Apple Blows Security

Reaching for Apple Security

Apple is mismanaging security, and its quality assurance and attention to detail have gone to hell. Apple followed up the worst security botch ever—not securing the root account on High Sierra for 73 days—with what may be the second worst security botch ever. Namely, Apple didn’t correct the widely accepted misunderstanding that its AirPort routers were not afflicted with the KRACK Wi-Fi exploit. Some might call that a lie of omission. And oh yea, and it took them 57 days to fix it.

Reaching for Apple Security

Worst Security Botch Ever: TLDR No Root Password

In what could only be described as the worst security blunder in the history of commercial computing, Apple released macOS High Sierra on September 25, 2017. Unknown to users, included in that operating system was that no password was required to gain super user root access.  This might be likened to leaving your front door open with a sign that says “Please, please rob me.”

If that were not bad enough, the we-dont-need-no-steenkin-root-password episode was followed by an update that patched that blunder on November 29, 2017. That was followed by another update, 10.13.1, on December 4, 2017, that undid the fix. That was followed by a “WTF is the state of my machine” week of no clarity. And then that was followed, finally, with a 10.13.2 update on December 6, 2017 fixing the mess.

In other words, Apple shipped an operating system where the root account was insecure for 73 days. And from the time the vulnerability was announced, Apple bumbled for a full week before managing to close the vulnerability.

They Keystone Cops of Cupertino have decided to make it clear to the world, that in comparison, Microsoft—even in its hey day—were a bunch of rank amateurs in blundering security. To prove Apple’s, now, undisputed status, I present you with the Apple KRACK debacle

Second Worst Security Botch Ever? The Apple KRACK Debacle

In October, Wi-Fi experienced the uncovering of, perhaps, its greatest ever security vulnerability with the KRACK exploit.  A few router manufacturers came out with patches on day 1, while most vendors provided clear announcements that they would supply patches in short order.

Apple provided information to iMore, who reported that Apple routers were not vulnerable to the KRACK exploit. In short, Apple’s position regarding its routers seemed to be: “we-dont-need-no-steenkin-patches.” Now, 2 months later, Apple released a patch for the KRACK exploit after allowing the world to believe its routers weren’t vulnerable to KRACK.

We really need to take a pause here—a moment of silence if you will—where you, dear reader, can imagine a dripping scatological screed of deep guttural derision and exasperation. ARE YOU KIDDING ME! YOU CANNOT BE SERIOUS! How could Apple let users believe their routers were invulnerable to such a serious exploit for so long?

So here are a few possibilities of how this might have happened:

  1. Apple’s routers were indeed invulnerable, but it still released a patch for the KRACK vulnerability, which doesn’t make much sense.
  2. Apple believed that its client devices might not be vulnerable, and as such, it didn’t matter that its router was vulnerable. That doesn’t excuse not informing users of a vulnerability that would still affect non-Apple client devices (e.g., your Android devices, Internet of Things, PCs, Xboxes, etc.) working through the un-patched Apple routers.
  3. Apple allowed this misrepresentation of its routers’ invulnerability to KRACK to persist knowing otherwise.
  4. Apple was so grossly incompetent as to not realize their routers were vulnerable.

Regardless of which above theory you subscribe to, it does not speak well of how Apple handled this.

Apple Needs To Get Serious About Quality Assurance & Security

What’s sad is the above is not the extent of all Apple’s recent security/bug snafus. Many of these lapses simply evince a profound lack of caring. Apple needs to get super serious about quality assurance and security, and quick.  The company should consider creating something like a ‘Senior VP of Quality Assurance and Security’ role. And it must get someone who really knows the field to add much needed attention to detail and quality control. It is clearly and sorely needed without Steve Jobs’s exacting eye.

Right now, the best way to describe Apple security is “total $%*@ show.” With regard to the Airport KRACK vulnerability, at best, it’s a disaster of miscommunication.  At worst, it’s blithe incompetence.

18 thoughts on “Apple Blows Security

  • This is Tim Cook’s Apple, now. Remember, one of the first things he did was whack Scott Forstall from the ranks. Now that Cook has his everyone-gets-along leadership team, quality has gone to hell. Who cares? As long as Cook can rake in money and play politics, he’s happy.

