpoint the flaws; Apple says explicitly they did not. We'll leave that to whoever needs to figure out credit.

For detailed information on the history of this, you can read my coverage at Wi-Fi Networking News in the Security category.

For the purposes of this AirPort blog, I advise everyone running Mac OS X 10.3 (Panther) or 10.4 (Tiger) to use Software Update to install the appropriate AirPort patches immediately. These patches should make it currently impossible (to the best of Apple's ability to test) to use this entire category of attack to crash or hijack a Mac. Apple says no exploit code was found, but that these patches obviate any future exploitation of this kind.

April 26, 2006

KisMAC Releases New Version

The Wi-Fi sniffing and monitoring software gets revised to version 0.21a: This is the first stable new release in over a year, following on the heels of new maintainers of the open-source software project. Development has been ongoing, but it's taken a while to get a version that the programmers feel is ready for broader use.

The new version is a universal binary and supports Intel iMacs, but still lags in the code necessary for the slightly different Wi-Fi chips found in the MacBook Pro and Intel Mac minis. (The iMacs use chips from Broadcom, which hasn't open-sourced its driver code; the other machines use Atheros chips, which should provide some details on accessing their lower-level functions.)

April 22, 2006

Quiet Blog

I know that this blog has been quiet again for the last few months, but there's been precious little AirPort-related news. Firmware is stable. The new Intel Macs seem to work fine with Wi-Fi. And no new products have appeared.

I expect this to change soon. The latest revision to Wi-Fi, the 802.11n standard working its way through a standards process, has already started appearing in early draft versions this month. 802.11n can boost the raw speed of Wi-Fi from the 54 Mbps of 802.11g (AirPort Extreme) and 802.11a to 600 Mbps in the most expensive version that has all optional elements included.

In the "slowest" version of 802.11n, expect a raw data rate of 150 Mbps and a net throughput of about 100 Mbps or better, nearly four times faster than plain 802.11g. Now Apple's AirPort Extreme and other manufacturers' enhanced versions of 802.11g can deliver rates of 30 to 50 Mbps depending on equipment and interoperability. The pioneer in multiple-in/multiple-out (MIMO) antenna systems, Airgo, has delivered chips that appear in Buffalo and NetGear equipment that already provide 100 Mbps or better real throughput, but only at a high cost and among like devices.

Because Apple was an early adopter of 802.11g, and because it's eschewed the proprietary and odd extensions to 802.11g that have appeared in intervening years--they adopted the more generally compatible improvements--they're ideally poised to make the leap from AirPort Extreme to AirPort FreakingFast or whatever super-duper name they'll assign to it.

My expectation is that Apple will announce the new technology at or before WWDC this August because the final draft of the standard should be finished or close to it before then, and at least four chipmakers will have been producing draft chipsets for months and worked out the bugs. Interoperability should actually be fairly decent, or achievable via firmware upgrades.

I predict that Apple won't offer any 802.11n products that work in existing AirPort Extreme slots. Rather, they'll only use a PCI ExpressCard style interface. (The onboard Wi-Fi in the first Intel Macs uses this architecture.) So don't get your hopes up about Apple helping you to speed up a G4 or G5 Mac of any kind.

March 2, 2006

Mac mini Includes AirPort, Bluetooth

The higher price tag on the new Mac mini with Intel Core Solo or Duo chips obscures the fact that it's not just faster, but includes both wireless networking options previously sold separately. The $100 or so you'd pay for AirPort and Bluetooth 2.0 with a $499 first-generation Mac mini is built into this unit, probably due to very high demand for that built-to-order option.

The new Mac mini base model includes more memory, too, and gigabit Ethernet, but its more powerful video card uses main system memory instead of dedicated video memory, obviating that price difference.

Contents copyright ©2004, 2005 by Glenn Fleishman. All rights reserved. Contact Glenn for reprint permission. Links welcome.