Friday, March 25, 2011

Stealing Software Is Too Easy At The Apple Store

When building a secure system, you have to think about all the different ways that it can be attacked or compromised. Unfortunately, that is nearly impossible in today's world.

Defender's Advantage

Historically, defenders have the advantage. While modern military communications and mobility, referred to tactically as "shoot, move, and communicate", have slightly shifted the advantage to an attacker, a good defender will still have the upper hand. Think about how difficult it would be to break into the White House or Fort Knox and you can see how much of an advantage a defender has.

Cyber Security

When dealing with cyber security, the advantage is almost completely turned around since it lies with the attacker. There are so many different ways to launch an attack that a networked computer (including via "sneaker net") can't be fully defended against. It is so difficult to safeguard against all attacks that even industry experts such as HBGary and Steve Gibson are at the mercy of the attackers.

Apple Retail Store

I recently checked out the iPad 2 at an Apple retail store and I noticed it was a special demo unit since I couldn't move the app icons to different locations. Obviously, you don't want customers messing up the demo models. But, this got me thinking about how hard it would be for Apple to wall off the computers in the store which are running Mac OS X.

How To Pull It Off

The first thought experiment I conducted to steal software on the Mac, such as Microsoft Office or Adobe Photoshop, was to drop to the command line to tar and gzip the apps, then scp the apps to one of my servers. Obviously, this isn't a simple operation and anyone sophisticated enough to do it would probably realize they'd leave an audit trail.

MobileMe To The Rescue

As I thought more about it, I realized that each Mac on display in the Apple Store has a subscription to MobileMe. MobileMe comes with iDisk, and iDisk comes with a publicly accessible folder. Unlike a Windows application, which usually requires an installer to update the Windows registry, each Macintosh application's settings are stored under the system and user's preferences folder. If those configuration files don't exist when the application is first launched then they're automatically created. These configuration files usually contain any needed software licenses for basic installations, too.

You can probably see how the rest of this plays out. Simply drag a copy of an application, along with its preferences folders, to the iDisk's public folder and then access it from any other Mac, when you get home, and you now have a copy of Microsoft Office, etc. This is probably a key reason companies like Microsoft and Adobe have moved to a subscription based model

What Did I Steal?

What did I actually steal to test out this theory? Well, even in the name of investigative journalism, I saw an ethical issue with actually stealing anything in this case. Both my ethics training at college and my writing on this subject wouldn't allow it. But, as a test, I took a screen shot of a website, for which I own the copyright, and then dropped it on the iDisk's public folder. That's all there is to it.

Next Steps
For starters, don't actually try conducting the thought experiment that I outlined above. What can Apple do to prevent this? Simply setting the public iDisk folder to require a password would prevent this particular attack. Although, pointing out this vulnerability and its solution to a couple Apple Store employees didn't seem to sink in.

No comments: