PC World: Technology Advice You Can Trust
Today at PC World
News, opinion, and links from the PC World staff.
Monday, August 07, 2006 3:19 PM PT Posted by Erik Larkin

More on the Macbook WiFi Hack

I went to a follow-up talk over the weekend at Defcon on the Macbook break-in my colleague Narasu covered earlier in the week, and since the two presenters - Johnny Cache and David Maynor - answered some of the at-times heated questions that had come up, I thought I'd pass along some of their additional info.

Most importantly, and as Narasu said in her post, this vulnerability isn't specific to Macs. It's due to flaws in the 802.11 device drivers used for most all laptop wireless connections. Maynor and Cache say they found the holes mostly with automated tools called fuzzers.

The two say they had three attacks that worked against three particular device drivers, which vary depending on the wireless card used and the operating system. One of the holes used has since been fixed; the Macbook attack still works.

Because each attack is tailored to a particular driver, the exploit begins by "fingerprinting" the exact driver used on any given laptop, down to the version. The wireless card in question doesn't have to be connected to a network, just turned on.

Once the driver is identified, an attacker can launch a specific attack and take full control of the machine. Execute commands, create and delete files, what have you.

Maynor says he's giving Apple the data on the attack, and isn't otherwise releasing specifics that would let someone else reproduce the exploit. So I wouldn't expect to see the particular Macbook attack that he and Cache demonstrated in the wild. But the underlying 802.11 driver vulnerability, which the two hackers say stems from the drivers' complexity, will presumably remain for plenty of drivers.