SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 124: Returning to the Nest

Posted on February 7, 2019

This week, a return to form — at least in terms of format. We’ve got follow-ups on stories from previous weeks for you, but we’re also hitting some big stories in security news this week. That includes another major event concerning Apple security and the ongoing tension over its bug bounty programs (or lack thereof), while smart home device maker Nest tries to smooth things over and assure users that yes, everything is absolutely fine! Those stories and in-depth discussions about them feature on today’s Checklist, which includes:

  • A Keychain Security Standoff with Apple
  • Following Up on the Facebook and FaceTime Stories
  • Nest Tries to Un-Ruffle Some Feathers

We’ve got a packed episode today, so let’s get things started. What’s going on with Apple now?

A Keychain Security Standoff with Apple

According to a piece coming out of MacRumors, a security researcher has gone a bit rogue because of a beef with Apple over their bug bounty program. Linus Henze, a known German researcher, went public this week with a zero-day exploit for macOS. He’s calling it “KeySteal,” and he’s uploaded a video showing it in action. With just a single keypress, he’s able to instantly reveal all the passwords stored inside the macOS Keychain — something that is ostensibly meant to be one of the most secure features in the entire system.

We don’t know exactly how it works, because although Henze revealed the exploit as a zero-day (meaning he did not tell Apple about it before release), he is also not sharing the technique with anyone. That includes the Cupertino tech giant, too; Henze has left Apple in the dark about how the bug works, too.

While Henze did say that the exploit is somewhat similar to a flaw uncovered by Patrick Wardle last year, it utilizes a different attack method. Henze’s KeySteal app does not require users to run software as administrator, nor do they need to possess or set any special system privileges; the app “just works,” as Apple likes to say. While just a proof of concept, one could easily imagine a way for the exploit to find its way into real malware someday.

So why would a “white hat” researcher release a zero-day, which is usually considered a scorched earth tactic? 

“Blame Apple,” Henze says, for their lack of a macOS bug bounty program. If you’ve been listening to the Checklist for a while now, you probably know that while Apple runs an invitation-only bug bounty program for iOS, there is no such program in place for macOS. Not only that, but Apple’s bug bounty system is notoriously difficult to work with, creating further consternation among researchers attempting to contribute in a positive way to the hardening of Mac security. Speaking to Forbes, Henze said the following:

“Finding vulnerabilities like this one takes time, and I just think that paying researchers is the right thing to do because we’re helping Apple to make their product more secure.”

So, what is there to unpack about this story? First, for users, there’s not much to worry about right now; best practices should keep us safe. Since this exploit depends on a rogue app to execute the bug, users simply need to continue to take care not to install and run untrusted software from unknown vendors. Remember that there are built-in security settings to macOS governing what apps you can download and install. 

These settings include “App Store Apps Only,” which is the safest setting to use; “App Store and Trusted Developers” is the next level down. For some who use software from third parties you’ve trusted for a long time, this is the way to go, but be aware of the potential risks. There is a third “wild west” option now hidden in the system, but it is not worth the trouble or risk of enabling for the average user. 

While the exploit could make its way into an actual app, that seems unlikely right now, especially with no clear details on the “behind the scenes” mechanics of KeySteal. So, it’s a splashy story, and certainly a wake-up call for Apple, but it is not a direct threat to users right now.

Now, here’s the second part of this story: Apple’s bug bounty programs. Say what you want about the tactics Henze used, it’s certainly been effective at restarting the conversation surrounding the lack of a bug bounty for macOS. In fact, we’ve heard so many complaints from researchers on this topic over the past year that it seems almost silly that Apple has not put in the time and effort necessary to overhaul their system to be more in-line with the way the rest of the industry operates. 

Not everyone agrees. On Twitter, some called Henze’s move “garbage,” and insisted he should have followed proper channels, using follow-ups with Apple to discuss the need for the bug bounty. In other words, hand over the work for free and hope the company decides to keep paying attention to the researcher later.

So far, that’s not a winning strategy. Apple already had to be shamed into paying the winners of the #ShotOniPhone contest it ran at the start of the year, and we’ll shortly discuss how it seems they’ve been shamed into paying out a bounty to the teen who discovered the Group FaceTime bug we talked about last week. While some in the security community alleged that Henze was holding users hostage for his own “entitlement” by releasing a zero-day, it leaves us to wonder what’s it going to take to get Apple to stop ignoring the consensus opinion about a macOS bounty program. Of course, maybe Apple will ignore Henze anyway and fix the issue quietly.

If we see developments here, we’ll be sure to bring you an update in a future episode. 

Following Up on the Facebook and FaceTime Stories

Moving on, let’s follow up on one of the stories covered in last week’s Checklist —Group FaceTime.

Last week, Apple said they would have a fix for the bug out in short order… but it hasn’t materialized yet. If you don’t remember what the bug was, be sure to head back and check out Episode 123, but here’s the gist: it let you eavesdrop on a Group FaceTime call recipient even if they never pressed “accept” on the call. After the story broke, Apple took the Group FaceTime servers offline and said that it knew what was wrong and was working on a fix.

