Apple Blows Security

3 minute read | Devil's Advocate

Apple is mismanaging security, and its quality assurance and attention to detail have gone to hell. Apple followed up the worst security botch ever—not securing the root account on High Sierra for 73 days—with what may be the second worst security botch ever. Namely, Apple didn’t correct the widely accepted misunderstanding that its AirPort routers were not afflicted with the KRACK Wi-Fi exploit. Some might call that a lie of omission. And oh yeah, it took them 57 days to fix it.

Reaching for Apple Security

Worst Security Botch Ever: TLDR No Root Password

In what could only be described as the worst security blunder in the history of commercial computing, Apple released macOS High Sierra on September 25, 2017. Unknown to users, that operating system shipped in a state where no password was required to gain superuser (root) access. This might be likened to leaving your front door open with a sign that says “Please, please rob me.”

If that were not bad enough, the we-dont-need-no-steenkin-root-password episode was followed by an update that patched the blunder on November 29, 2017. That was followed by another update, 10.13.1, on December 4, 2017, that undid the fix. Then came a “WTF is the state of my machine” week of no clarity. And finally, on December 6, 2017, the 10.13.2 update fixed the mess.

In other words, Apple shipped an operating system where the root account was insecure for 73 days. And from the time the vulnerability was announced, Apple bumbled for a full week before managing to close the vulnerability.

The Keystone Cops of Cupertino have decided to make it clear to the world that, in comparison, Microsoft—even in its heyday—were a bunch of rank amateurs at blundering security. To prove Apple’s now undisputed status, I present you with the Apple KRACK debacle.

Second Worst Security Botch Ever? The Apple KRACK Debacle

In October, the KRACK exploit uncovered what is perhaps the greatest security vulnerability Wi-Fi has ever had. A few router manufacturers came out with patches on day 1, while most vendors provided clear announcements that they would supply patches in short order.

Apple provided information to iMore, which reported that Apple routers were not vulnerable to the KRACK exploit. In short, Apple’s position regarding its routers seemed to be: “we-dont-need-no-steenkin-patches.” Now, 2 months later, Apple has released a patch for the KRACK exploit after allowing the world to believe its routers weren’t vulnerable to KRACK.

We really need to take a pause here—a moment of silence if you will—where you, dear reader, can imagine a dripping scatological screed of deep guttural derision and exasperation. ARE YOU KIDDING ME! YOU CANNOT BE SERIOUS! How could Apple let users believe their routers were invulnerable to such a serious exploit for so long?

So here are a few possibilities of how this might have happened:

  1. Apple’s routers were indeed invulnerable, but it still released a patch for the KRACK vulnerability, which doesn’t make much sense.
  2. Apple believed that its client devices might not be vulnerable, and as such, it didn’t matter that its router was vulnerable. That doesn’t excuse not informing users of a vulnerability that would still affect non-Apple client devices (e.g., your Android devices, Internet of Things devices, PCs, Xboxes, etc.) working through the unpatched Apple routers.
  3. Apple allowed this misrepresentation of its routers’ invulnerability to KRACK to persist knowing otherwise.
  4. Apple was so grossly incompetent as to not realize their routers were vulnerable.

Regardless of which of the above theories you subscribe to, it does not speak well of how Apple handled this.

Apple Needs To Get Serious About Quality Assurance & Security

What’s sad is that the above is not the full extent of Apple’s recent security and bug snafus. Many of these lapses simply evince a profound lack of caring. Apple needs to get super serious about quality assurance and security, and quick. The company should consider creating something like a ‘Senior VP of Quality Assurance and Security’ role, and it must fill it with someone who really knows the field and can add much-needed attention to detail and quality control. That is clearly and sorely needed without Steve Jobs’s exacting eye.

Right now, the best way to describe Apple security is “total $%*@ show.” With regard to the AirPort KRACK vulnerability, at best, it’s a disaster of miscommunication. At worst, it’s blithe incompetence.

Bartholomew J. Woodcocke

Alternative article title: “Apple Security Blows”.

jbruni

This is Tim Cook’s Apple, now. Remember, one of the first things he did was whack Scott Forstall from the ranks. Now that Cook has his everyone-gets-along leadership team, quality has gone to hell. Who cares? As long as Cook can rake in money and play politics, he’s happy.

lemon4611

After reading the comments it’s obvious that most of you like Apple don’t take security seriously. So be it. When you get bitten I’m sure you’ll have an epiphany… lol The author brings to light a serious issue at Apple and it’s not just security, it’s the sloppiness that has impacted OSX, IOS, WatchOS. Apple has not released a working OS that would have passed the Jobs Test in 2-3 years. One respondent even went with the “No one even knows what the root user is” which is such a flawed display of logic that it’s laughable. Credos to… Read more »

Greg Gehr

The link to the patch for Apple AirPort routers only includes Extreme base stations and Time Capsules. What about the AirPort Express? Is it patched, invulnerable, or inherently flawed and never to be fixed?

SuperTed

Are poor writing and heavy doses of snark now requirements for writers on this site, or are those qualities unique to Mr. Kheit?

Gero

90% of Apple’s customers don’t know who or what “root” is. They also don’t care how to access the system as a superuser. I have been a beta tester ever since the public beta program started. I have reported hundreds of issues to Apple. Never has it come to my mind to look at the “root issue”.

Mr. Kheit, you obviously haven’t noticed the flaw either.

So as we say in Germany: “Keep the ball flat”.

Greetings from Germany

cubefan

JustCause, not the FBI, the NSA are the government’s script kiddies. In case you hadn’t noticed, cyber attacks are the new normal [have been for quite a while], but it takes big hacks to get the journalist hacks of the daily newspapers to take notice. In Europe there’s a piece of legislation coming into force in May 2018 called GDPR [google it]; the penalties for losing customer data are big, huge, enormous, big enough to put ANY business in serious financial trouble. Not a slap on the wrist Talk-Talk style, half a million give or take. Tens of millions. This… Read more »

d'monder

So, what’s the solution?

A C-suite position, in charge of (and directly answerable to) quality and security?

Or is this a DNA problem that isn’t going to be fixed from the top?

JustCause

FBI isn’t the high bar in hacking and exploiting anything…

Son? Hahahaha

If you see a pattern, you must see patterns everywhere!

JustCause

Didn’t the bad guys need direct access to exploit the “No root password”? Isn’t it security 101 that direct access means your system is compromised no matter what?

KRACK was a WPA2 bug, so it impacted every router, and you needed to be specifically targeted, and it wasn’t an easy thing.

Mac Observer (The Apple Sky Is Falling website), just an idea for a new tagline.

Security should be taken seriously, but on a percentage basis I’ll put my money, again and again, on Apple until I see a legit pattern of security issues.

quakerotis

Where do you get your hyperbole pills? I’m running low, and my doctor has cut me off.