  • After reading the comments it’s obvious that most of you like Apple don’t take security seriously. So be it. When you get bitten I’m sure you’ll have an epiphany… lol The author brings to light a serious issue at Apple and it’s not just security, it’s the sloppiness that has impacted OSX, IOS, WatchOS. Apple has not released a working OS that would have passed the Jobs Test in 2-3 years. One respondent even went with the ” No one even knows what the root user is” which is such a flawed display of logic that’s it’s laughable. Credos to the author for taking Apple to task, they deserve it.

  • The link to the patch for apple airport routers only includes extreme base stations and time capsules, what about the airport express? Is it patched, invulnerable, or inherently flawed and never to be fixed?

  • 90% of Apples customers don’t know who or what “root” is. They also don’t care how to access the system as a superuser. I am a beta tester ever since the public beta program started. I have reported hundreds of issues to apple. Never has it come to my mind to look at the “root-issue”.

    Mr. Kheit, You obviously neither have noticed the flaw.

    So as we say in Germany: “Keep the ball flat”.

    Greetings from Germany

  • @Justcause, not the FBI, the NSA are the governments script kiddies.

    In case you hadn’t noticed Cyber attacks are the new normal [have been for quite a while] but it takes big hacks to get the journalist hacks of the daily newspapers to take notice.
    In Europe there’s a piece of legislation coming into force in May 2018 called GDPR [google it], the penalties for losing customer data are big, huge, enormous, big enough to put ANY business in serious financial trouble. Not a slap on the wrist Talk-Talk style half a million give or take. Tens of millions.
    This is making all businesses in Europe, Britain included [as GDPR is being adopted regardless of any other changes] SIT UP AND TAKE NOTICE. Any US business with a presence in Europe is also impacted.

    @Apple – you are sleeping on the job, a reputation takes years to build, and seconds to destroy.

    Cyber security will be, for the foreseeable future, simply be a cost of doing business, like having lawyers and accountants.

    Makes Cyber a good career choice as the experience and skills are as rare as rocking horse manure.

  • So, what’s the solution?

    A C-suite position, in charge of (and directly answerable to) quality and security?

    Or is this a DNA problem that isn’t going to be fixed from the top?

    1. I think it’s worth a try to get someone in that really knows security super well. To build an infrastructure that constantly tests, beats the snot out of software, looks at details, and has a seat at the table with designers to point out detail flaws to nip them in the bud.

      It’s fair to say that might fail, and it might, but it might be worth trying. There are probably better ideas than that, but I threw that one out, as off the top of my head.

      I worry that it could be what you note, a change in the DNA where this becomes the new normal. I hope not, but their recent performance has me worried.

  • I’ll take your comment on the FBI as admission of failed argument.

    Just a figure of speech, dont read into it too much.

    And yes, as most human beings capable of both inductive and deductive reasoning ought.

    Cheers! 😀

  • @Just cause, and no, you didn’t need direct access. If your computer had remote services turned on, then anyone could remotely own your computer through the root bug.

    And if direct access is such a trivial bar, then please let the FBI know that it should have no problem opening all those iPhones that they have ‘direct access’ to sans user, much less, root password access.

  • @JustCause, way to miss the point. Yes everyone was subject to it. But you know what everyone but Apple did. Said, ‘hey, our router is vulnerable, we’ll fix it soon.”

    In contrast, what did Apple do? Let you believe you were not vulnerable, failed to inform you that you were vulnerable, then took orders of magnitude more time than even schlocky companies to actually fix it.

  • Didn’t bad guys need direct access to exploit the “No root password”, isn’t security 101, direct access means your system is compromised no matter what!

    KRACK, was a WPA2 bug, so it impacted every router and you needed to specifically be targeted and it wasn’t an easy thing.

    Mac Observer (The Apple sky is falling website), just an idea for a new tag line

    Security should be taken serious, but on a percentage basis I’ll put my money, again and again on Apple until I see a legit pattern of security issues.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.