Uncharted Waters

Feb 11 2019   5:02PM GMT

Apple Security and the Internet

Matt Heusser Matt Heusser Profile: Matt Heusser

Tags:
Apple
iPhone
Security

It’s a running joke that the internet is held together by duct tape, bailing wire, and bubblegum. There may be some truth in that, because when it comes to security, it is undeniable.

The world-wide-web was invented at CERN, a physics laboratory in Switzerland. Before the web you’d go to a library, pick up a journal, read an article and select the next journal from the footnotes. Two weeks later your journal would arrive and you’d start the process all over again. Time consuming? Absolutely! The brilliant idea was to take all those footnotes at the end of the paper and link them together with the click of a button. HTML, the basic language of the web, is a hyper-text markup language. Everything else added to the web – the java-script, CSS, APIs, the cookies and authentication systems, are grafted on.

That’s a good thing. Tools like WordPress make it possible to put a site together in minutes, built on top of those technologies. We re-use all sorts of code libraries, in the hope that frequent patching will be good enough. If the patching isn’t good enough, well, everyone else has patched up systems, too. Hopefully, the bad guys, who search for security bugs for the sheer joy of it, will target someone else, like a bank.

This complexity problem hit Apple’s iPhone, which just might mean it hit your iPhone.

The iPhone Security BugSecurity Camera

Last week my colleague Richi Jennings broke a story where Facetime users can hear the other side of a call before pickup. This means you could call into a private meeting, possibly an interview, and listen to what people are saying. That is before the phone is picked up, while they are discussion if they should pick up. How wonderful and convenient! You can call and listen to the other side of a negotiation. Or call to catch a partner you suspect is cheating. This is not “conversation,” as much as eavesdropping. The process is as easy as adding yourself to a group call, which allows you to hear the microphone of the person you are calling.

The fix rolled out yesterday, eleven days after Benjamin Mayo published the steps to exploit the defect.

It’s tempting to think this isn’t that bad. It only took eleven days for Apple to roll out the fix, and in that time, if the bad guys targeted anyone, it was probably a bank.

Except, of course, banks are where we keep our money, too.

A Brief History of Breaches

Broken Can

As a former Army Reservist, my name was in a department of Veterans Affairs (VA) database. So were 26 million other people. The information in that database included dates of birth, home address, and social security number. In 2006, a VA staffer took a hard drive with that entire data dump home on an unencrypted hard drive. As you probably guessed, the hard drive was stolen. I got a letter in the mail telling me to look out for identity fraud. The 26 million people affected included close to 10% of the population of the United States.

Forty-one million people using credit cards at Target were exposed in the company’s 2013 breach. Equifax’s data breach in 2017, affected 149.7 million people exposing their addresses, driver’s licenses, phone numbers and more. As the list grows, so does the number of people impacted.

Again, the reality is today’s systems are built on top of an infrastructure that was not designed with security in mind. Http is inherently insecure. Https, security certificates, and every other system built are designed with force locks and keys on top of a system that assumed, naively so, that everyone should have access to all information that exists.

In knowing this, and having a plan, can give us an edge.

What To Do

Tomorrow's SecurityYou don’t need to be a security expert to find security system problems before they can be breached. Usually, they are obvious and egregious, but only if you are willing to admit they exist. DeMarco and Lister call willfully turning a blind eye to the truth “dead fish.” In fact, the Apple security bug was found by a fourteen year old high school student. I suspect that plenty of people on the iPhone team could have found that bug — it just wasn’t their problem regardless of how much the dead fish stunk.

Look around, keep your eyes open, and you’ll see the duct tape, bailing wire and bubble gum sticking out all over internet security.

When you open your eyes and see the problems, you suddenly become very powerful … and a little bit dangerous.

More to come.

 

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: