SecureMac, Inc.

Checklist 128: The Matrix, the Bounty, and the Electronic Frontier

March 7, 2019

On this week’s Checklist by SecureMac: Hear ye, the Thunderclap, Google’s Project Zero hits Apple & The EFF wants encryption in the cloud.

Checklist 128: The Matrix, the Bounty, and the Electronic Frontier

A “thunderclap” of a hardware flaw sends reverberations throughout the Mac community, Apple gets its hands on the details of a serious flaw, and the EFF turns up the heat on Apple’s encryption efforts in the cloud — a quick glance at our stories today reveals that we’ve got tons to talk about and unpack. We’ll untangle the mysteries of hardware, bring you an update, and discuss how the cloud could be better — all that on today’s Checklist, where we’re hitting the following topics on our list today:

  • Hear Ye, the Thunderclap
  • Google’s Project Zero hits Apple
  • The EFF Wants Encryption in the Cloud

Let’s start by diving in head-first to the world of hardware, where a new flaw was recently discovered in some Apple devices. 

Hear Ye, the Thunderclap

If you’ve listened to the show for a while, you might be feeling like you’re getting pretty good at spotting some of the things we talk about in the wild. Social engineering traps, password problems, and more — when it comes to issues with software and security, it can be easier to pick up what’s going on and gain some literacy for understanding tech news stories. What about when it comes to the hardware side of things, though? If you remember our episodes on Spectre and Meltdown, then you know hardware flaws are a whole other ball game — and one where the rules can be quite confusing to understand. 

Well, buckle up, because there is a brand new hardware security vulnerability, and it concerns the Thunderbolt interface on Apple’s USB-C ports. It’s called Thunderclap, but before we delve into how it works, let’s construct a useful metaphor based on everyone’s favorite turn-of-the-millennium flick, The Matrix

Recall that the main cast of that movie, characters such as Neo, Trinity, and Morpheus, jacked in directly to the Matrix through a port in the back of their heads. For our purposes, we’ll pretend that’s the USB-C port on your Mac. With that port, the characters could do many things after a quick upload because it was a direct connection to the brain. In your Mac’s case, we’re talking your RAM, or memory. This process completely bypasses any filters you might have — so, assuming you trust the person uploading information into your brain, you’re safe. If you can’t trust them, though — who knows what’s streaming into your brain without your permission?

That’s the essence of Thunderclap: bypassing the security filters on USB ports to make illegitimate changes directly to system memory. USB-C ports use something called Thunderbolt, which is a special interface created to let hardware talk to peripherals, such as printers. According to Mac Observer, researchers discovered that USB-C ports provide DMA, or direct memory access — giving any device that uses Thunderbolt way more access than it should. Based on the research, the bad guys could use a hacked peripheral to do things such as read the data on your network, or even capture your typing like a keylogger.

There is certainly an appeal in creating a unified approach to peripheral connections, but is it worth it if it comes with a risk so large? As it turns out, this may merely be a matter of “no one thought this could happen” — and so it was simply an attack vector left unguarded. There is, in fact, a way to guard against DMA exploits such as Thunderclap, and it turns out not to be very complicated at all. At least, it isn’t complicated if you’ve got a computer science degree. The solution has to do with something called IOMMU, short for an Input-Output Memory Management Unit. 

IOMMUs are meant to be digital security guards. They’re special programs that govern the interactions that a peripheral initiates through a USB-C port and, during correct operation, prevents access to restricted memory. IOMMUs ensure peripherals get the memory they need to function correctly, but nothing else. So, what’s the problem?

As it turns out, most of the systems the researchers studied did a poor job at implementing their IOMMUs — or omitted them altogether. Windows 7 through 10 did not support IOMMUs in fresh installations. macOS, however, had support built-in from the start. That too was not without its faults, however, as the researchers did uncover a vulnerability that Apple has since patched. For Mac users, this is mostly not a problem, but is something we will keep an eye on going into the future. 

Google’s Project Zero Hits Apple

There are a few pieces to this next segment, so let’s start off with an update.

Roughly a month ago, we discussed a German security researcher named Linus Henze in an episode. At the time, according to Apple Insider, Henze disclosed publicly that he’d discovered a critical flaw in macOS Mojave’s Keychain. With a simple app he built himself, he was able to demonstrate that he could steal passwords right out of the Keychain with little to stop him. He let Apple know it existed, then withheld the details in protest of the company’s lack of a macOS bug bounty program. Now we know that Henze initially sent Apple an email, stating:

I’m willing to immediately submit you the full details – including a patch… If an official Apple representative sends me an official (and reasonable!) statement why Apple does not have nor wants to create a Bug Bounty program for macOS.

