Apple’s Security Flaws: Are you Paranoid Enough Yet?
It’s hard not to be paranoid about technology these days, what with the constant onslaught of data theft, zero-day exploits, malware botnets, and run-of-the-mill security vulnerabilities.
Add into that mix the ongoing revelations aboutNSA snooping and the complicity of RSA and other tech vendors in its surveillance agenda, and it’s no surprise that the latest cases of technical eavesdropping — a major SSL vulnerability in iOS and OS X and an iOS flaw that allows malicious apps to record touchscreen presses – brought a maelstrom of criticism and scrutiny down on Apple.
While Apple promptly issued an iOS patch for the
gotofail SSL bug, which left users vulnerable to man-in-the-middle attacks that monitor and record everything that transpires on unsecured public networks, it was another four days before the company shored up defenses in OS X Mavericks. “How difficult is it to release [a fix] for OS X?” asked Andrew Storms, director of DevOps at security firm CloudPassage. “Shouldn’t it have been out an hour later?”
It turns out that embarrassing security hole in the OSes’ implementation of basic Internet encryption had existed since September 2012. It didn’t take long for Apple/NSA conspiracy theories to gain traction. Security experts at this week’s RSA Conference openly speculated whether the vulnerability was a backdoor deliberately inserted for surveillance purposes — a clear sign, says NetworkWorld’s Ellen Messmer, that anxiety about state-sponsored surveillance is running high.
“One line of code — was it an accident or enemy action? I don’t know, but it’s the kind of bug I’d put in,” Bruce Schneier, CTO at Co3 Systems, said about the flaw during his presentation on government surveillance at the conference. The NSA is involved in aggressive mass surveillance, he said, and “are going to take any means necessary — including finding ways to put backdoors into commercial products, such as by code tampering.”
Daringfireball’s John Gruber sees five levels of paranoia in SSL hole theories:
- The NSA was not aware of this vulnerability.
- The NSA knew about it, but never exploited it.
- The NSA knew about it and exploited it.
- The NSA itself planted it surreptitiously.
- Apple, complicit with the NSA, added it.
While Gruber identifies himself as a 3, he also considers that optimistic, given that the SSL flaw was introduced in iOS 6, which shipped in September 2012, and in a leaked PowerPoint on NSA’s PRISM surveillance program, Slide 6 described Apple as “added” as a data collection provider in October 2012.
When, on the heels of the SSL furor, security vendor FireEye revealed a vulnerability in iOS that allows the touchscreen equivalent of keylogging for apps running in the background on devices like iPhones and iPads, many were — again — quick to ask whether it was a simple coding mistake or a backdoor. “We have no evidence [it is a backdoor], but we suggest this is a possibility,” said Tao Wei, senior staff research scientist at FireEye.
In this atmosphere of heightened anxiety, perhaps security vendor CrowdStrike should have received a personal foul for piling on when it demoed an Apple OS X computer being deep friedin the course of a hack at the RSA Conference. CTO Dmitri Alperovitch showed how by targeting the machine’s APC embedded controller with a fake firmware update he was able to spike the CPU and turn off the fans. Alperovitch warned that enterprises should expect this type of cyber attack — “an attack that is not recoverable in terms of data or the machine itself” — in the future. “This is the next-generation permanent destruction,” CrowdStrike’s CEO George Kurtz concurred. “We are entering a new age of targeted destruction attacks.”
Meet the brave new world, a world where you’re thankful it’s “just” your data that’s snatched, and not your entire machine gone up in smoke.