Last week saw the fourth occurrence of the Objective by the Sea (OBTS) security conference, which is the only security conference to focus exclusively on Apple’s ecosystem. As such, it draws many of the top minds in the field. This year, those minds, having been starved of a good security conference for so long, were primed and ready to share all kinds of good information.
Because of the control it exerts over its ecosystem, understanding Apple’s attitude to security—and it’s willingness to act as a security “dance partner”—are crucial to securing Apple systems, and developing Apple security software.
I was at OBTS, and this is what I learned about Apple’s current attitude to privacy, security, and communication.
Apple’s not great at working with security researchers
It’s no great surprise to anyone that Apple has a rocky relationship with many security researchers. Years ago, well-known researcher and co-author of the book “The Mac Hacker’s Handbook”, Charlie Miller, figured out how to get a “malicious” proof-of-concept app into the App Store, and reported this to Apple after having achieved it. His reward? A lifetime ban from Apple’s developer program.
This says a lot about Apple’s relationship with third-party security researchers. Unfortunately, things haven’t changed much over the years, and this is a constant cause of strains in the relationship between Apple and the people trying to tell it about security issues. During the conference, Apple got booed several times by the audience following reports from OBTS speakers of mismanaged bug reports and patches.
What is it that Apple has been accused of doing? There have been multiple offenses, unfortunately. First, a number of security researchers have reported getting significantly lower bug bounties from Apple’s bug bounty program than they should have earned. For example, Cedric Owens (@cedowens) discovered a bug in macOS that would allow an attacker to access sensitive information. Apple’s bug bounty program states that such bugs are worth up to $100,000. They paid Cedric $5,000, quibbling over the definition of “sensitive data.” (For the record: Cedric’s bug absolutely gave access to what any security researcher or IT admin would consider sensitive data… more on this later.)
Other researchers have reported similar issues, with significantly reduced payments for bugs that should have qualified for more. Further, there is often a significant wait for the bounties to be paid, after the bugs have been fixed—sometimes six months or more. Apple also had a tendency to “go silent,” not responding to researchers appropriately during the process of handling bug reports, and has repeatedly failed to properly credit researchers, or even mention important bugs, in its release notes.
All this leaves a sour taste in many researchers’ mouths, and some have decided to either publicly release their vulnerabilities—as in the case of David Tokarev, who published three vulnerabilities after Apple failed to act on them for many months—or to sell those vulnerabilities on the “gray market,” where they can earn more money.
Keep in mind here that Apple is one of the richest companies in the world. Paying out the highest prices for security bugs would be pennies compared to Apple’s yearly profits.
A patching myth busted
It has long been a rule of thumb that Apple supports the current system, plus the previous two, with security-related patches. Currently, that would mean macOS 11 (Big Sur), plus macOS 10.15 (Catalina) and macOS 10.14 (Mojave).
However, this is not something Apple has ever stated. I honestly couldn’t tell you where this idea came from, but I’ve heard it echoed around the Mac community for nearly two decades. Although researchers and some IT admins have questioned for years whether this “conventional wisdom” is actually true, many believe it. Josh Long (@theJoshMeister) did a lot of research into this, and presented his findings at the conference.
There have been many bugs in the last year that were fixed for only some of the “current three” systems. This was known to a degree, but Josh’s data was eye-opening as to the extent to which it was happening. Folks who were aware of some of these discrepancies theorized that some of these bugs may not have affected all three systems, and that may explain why patches were never released for them.
However, Josh was able to track down security researchers who had found these bugs, and confirmed that, in at least one case, Mojave was affected by a bug that had been patched in Catalina and Big Sur only. There were a number of other instances of similar bugs, left unpatched on different combinations of systems.
Thus, we know now that this rule of thumb is false. This confirmed many people’s suspicions, but there are many others who have continued to believe in the myth. It’s echoing around Apple’s own forums, among other places.
The fact that this speculation persisted for years, and that research was even necessary to prove it false, is a major failing on the part of Apple. Microsoft tells its users whether a system is still supported or not. Why can’t Apple do the same? Staying silent, and allowing people to believe the myth of the “three supported systems,” means that some machines are left vulnerable to attack.