Following this missive, Apple responded to ask for more information about the bug — but stayed silent on the issue of the bounty program. Now, though, Apple Insider says that Henze has relented and sent in his data to the company without payment, believing the flaw too critical to leave unpatched any longer. So how does Henze come out looking in all of this?

On the one hand, it does still look a bit like he held Mac owners and Apple hostage over a personal point of view — and there’s a strong argument to be made that it was reckless behavior. On the other hand, as we’ve said several times on The Checklist, Apple’s missing macOS bug bounty program is a serious problem. Plenty of researchers aren’t happy about it, and Henze is just the latest in a long line of complaints from passionate researchers who feel left out in the cold. It would’ve been better, though, if he had taken a different approach.

Given this and other recent concerns, we find it worth asking if Apple, the giant corporation that it is, takes Mac security as seriously as they should. Do they? 

It’s important to remember that no one, no matter how dedicated to privacy and security, will get things right 100% of the time. However, the massive amount of attention focused on iOS for more than a decade has left the Mac in its shadow. It’s often clear where Apple’s resources flow, and it’s not often to the Mac. iOS makes the company the most money, though, so it should be no shock that it receives the bulk of the development time. 

Now, on to a story that ties in here — although they aren’t exactly the same, they are in the same category. This week, Google’s Project Zero hit Apple with news of a major flaw.

We’ve mentioned Project Zero in stories on The Checklist previously, but what is it? Project Zero is a special team of researchers probing and looking for vulnerabilities to make the web and our computers safer — and they don’t give affected companies much choice in the matter.

When Project Zero identifies a flaw, it reaches out to the organization or company affected and shares everything they’ve learned on the problem. From the moment PZ shares this information, a 90-day deadline clock is ticking down. If a company is close to developing a patch at the end of those 90 days, they may receive an additional two-week grace period. When the timer expires, though, Project Zero publishes everything it has publicly — even if the flaw remains unpatched. Isn’t that holding companies hostage?

Maybe not so much — after all, three months is a lot of time to allow for the development of a fix. Let’s be real, too: how many companies can we think of need that sort of a fire burning beneath them to motivate them to develop a fix at all? There’s no ransom here — it’s just peer pressure from one of the biggest tech companies in the world. 

According to Engadget, this week Google dropped word of a macOS zero-day flaw, a severe bug that affects the system kernel — the most fundamental part of the operating system. A hacker exploiting this bug could start making modifications to user files without the OS ever noticing anything strange happened. Users would be left in the dark, too, and you might never know something was wrong until it was too late. Though Apple said it was in the process of developing and deploying a patch, it did not meet Google’s deadline. The technical specs on the flaw are public now.

Engadget goes on to say that while there’s no evidence of anything exploiting Macs in the wild, users should be extra cautious. Visit only trustworthy sites and don’t download strange files — the usual advice, in other words. The good news, though, is that this flaw doesn’t seem like it’s going to be something that could easily be exploited — and Apple dropped the patch just a few days after Google went public with the information. Coincidence? Hmm…

The EFF Wants Encryption in the Cloud

Moving on to our final story for this week, we’re talking about encryption again!

This time, we’ve got a call for Apple, a company known for its privacy commitments, to be even more privacy-minded. The request comes from the EFF, or Electronic Frontier Foundation, who are asking the company to create iCloud backups that users can encrypt independently of Apple — meaning only the original user would be able to access the data after its encryption.

The EFF requests the change because right now there is a procedure in place that allows law enforcement to ask Apple to divulge information contained within a user’s iCloud account. This info includes everything from emails and photos to iMessages and more — and this is simply unacceptable, says the EFF. Instead, they say, users should have the option to protect their own data with “truly encrypted iCloud backups.”

Part of the issue here is that it has become increasingly unclear what is encrypted and when it comes to iOS devices, although we can reasonably assume Apple has taken reasonable precautions. The law enforcement scenario the EFF describes would seem at first glance not to be possible if the decryption keys are only available to users — but at the same time, there is no way to know for sure. The need for better transparency from Apple on this front is part of why the EFF made the public statement it did. 

Apple, for its part, says that iCloud backups are not encrypted currently in the way the EFF wants. Both the user and Apple has a key, they say, and this is to allow them to assist users in recovering their data when they’ve lost their password or encountered a similar problem. CEO Tim Cook, though, says that in the future this won’t be the case, and the EFF’s scenario will come to pass — just not quite yet.

It sounds to us like they’re stalling for time. For now, there may be some reason, legal or technical, preventing Apple from deploying full encryption that remains solely in the user’s hands. The EFF isn’t just picking on Apple, though — they’re making other demands of related tech companies in the push for better security for all. Android, Twitter, Facebook, and WhatsApp were all targets of specific requests, from implementing end-to-end encryption to banning the use of phone numbers for advertising purposes. 

Will these tech giants listen? We’ll have to wait and find out.

Get the latest security news and deals