Apple Just Doesn’t Get It | Apple and Security


Apple doesn’t believe in Security?

As I said nearly two months ago, in my blog post here, "I am concerned about the attitude by Apple which suggests complete laxity, and indeed, abhorrence, of the concept of Information security." I also pointed out that, having hit the milestone of 40 million iPhones, Apple is now positioned to become a major, sexy target for computer hackers and malefactors.

As I feared when I wrote:

"Oh, what happens if (or when) a Cracker finds that code or connects remotely to your cell/wifi enabled phone and does the trick for you?"

Less than a month later, code was revealed that would let attackers run software on the phone, sent by SMS, and allow them to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet. Sigh.

And, of course, when you combine the above with the statement I made about "Steal a Phone, get a CAR!”, just imagine what can happen now….

So, Apple, it is nice that you put an encryption chip in the phone. But without proper testing and validation, what you get is this (from The Register):

"A researcher has delved into the encryption used to protect content on the iPhone 3GS, only to claim it is "entirely useless" and that he had "[never] seen encryption implemented so poorly before"."

It is nice that you, Apple, spend time making sure that iTunes does not get "mis-used" by such "evil" devices as the Palm Pre. But you are not going to be taken seriously by Corporate America until you show more attention to Risk and Security. Now that over 40 million devices are out there, you really should.

Better yet: contact me. I will fix it for you.

The Trouble with Tribbles Apples

I will admit it: I want an iPhone.

I do not have one, and I will not have one until it is available in the USA from a better quality-connection company than AT&T Wireless. I will also not have one until it will be more of a business tool, rather than a toy. Not that I wouldn’t want to toy with it…

This post relates to the iPhone (old, 3G and 3GS), and it is written in the shadow of yesterday’s announcement by Apple of certain new features for the Mac OS (to be called Snow Leopard), for Safari, and for the iPhone 3GS.

I have nothing against Apple. One of my first computers was an Apple IIe. I taught C on the Apples and even some Logo (see Wikipedia article). And by all accounts, Apple is both a great place to work and, arguably, the best marketing company in the world today.

What I am concerned about is the attitude, both by Apple and by its users, which suggests complete laxity, and indeed, abhorrence, of the concept of Information security.

Let’s start with the users:

True, in the past, Apple machines have not been the choice of attack for computer hackers. Some of it, if not most, was simply because the ratio of “Wintel” machines to Apples out there was such that a Cracker (malicious hacker) would build their reputation much faster, by sheer number of machines affected by their hack, when they attacked Windows-based machines. This fact affected the number of known hacks for Macs and related devices and also created an aura of invulnerability that is simply wrong. Here is an example:

Just last year, a Mac with Leopard was hacked in under 30 seconds when it was taken out of the box. (Info Here)

When asked, the “researcher” (read: hacker) who did that said simply: “Every time I look for [a flaw in Leopard] I find one. I can’t say the same for Linux or Windows”.

This is just one example of just how easily Macs are Pwned (Owned, in Hacker-speak). If a known security “researcher” makes the statement above, should you be cautious?

Further, Macs have viruses too. Mac Virii are not new. The focus of virus writers (who should all be damned to hell) has also not been Macs. Neither glory nor income was to be had with Macs, not when comparing the number of Macs out there to the green fields of PCs.

The situation has changed: today most Wintels have antivirus, firewall and all kinds of (frequently too invasive and bloated) protection software. But… many Macs do NOT. Guess what’s going to happen? Well, it is happening already. Kidlets are using easily available virus writing tools (yep, kinda word processors for Dr. Evils) to create customized versions of Mac Virii for public “enjoyment”.

Here, Apple’s success has not helped it. Au Contraire…

One of Apple’s announcements yesterday was that they hit 40,000,000 (that’s forty MILLION) iPhones sold. If the iPhone were a record (a kind of plasticized large CD, for the unwashed 😉 ) it would have gone Platinum 40 times over (in the USA). Clearly, a very successful product. What do you think is happening now in the realms of Crackers?

And when those are successful… beware.

Now let’s discuss yesterday’s announcements in further detail, with a view towards Apple, the company:

In the past few months, Apple has seemed to adopt some plays from Microsoft’s, and even Sony’s, playbooks. These are not good things (note, this list is not meant to be comprehensive):

  • Six months after announcement, a security hole reported in Apple’s implementation of Java has not yet been fully addressed (details here, thank you, Computerworld)
  • Apple threatened to, and then indeed did, expire those users who Jailbroke their iPhones, allowing utilities and programs not sold thru iTunes to be used on their phones. It then proceeded to argue in front of the US Copyright Office that doing so is breaking the law.

The Electronic Frontier Foundation, a privacy think tank in DC, released a statement by Fred von Lohmann, an EFF senior staff attorney who is the organization’s expert in intellectual property law:

“Apple justifies [its position] by claiming that opening the iPhone to independently created applications will compromise safety, security, reliability and swing the doors wide for those who want to run pirated software,” said Lohmann in an entry posted to an EFF blog. “If this sounds like FUD [fear, uncertainty and doubt], that’s because it is.” (Thank you, ComputerWorld)

  • The Apple “surprise” protocol, Bonjour, which is included without warning in all iTunes downloads, creates its own security holes in existing firewalls. And no… it does not bother to ask permission first…
  • QuickTime’s installations are repeatedly rife with more and more security holes that Apple fails, sometimes for months, to patch.
  • Apple’s other iTunes surprise, Apple Update, is so intrusive on Windows XP machines that users often ask on the web for help on how to disable it… which is not a straightforward thing to do.
  • But the worst sin? If you ask me, the worst sin is Pride. Recently Apple deleted a recommendation to owners of Macs to install an antivirus tool, again claiming that “Apple devices are safe right out of the box.”

I said it before: the only way to 100% guarantee the security of any computer is to take out the drives, encase it in cement, drop it in the deepest part of the ocean (Mariana Trench), and even then it is not 100% secure.

Get off your high horse, Apple.

And now more on yesterday’s announcements

Apple made quite a few announcements yesterday. I want to focus on just a few of them. And thanks to Engadget for the photos.

Firstly, look at this picture: as announced by Apple, you could connect (via the web, one assumes, or by asking AT&T, if in the USA) to your lost or stolen iPhone and cause all the data on it to be deleted. …

Erase All

…Nice. Good. Oh, what happens if (or when) a Cracker finds that code or connects remotely to your cell/wifi enabled phone and does the trick for you?

How about the announcement that a physician is using the iPhone 3GS to monitor the vital signs of his patients:

Assuming for the moment that this technology will be used to monitor more than just one individual… What are the HIPAA implications of this? Of losing a phone? What would happen in the next iteration, when related software could be used to CONTROL medical devices?

And finally, my favorite.

I title this: “Steal a Phone, get a CAR!” (today only!)

Apple, together with ZipCar, showed off a tool allowing the user to pay for and unlock the doors of a ZipCar. This is a really nifty application. It shows where the cars are, allows you to navigate to them and then, pfft, presto unlock, the doors open.

Can you imagine the poor soul who lost their iPhone, or had it stolen, only to find out about 2342 traffic tickets and a bill for 500 hours of car driving?

And all of this from a company that has YET to create the position of a Chief Security Officer. A company with the attitude shown above.

Note: I love toys. For business, however, I believe that proper risk assessments and thought should be given prior to wide scale adoption of any new technology.