AOH :: ISN-2952.HTM

Johnny Cache breaks silence on Apple Wi-Fi exploit

Johnny Cache breaks silence on Apple Wi-Fi exploit
Johnny Cache breaks silence on Apple Wi-Fi exploit 

By Joe Barr
September 04, 2006

Jon Ellch -- aka Johnny Cache -- was one of the presenters of the now
infamous "faux disclosure" [1] at Black Hat and DEFCON last month.  
Ellch and co-presenter Dave Maynor have gone silent since then,
fueling speculation that the entire presentation may have been a hoax.
Ellch finally broke the silence in an email to the Daily Dave security
mailing list [2] over the weekend, and one thing is clear: he is
chafing under the cone of silence which has been placed over the two
of them.
Ellch explains their silence since the presentations in his email by 
  Secureworks absolutely insists on being exceedingly responsible and 
  doesn't want to release any details about anything until Apple 
  issues a patch. Whether or not this position was taken after a 
  special ops team of lawyers parachuted in out of a black helicopter 
  is up for speculation.

He also went on to explain that while the debate was centered in the 
Mac blogger community, it made no sense to discuss it because most of 
them wouldn't understand the explanation if he gave it, adding, "Since 
this conversation has moved into a venue of people who can actually 
grasp the details of this, I'm ready to start saying something."

Ellch then breaks down the elements of the vulnerability and possible 
exploits, but in the context of Intel drivers rather than Apple's, 
asking and then answering the obvious question of why he did so when 
he wrote: "Why am I switching the subject from Apple's bug to Intel's? 
Because it's patched, and Secureworks has no influence over what I say 
regarding this one."

He buttressed his explanation of how he crashed the Intel Centrino 
driver by creating a race condition by flooding it with UDP packets 
and disassociation requests with links to dumps of crashes he caused 
using this technique.

Ellch notes that a crash caused this way doesn't guarantee a 
successful exploit, saying "If you're lucky, your UDP packet will end 
up on the stack. If you're less lucky, a beacon packet from a nearby 
network will end up on the stack. In the case where I successfully 
overwrote eip (Extended Instruction Pointer), the UDP packet was 1400 

He also responded to criticisms that he and Maynor have simply been 
"playing the media" instead of reporting an actual vulnerability and 
exploit, saying: 

  You know, of all the comments I see, the ones that 'we played the 
  media' make the least sense. Have you ever seen me in the news 
  before? No. Have I ever talked to a reporter before? No. Am I doing 
  a very good job of winning this PR smear campaign lynn fox ignited? 
  No. If I was so deft at manipulating the media, would I be 
  explaining myself on dailydave praying that a few technically 
  competent people will actually get it?

I contacted Ellch by email after reading his post and asked if he was 
claiming Apple is the cause of their silence. He replied:

  Let's just say its pretty obvious I'm not happy about being silent. 
  So much so that i'm releasing non-apple bugs to convince people that 
  we do in fact know what we're talking about.


HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: 

Site design & layout copyright © 1986-2015 CodeGods