Last year, Maynor, who was a senior researcher with Atlanta-based managed security services provider (MSSP) SecureWorks Inc., and Ellch showed attendees a video in which Maynor used a Dell Inc. laptop to compromise a MacBook in about 60 seconds, just by targeting its wireless card and wireless device driver. The presentation caused an uproar in the Mac community, and Apple pressured Maynor into writing a blog entry on the SecureWorks Web site saying that the laptop did not contain any vulnerabilities.
In a presentation at the Black Hat DC Training conference on Wednesday, Maynor revealed several exchanges he had with Apple after the public demonstration, disclosing packet captures that showed he tried to give researchers there the ability to exploit the flaws. He also showed several email exchanges that he said prove he helped Apple build a Wi-Fi auditing box after Apple researchers couldn't get the exploit to work internally. The email exchanges he provided were from his personal email account. He said he is still unable to discuss any communication he had with Apple via his SecureWorks email account.
"I said over and over again on the video that although I'm exploiting a MacBook, I'm not exploiting anything native," Maynor said. "The bugs that affected the MacBook also affected every Windows machine with a Broadcom card."
Maynor, who currently serves as chief technology officer of Errata Security, also took the blame for not disclosing the vulnerabilities to Apple before the public demonstration at the Black Hat conference.
"I made mistakes, I screwed up," Maynor said. "I probably shouldn't have done that demo. I probably shouldn't have talked to a reporter about it before the information was made available. There are a lot of things you can blame me for. I was wrong. At the same time, I also didn't try to assassinate Apple."
Maynor said that although the demonstration took place on an Apple MacBook running OS X version 10.4.6, he stated repeatedly on the video that the Wi-Fi flaws affected a variety of drivers and not just Apple's. Apple released version 10.4.8, which patched the wireless bugs, but Maynor said neither he nor Ellch was credited with discovering the flaws. Maynor said he plans to release the attack code for researchers on his blog.
"I believe in responsible disclosure, but disclosure should be a two-way street," Maynor said, adding that he likely won't talk to Apple researchers as he conducts further research on wireless exploits.
One of the major problems with wireless drivers is that driver makers rely on the chipset maker to provide a sample driver that they can adapt to their needs, Maynor said. The reference driver created from the sample is often vulnerable, he said.
Future research will cover other Wi-Fi areas, Maynor said. Wireless fuzzing will not just target the 802.11 specification. Bluetooth is susceptible, as are WiMax and infrared technology, he said.
"So far we haven't delved into the tricky parts of the protocols yet," he said. "There's a huge untapped area."