Weather at the Frozen North
Last Updated: Aug 07, 2008 03:29 PM
Friday - August 04, 2006 at 10:15 AM
Wifi Vulnerability?
I've been thinking about the security vulnerability in WiFi network cards announced yesterday, and I'm starting to wonder if there's really all that much to this. The security hole was demonstrated on a MacBook with a third-party WiFi card installed, and was shown in a video tape rather than in a live demonstration. Very little additional information was given, other than that the bug was in the WiFi driver.
This strikes me as odder and odder the more I think about it. To begin with, the hardware used is really unusual--probably less than one in ten thousand MacBooks will have a third-party WiFi card installed, for the simple reason that all MacBooks come with built-in WiFi. The only reasons to have a third-party card would be because the built-in WiFi broke (and the MacBook is a new machine, so they're all still under warranty), or because the user wants to connect to two networks simultaneously. So it is reasonable to ask why they would choose to use a hardware combination so unusual as to be almost nonexistent in the real world.
The given answer was that they chose Mac to tweak the image of Apple as a secure platform (the actual quote is somewhat more colorful), but used a third-party WiFi card because they didn't want to leave the impression that it was just an Apple problem. Huh? A finer example of pretzel-logic I have rarely seen.
In the absence of more details, it is entirely possible that this bizarre hardware was chosen precisely because it has a unique vulnerability which does not exist on more common platforms. This undermines the implication in the demonstration video that every WiFi-equipped computer is vulnerable.
To put a finer point on it: if the flaw is in the WiFi device driver (as claimed), then every combination of WiFi hardware and OS will have, potentially, an entirely different set of vulnerabilities. Some drivers might be very bad, and others very good. It is possible that this hardware was chosen for the demo because it has a particularly bad driver, but that doesn't translate into a real-world problem since almost no real users would be using the buggy driver. (What's more, we shouldn't fault the manufacturer if they didn't rigorously test their software with hardware that nobody uses. As with anything else, there is a law of diminishing returns in testing.)
My next problem has to do with the way the demo was carried out: on video. The stated reason is that they didn't want anyone sniffing the WiFi connection and discovering the attack before it could be patched. That's an entirely reasonable concern. But it also conveniently avoids almost all independent scrutiny of the attack, and even the most basic questions about the level of the problem.
And that gets me to the third issue I have with this claim. The people responsible for the demo are spinning it as a major flaw affecting every WiFi-equipped computer out there (and getting a lot of publicity as a result), but have given almost no information about what hardware and software might actually be vulnerable, and under what conditions. Some very basic questions have yet to be answered about the scope of the problem, such as:
* Is this a universal flaw, something unique to this oddball hardware combination, or a class of problems the severity of which can vary widely between configurations? For example, is the MacBook's built-in WiFi also vulnerable? What about PowerPC-based Macs? Or Windows laptops?
* This attack used (effectively) a malicious base station. What network states make a computer vulnerable? Is the computer only safe if the WiFi is actually turned off, or is it safe when connected to a trusted base station? What about when it is attached to an encrypted network? Or does it depend on the particular hardware? What about configuring the computer to only attach to trusted networks?
* Is firewall software an effective defense against this class of attacks, or not?
In sum, is this really the huge problem that the headlines imply, or just a case of the hardware company (Apple) failing to test its device drivers with a particular third-party add-on that nobody is likely to install? Inquiring minds want to know.
(And in the meanwhile, the practical advice--turn off the WiFi when you're not using it--still stands. As a bonus, turning off WiFi extends the battery life of the laptop.)