The high-profile security conference season is usually enlivened by a few Mac attacks, Apple app attacks, and other euphonious assonances. While the most consistent source of such diversions is probably CanSecWest, Black Hat and Defcon often yield an interesting harvest from the Apple orchard too.
Charlie Miller is a veteran of CanSecWest and possibly a persistent thorn in Apple’s side, though I’d like to think that the company actually takes seriously his assurance to CNN that "I don't want to be their adversary. I want to have them fix stuff – and I want them to get better." While none of us like it when people pick holes in our work and products, informed criticism is sometimes a necessary incentive to improve.
CNN’s interest arises mainly from Miller’s Black Hat talk on battery firmware hacking, in which he presented a paper on his experiments with the smart battery controller that Apple (among other manufacturers) uses in many of its laptops: gaining access to the controller, reverse engineering its firmware and modifying it. He didn’t go as far as making a battery overheat, catch fire or explode, and in any case this isn’t likely to become a common attack, though if the idea worries you that much, he has made a patching tool available. (No, I haven’t tried it.) Bear in mind that rewriting a battery’s firmware is not something any vendor will support, and a patch that goes wrong can leave the battery unusable.
Miller’s research into battery battering has had quite a lot of publicity in the past few weeks, so I won’t discuss it further here, but his comments in the interview on the comparative security of Apple and other platforms are worth summarizing.
He asserts that when he started “this gig” four years ago, Apple products were far easier to hack (in the pejorative sense) than Windows, which is not exactly the common perception, even among those strange people who use PCs instead of (or as well as) Macs. However, he also says that Apple has caught up, and that Lion (OS X 10.7) and Windows 7 are now comparable in security terms, while he regards iOS as “definitely more secure than Android.”
Strangely enough, Tom Daniels, Aaron Grattafiori, BJ Orvis, Alex Stamos, and Paul Youn of iSEC Partners took a rather gloomier view in a presentation called Macs in the Age of APT. While they agree that OS X 10.7’s anti-exploit and sandbox technologies are in good shape, they argue that the same is not true of network security, citing pervasive authentication weaknesses in the server-side services. They claim that “OS X networks are significantly more vulnerable to network privilege escalation. Almost every OS X Server service offers weak or broken authentication methods.” And they conclude that you should “Run your Macs as little islands on a hostile network.” What does that have to do with APT (Advanced Persistent Threats)? The assumption seems to be that:
- A percentage of users within a targeted organization could be tricked into executing malware delivered as the first stage of such an attack. (Obviously possible, and obviously it happens.)
- Mac users may be more susceptible to social engineering, having been brainwashed into believing that Macs are invulnerable. Also possible, though I think that fewer people nowadays would use the term invulnerable.
- Malware that compromised one naive Mac user could then use the weak authentication of the network’s services as a stepping stone to escalate privileges and spread from that machine to the whole network.
Clearly, there are no impossibilities here. But how likely is a real-world attack like this? Well, never say never... If I were aiming to break into a network I knew to be Mac only or mixed Mac and PC, it’s certainly an approach I’d consider.