Robert Lemos interviews Kevin Finisterre, founder of security startup Digital Munition, who created the three recent versions of the InqTana worm to raise awareness of security in Apple's OS X. Finisterre discusses his reasons for creating the worms, the problems with Mac OS X security, and why he does not fear prosecution.
Kevin Finisterre: I am 25 years old and a current resident of Columbus, Ohio. I have been publicly active in the computer security scene since around 1998. Most of my research was published through Secure Network Operations, where I served as the Head of Research and Development. Since SNOSoft has dissolved, I have been focusing my time on a project called Digital Munition. My educational background stops with your traditional high-school-level education. After feeling as if I were being spoon-fed at DeVry, I decided to just dive head first into my career as a Unix sysadmin. My spare time is spent researching various aspects of computer security on a number of platforms.
How long have you been using Macs? How do you think the security model compares to Windows and Linux?
Finisterre: I got my first Mac in 2001. Most of InqTana was actually developed on my Dual USB 2001 iBook and an old G3 333MHz iMac. I honestly love Mac hardware, but do not care too much for the OS. I have spent a great deal of time on Mac-based hardware developing shell code and learning the ins and outs of exploiting the PPC architecture.
Overall, I do like some of the features that OS X offers; however, it is very difficult to compare the different operating systems. Obviously, because it is Unix-based, it is very similar to Linux. To put it simply, though, all three sets of OS developers do some dumb things, and this is very unlikely to change in the near future. I really cannot say which operating system is better than the other, but my personal preference is Mac hardware running the Linux OS.
Ninety percent of my time is spent on the Mac. I would take a PowerPC 4-byte assembly instruction over a single byte Intel instruction any time.
How did you find the original vulnerability in Bluetooth that this worm exploits?
Finisterre: Lots of caffeine and late nights. The real story is that OS X had recently added Bluetooth support and I had just gotten a new Mac Mini. That alone is the recipe for keeping me up late. My recent fetish with Bluetooth made it an easy and obvious target. I was already in the process of working on a number of other Bluetooth-related issues.
The funny thing is that it actually took some prodding to get Apple to consider this an issue. I originally reported to them that I thought it was a bad idea to share out Bluetooth in a completely open fashion. Shortly after, I discovered the directory traversal attacks, which made the default setting that much more "fun." Once this developed, things were obviously taken more seriously.
In your paper, it sounds like both 10.4 and 10.3 were vulnerable, but aren't any longer. Is that right?
Finisterre: The Bluetooth bug that InqTana exploits has been patched for some time now. There was a short period of time during which 10.3.x was patched; however, 10.4 silently sat vulnerable. Apple asked me to withhold information about 10.4 being vulnerable until they could get patches out. I happened to find the issue just as 10.4 was pressed and shipped. Plenty of folks don't update their software, so under vanilla configurations of 10.3 and 10.4 (read: no patches) you are vulnerable.
I would assume that if you went to the store right now and came home with a new Mac, it would have a vanilla version of 10.4 installed with Bluetooth enabled by default. [Editor's note: An Apple spokesperson has said that the Macs currently available at retail have had this problem fixed.]
Why did you decide to make a worm out of the vulnerability?
Finisterre: I have heard so many folks touting the misconception that Macs can't get viruses that I thought it was about time to start a dialog with some of the AV (antivirus) companies and express some of my ideas. In the process of confirming my own concerns, this code was created. I am not one for talking about things in concept form; I like to actually implement and prove a concept.
The idea that Macs can't get viruses is simply absurd and I wanted to highlight that fact. It was pure coincidence that Leap.A had already (been created to) set out to prove that the old wives' tale is false.
InqTana was more or less an exercise in proving folks wrong about the possibilities of Mac malware.
Just to be clear, you wrote all three variants of this worm, right?
Finisterre: This is correct. The code that was dubbed InqTana.A by (researcher) Jarno (Niemelä) of F-Secure was originally completed on Valentine's Day. Once Leap.A was released and I did some reading, I came up with InqTana.B by making a slight mod to the Leap technique. InqTana.C was the final demonstration of my concerns and will most likely be the last variant.
Each variant was created to illustrate a specific vector for implanting malware onto OS X. The details of each of these techniques are outlined in the paper titled "InqTana through the eyes of Dr. Frankenstein."
Which of the three methods above do you think will be used by future worm and virus authors the most? Hopefully Apple will take note and address these areas of concern.
Finisterre: The InputManager technique seems to be very powerful. Using it to hook either -init or for a MethodSwizzle will most definitely be a popular thing to do. The primary reason I think it will be used often is due to the fact that it is portable across major versions of OS X. The launchd and dyld techniques are more specific to a particular version of OS X.