Apple software may not be as secure as we like to think. A security researcher based in Dunedin, of all places, has recently published some interesting Apple-related information about the security of Unique Device Identifiers in iDevices, and this has been picked up in the international press.
Aldo Cortesi is a security consultant for www.nullcube.com but the UDID work was not specifically commissioned by anyone but done in his personal capacity as a side-project, "motivated by mostly by curiosity".
The first set of UDID work he did has resulted in a class-action lawsuit against OpenFeint in the states.:
Cortesi feels a bit ambivalent about this: "on the one hand, the US legal system is clearly crazy, on the other hand, this kind of action might actually force the companies in question to change their ways."
In his latest article on his own blog, Cortesi describes a systemic failure in the way gaming/social networks use Apple UDIDs for single-sign-on. This problem affects more than 100 million users, all told.
Cortesi's previous research focused on OpenFeint and was covered in The Wall Street Journal, Der Spiegel, CNN Online, Wired and the Huffington Post.
The UDID is like an individual serial number permanently in every iPhone, iPad and iPod Touch. Any installed app can access the UDID without requiring your knowledge or consent. UDIDs are very widely used: in a sample of 94 apps Cortesi tested, 74 per cent silently sent the UDID to one or more servers on the internet, often without encryption.
Phone identifiers don't make very secure keys, so sites are using these phone identifiers as keys to the other information. In other words, UDIDs are not secret values.
Cortesi has so far confined his tests to Apple devices, studying seven major game networks, including Crystal, the game network of Chillingo (Angry Birds) and Zynga, maker of FarmVille.
If you use an Apple iDevice regularly, it's certain your UDID has found its way into scores of databases you're not aware of. Many developers seem to assume UDIDs are anonymous values, says Cortesi, and routinely use them to aggregate detailed and sensitive user behavioural information.
Cortesi gives an example: Flurry, a mobile analytics firm used by 15 per cent of apps he tested, can monitor application startup, shutdown, scores achieved and a host of other application-specific events, all linked to the users UDIDs.
Cortesi finds this a real concern: "I recently showed that it was possible to use OpenFeint, a large mobile social gaming network, to de-anonymise UDIDs, linking them to usernames, email addresses, GPS locations, and even Facebook profiles."
In experiments, Cortesi found that social gaming networks systematically misuse UDIDs, resulting in serious privacy breaches for their users. "All the networks I tested allowed UDIDs to be linked to potentially identifying user information, ranging from usernames to email addresses, friends lists and private messages."
There's a lot more nitty-gritty on Cortesi's blog.
There is hope for your security, though: "A few days after I notified the companies involved, it was revealed that Apple was quietly killing the UDID API. It will still be present in IOS5, but is marked deprecated, and will probably be removed in future."
He recommends developers shift away from using UDIDs now, rather than wait for formal removal of the API. Cortesi also cautions that replacement ID systems developers might add to their apps in place of Apple's UDID could have the same problems if developers don't use them in a secure way. "The challenge will be to make sure that the cure isn't as bad as the disease."
There are other problems with Apple devices, actually. FaceTime calls, which are like Skype with video iDevice/Mac to iDevices/Macs over WiFi networks, are encrypted, but only as long as you use the right type of connection. If your thought cell hone calls could be a source of trouble when taped, imagine the trouble CafeTime could get some couples into.
Apple issued the following response to those who questioned how secure FaceTime is:
"iPad supports WPA2 Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection." So WEP connections aren't so safe - WEP and WPA2 are forms of encryption common to wireless networks.
Read Cult of Mac's take on this here.
And Macs may not get any viruses, but they're not invulnerable either. Mac users can pass on PC viruses to PC users even if they don't affect their Macs in transit, so Mac users in mixed environments should seriously consider installing prophylactic software to stop that happening. It's good neighbourly. (Hopefully, your attitude isn't 'serves 'em right!')
There's the Target Disc Mode vulnerability, too. Apple computers have a unique boot option called Target Disk Mode which allows access to another system's hard drives via a Firewire cable in older Macs and a Thunderbolt cable in newer ones. This is fantastic for literally turning another Mac into a hard drive and copying large files across fast to your own ... however, anyone can do it to anyone.
You access Target Disk Mode by pressing and holding the T key while the system starts. Either the Firewire or Thunderbolt symbol appears on its screen - it doesn't boot up properly into OS X. Cult of Mac has more about this potential vulnerability, including advice about how to stop people doing it to you (of course, they have to have access to your Mac and the right cable, plus some time).
Probably more risky is a Lion vulnerability discovered by a security research firm. A flaw allows attackers to change your system password without any knowledge of its existing password. Ouch. Apparently a change to Lion's authentication system has somehow allowed non-root users to view password hash data.
Chester Wisnieski revealed in a post on the company's Naked Security blog it was Apple's decision to use a local directory service in OS X Lion has left permissions insecure.
It takes some knowledge - but hackers are hardly ignoramuses. An attacker who has access to a logged-in Mac (locally, over VNC/RDC or SSH protocols etc) is able to change the currently logged in user's password without knowing the existing password as would normally be required via the local directory service. Then they can lock you out - only they have access.
It's not that hard to prevent, and this goes for anyone who uses any connected device: use a secure password. For example, not '1234', '4321' and not 'admin' - mix up letters and numbers. Random is best.
Enable the screensaver and set it to prompt you for your password to use your Mac again after waking it from sleep (System Preferences>Security & Privacy under the General tab).
Disable automatic logon, so you have to put in your password every time you start up your Mac (System Preferences>Users & Groups under Login Options).
And finally, although it's kind of in the 'duh! category: never leave your Mac logged in and unattended - use a Hot Corner to lock your screen.
So yes, people, do take some elementary precautions and keep safe.
- Mark Webster mac-nz.com