Security Watch: Don't get burned by viruses and hackers
iPhone insecurity
By Robert Vamosi 
Senior editor, CNET Reviews
June 18, 2007

Apple excels in creative and innovative marketing. Often it's what they don't tell you that creates the most buzz. For example, we know next to nothing about the Apple iPhone. We know little about the new Leopard release of Mac OS X. Both have generated a lot of press, and so far the hype has succeeded in distracting everyone from a very real concern: the overall security of each. When you strip away all the creative marketing, when you take away the Steve Jobs-induced hype, what you have is a new mobile phone based around an operating system that is just as vulnerable as the next one. Trouble is, Apple isn't being as forthcoming about security as other vendors.

The naked iPhone
For the moment, iPhone will be running a version of the current Mac OS 10.4; in the fall, Apple will presumably upgrade its phones to the newer Mac OS 10.5. So far, the company seems to be rolling out a series of patches, one a month for the last year or so, which is good. Apple might, however, want to follow Microsoft's lead and standardize its releases to the second Tuesday of each month.

When flaws are patched, Apple often does not acknowledge the researchers who actually brought the vulnerability to its attention. Apple is known to be looking for more security researchers. It's not an ego thing; by working with the vendor to correct the vulnerability, researchers put in long hours, usually without compensation. A public "thank you" is more than enough. But that hasn't happened.

Shoot the messenger, why don't you?
Instead, Apple has created a history of attacking security researchers. Last summer, during BlackHat USA, security researchers David Maynor and Johnny Cache disclosed a wireless vulnerability using an Apple Computer Macbook. The team found that malformed network traffic could allow the laptop to be compromised, and they provided a video of the attack. The researchers did use a third-party wireless card for their video demonstration, but said repeatedly that the Apple Airport wireless driver was also vulnerable.

After BlackHat, Apple rebuked Maynor's employer, saying "despite SecureWorks being quoted saying the Mac is threatened, they have provided no evidence that it is." Apple orchestrated media attention toward third-party wireless device drivers, which is fine because those drivers were patched quickly. Two months after BlackHat, Apple quietly released a patch for a vulnerability that, if exploited, could have compromised the Airport wireless drivers in Macbooks. Apple forgot to mention David Maynor and Johnny Cache.

Reap the seeds that have been sown?
Ironically, it was another Apple vulnerability that put David Maynor in the news again this week. He was one of three independent security researchers who disclosed vulnerabilities within the new Safari 3.0 for Windows beta. Some of the flaws exist on the Mac OS as well. While the point of a beta is to ferret out the bugs on a variety of different machines before it goes final, some of the flaws disclosed in Safari this week were pretty easy to find. In other words, Apple could have found these vulnerabilities themselves during various alpha builds.

Rather than work quietly with the vendor, Maynor and the others made their findings public. A few weeks ago, I interviewed security researcher Chris Soghoian, who pointed out that disclosing an Apple vulnerability is almost a guarantee of a lawsuit. Instead, many security researchers would rather find a fault with another vendor. On the other hand, Maynor is rumored to have another Safari exploit primed and ready, one that works on both the Windows and Mac OS versions of Safari. It's ready to go once he gets his hands on an iPhone.

iPhone worries
Which brings us to the iPhone. Again, no one outside of an elite few has actually held an iPhone, yet there's legitimate concern about its security. But Jobs has said that it will be a closed operating system, meaning you cannot write mobile applications for it--directly. The carrot Jobs extended to the WWDC crowd was not a software development kit (SDK) for writing applications (which the developers I spoke to all wanted), but a way to write applets within the Safari browser.

As we have seen, security researchers were able to find fault with Safari 3.0 within days of its beta. Malware today is almost always financially motivated. The crowd that stands in line on June 29 for the 6 p.m. release of the iPhone has at least $500 to spend, more with the two-year contract to AT&T. These early adopters are going to load their iPhone with important contacts--maybe even download songs and movies that have value as well. In the end, the typical iPhone user may have a target on his back.

Below the surface
Even before the Safari announcement, the underlying Mac OS remains vulnerable, although by locking outside vendors out of writing code for the iPhone, the overall security risk could be lower than expected. Eric Chen, writing on Symantec's blog site, said back in January 2007 that the iPhone was prone to two types of vulnerability exposure. One, the Mac OS is based on Unix, and Unix has a number of well-known vulnerabilities that could also affect the Mac OS. While the incentive to exploit these exists today (to give Apple a black eye, not to mention wreak havoc on the Apple community), there's much greater financial incentive in waiting to go after the mobile version of Mac OS in July. Second, Chen worries about the rise of nonstandard software on the iPhone. I think that the latter is somewhat removed now that Safari will be the legit platform for ad hoc programmers.

From an IT perspective, say you want your workforce to switch over--what security guarantees do you have? Does the iPhone include auto update or an update button, or will there be a way to push out updates across the network so your employees can remain patched? And if there's a firewall included, does the user have the ability to tweak it or opt out? These are questions that will be answered in two weeks.

Can't really predict
Criminals today are not writing code to garner "greetz" from their 3l337 crew; they're targeting attacks aimed at the most profitable parts of the Web. Apple may not enjoy the 90 percent saturation of Windows, but of that 5 percent it does hold dear, the relative income of the Apple user base may be enough to finally make Apple a big target.

And of the percentage that purchases the very first iPhone with its two-year contract to AT&T, that too is a financially attractive group for criminals to attack. Given that they wouldn't want to risk compromising the iPhone with gnarly malware infections, Apple might see the light. Apple should stop attacking the messengers--the researchers--and change, as did Microsoft, by working with them. Maybe, with the popularity of the iPhone and Leopard OS, that will happen.

On 6/19/07, I clarified that Apple often does not credit security researchers and that it is looking to hire more security experts.

Are you planning to buy an iPhone? Does security enter into your decision? TalkBack to me.