At this point, you should assume that only the most current system—Big Sur at the moment, but soon to be Monterey—is the most secure system, and that there may be known vulnerabilities left unpatched in all others. This means you should feel a bigger sense of urgency at upgrading when a new system like Monterey comes out, rather than waiting for months to upgrade.
Apple loves privacy, but you can still be tracked
Apple is well-known for its strong stance on privacy. (I say that as if Apple isn’t well-known otherwise, and you might say, “What’s the name of that company that really likes privacy?”) However, we heard plenty of talk about data access and tracking despite this. (Or maybe because of Apple’s views on privacy, it’s more interesting when we learn how to violate it?)
Eva Galperin (@evacide) talked about how stalkers can track you on iOS, despite Apple’s protections. From a technical perspective, spyware—defined as software running on the device that surveils and tracks you—is not much of a thing, because of Apple’s restrictions on what apps can do, plus the fact that you can’t hide an app on iOS.
However, Eva showed how spyware companies are nonetheless capable of enabling you to creep on your ex. Many of these companies provide web portals where you enter your stalking victim’s Apple ID and password, which enables tracking via iCloud’s features. iCloud email can be read, as well as notes, reminders, files on iCloud Drive, and more. Find My can provide the victim’s location. Photos synced up to iCloud can be viewed. And so on.
You might say, “But wait! This requires me to know my victim’s Apple ID password, and have access to their two-factor authentication! Therefore, this is a non-issue.”
However, keep in mind that in many domestic abuse situations, the attacker has exactly this kind of information. Further, Apple ID credentials can easily be found in data breaches, for potential victims who have used the same password for Apple ID that they’ve used elsewhere, and there are techniques attackers can use to capture two-factor authentication codes.
Plus, let’s all remember the situation a few years back where someone was able to trick Apple support into helping them gain access to celebrity accounts, in order to steal their nude photos from iCloud.
On a different topic, Sarah Edwards (@iamevltwin) talked about the Apple Wallet. As a forensics expert, Sarah has a deep understanding of data and how to access it, and demonstrated the kind of data that could be obtained with access to iPhone backups. If an attacker could gain access to those backups, there’s a wealth of information about your daily activities, places that you frequent, and many other things to be harvested.
Apple has gone bananas… and who is Keith?
The most amusing part of the conference came during Sarah Edwards’ talk, when she discussed the data found in a particular database for Apple Wallet. This database contained hundreds of tables, and most of them were named after fruit. Yes, you heard me correctly—bananas, oranges, lemons, …durians! These are all the names of tables in a database relating to your wallet.
On first glance, this is quite puzzling. But it does make a certain amount of sense. If you’re trying to extract some data from this database, you’re going to have to put in a lot of work to figure out how to find it. The table names are not going to help you at all. That’s a pretty good thing, although I don’t envy the developers who have to keep all those databases straight. (“Where did we put the data on library cards again? Oh, yeah, in ‘kiwis!'”)
Although many of those tables are still a mystery, Sarah had been able to determine the purpose of some of them, through experimentation and observation. Still, many tables contained only things like identification numbers and timestamps, which by themselves are meaningless.
(As an aside, if the “durians” table doesn’t contain information relating to pay toilet transactions, I’ll be extremely disappointed!)
All privacy-related discussions aside, these table names remind me of Apple’s fun and playful side, which we so rarely get to see these days. Everyone knows Apple’s secretive facade, and security researchers often experience Apple’s sharp edges.
However, long-time Apple users know and love the “fun Apple.” This is the Apple that inscribed the signatures of all the engineers on the inside of the early one-piece Mac cases, where only a few would ever see them. Or the Apple that included a calendar file containing a history of Tolkien’s Middle Earth hidden in every copy of macOS. Or the Apple that used to Rickroll you on their Apple Watch support page!
Especially amusing was the discovery that, buried in the midst of all the fruit, there was a database simply named “keith.” Who is this Keith, and why is he in the wallet? Inquiring minds want to know!
For all of Apple’s flaws that we love to complain about, the discovery of this database brought back memories of the Apple that I love, and reminded me that it’s not just a faceless corporation, but is also a company full of people who also know and love the same Apple that I do.