By Friday, though, Apple issued a statement admitting that it was not going to meet its original deadline for a fix. The company also tried to correct some PR missteps from earlier in the week by thanking the Thompson family, the individuals responsible for discovering and attempting to report the flaw before it became public. Here’s what Apple’s statement to VentureBeat said:

“We have fixed the Group FaceTime security bug on Apple’s servers, and we will issue a software update to re-enable the feature for users next week. We thank the Thompson family for reporting the bug. We sincerely apologize to our customers who were affected and all who were concerned about this security issue. We appreciate everyone’s patience as we complete this process.

We want to assure our customers that as soon as our engineering team became aware of the details necessary to reproduce the bug, they quickly disabled Group FaceTime and began work on the fix. We are committed to improving the process by which we receive and escalate these reports, to get them to the right people as fast as possible. We take the security of our products extremely seriously, and we are committed to continuing to earn the trust Apple customers place in us.”

Of course, by press time for this week’s episode, there was still no patch yet available. It’s looking like the bug might be more of a bear to fix than Apple originally anticipated. Speaking of bug bounties from earlier, though, it does look like Apple is going to pay a handsome reward to the 14-year-old member of the Thompson family who found the bug while just trying to get in a few rounds of Fortnite.

That’s not the end of the story, though. In fact, someone else wants to weigh in on the issue — or rather, someones. And those “someones” would be the U.S. Congress. According to MacRumors, the Committee on Energy and Commerce would like a bit of a follow-up from Apple as to how all this went down and how it could happen. Quoting now from the Congressional committee’s letter:

“While these are wonderful tools when used right, the serious privacy issue with Group FaceTime demonstrates how these devices can also become the ultimate spying machines. That is why it is critical that companies like Apple are held to the highest standards… Your company and others must proactively ensure devices and applications protect consumer privacy, immediately act when a vulnerability is identified, and address any harm caused when you fail to meet your obligations to consumers.”

Following this introduction, the Committee requested a written response to several questions from Apple’s CEO. Among these were queries such as:

  • When did Apple first know about the bug?
  • Did they know before being contacted by the Thompsons?
  • Did anyone else report the flaw privately?
  • How will Apple determine how many people were exposed to the flaw?
  • Will Apple inform and compensate those individuals, and when will they do so?
  • Are there other, similar bugs yet to be disclosed?

Congress has requested a response by the 19th of February. Will anything come of this? We’ll have to wait and see — it’s not clear yet what the committee’s goal is here.

The other update we have for you is a brief hit on the story we brought you last week about Facebook and the way it hoovered up user data through a “VPN” that was abusing Apple’s enterprise development certificates. During that discussion, our own Nicholas Ptacek supposed that other companies were likely up to the same shenanigans as Facebook — and it turns out that Google was doing it, too. Apple subsequently gave Google the same punishment it gave Facebook, revoking their enterprise certificates and knocking out the company’s ability to use legitimate internal apps on company iOS devices. 

The punishments were a bit short-lived, however. Facebook got their certificate back within about 36 hours, while Google got theirs back in just five. This is disappointing given the severity of what both companies were doing; it constitutes, in our view, an egregious abuse of user trust and privacy. Of course, it makes sense at the same time — Google did apologize and was up-front about it, pulling the app quickly, but it doesn’t seem as though these efforts will really change the behavior of either company.

Nest Tries to Un-Ruffle Some Feathers

Let’s start winding down this week’s discussion with a nicer story, this one relating to device maker Nest. Some weeks ago, we did a story about a family in Northern California whose Nest home security camera was taken by over by some pranksters who likely took advantage of some poor password security to gain access. They proceeded to terrify the family by telling them that a nuclear attack was on the way. It wasn’t, of course, and the family was hopping mad that Nest did not somehow prevent the pranksters from figuring out their bad passwords.

To Nest’s credit, they have decided to do something — all while subtly continuing to say “Hey, it was their fault.” This week, Nest sent out an email to all their users and customers reassuring them that no breach has occurred at Nest, and the company’s services and security remain unimpacted by outside forces. They didn’t stop there, though — they sent out their very own checklist of things people can do to ensure the ability to continue safely using Nest devices.

Warning users that password breaches from the past and present can mean your email and password combos are freely available out there on the web, the company passed along several helpful suggestions users can keep in mind to better protect themselves. These tips included:

  • Enable 2-step verification.
  • Choose strong passwords.
  • Set up Family Accounts, so you never have to share your password with someone else.
  • Be alert and on the lookout for phishers and scammers trying to feel out your information.
  • Protect your home network by using strong security and only allowing those you trust to connect.

Overall, a great set of tips from Nest, and an excellent response when they could have simply released a statement to the media and moved on with business. It’s nice to see one of the big IoT companies working to help keep users smart and safe. As for where you can learn more about how to do many of those things? Well, we’ve got a suggestion — and you’re in the perfect place to start learning more.

Isn’t it great when we can actually wrap up an episode with a helpful how-to? While Apple wrestles with researchers over bug bounties and Facebook continues its shady ways, we can at least maintain our own personal efforts to create a safer environment for ourselves online. With that, though, we’ll put a bow on this week’s episode.

Join our mailing list for the latest security news and deals