"My Precious..." (Apple)

by lg0p89

For full disclosure, I do drive an iPhone.  I have absolutely no complaints regarding iOS or the hardware.  I would recommend it to any user.  Back to the story.

One thing we could depend on day after day, month after month, up until one or so years ago, was Apple products being relatively safe from malware and the other bugs that can haunt PCs and Android OS devices.  One could sleep soundly at night knowing with a reasonable certainty that everything was safe.

Resume Generating Event (RGE)

Well, all was not well in Mudville, Cupertino.  In July of 2013, the Apple developer site went down.  The message provided was that the site was being maintained for a longer than expected period.  The site stated "We'll be back soon."  (Osborne, 2013)

This was on a fateful Thursday.

There was an update from Apple on Friday stating that the maintenance was still in process.  Given Apple's attentiveness and proactive nature, this was an odd sign that something was wrong.  Finally, on Sunday, the actual situation, a.k.a. the truth, was released to the public.  The updated message on the Apple website was that there had been a breach of their system.  A portion of the data that was accessed was not encrypted.  Because of the risk of unauthorized persons using the compromised accounts, Apple sent out password resets.  (Zorz, 2013)

On a positive note, the Apple customer information was not stored in the same location.  This was a blessing, as it turns out.  The breach was also detected in a very timely manner and managed.

The point, however, is that this is not the standard operating procedure.  Apple, with its closed-source model, was seen as the bastion against intrusion and malicious penetration.  The system segment that was breached was where developers would visit for downloads, documentation, and discussion forums.  This was a black eye and bad news for Apple's infosec team.

Twist

Up until this point, it appeared there had been a malicious attack and a successful breach.  This clearly would have been bad news.  A few days later, a security researcher (Ibrahim Balic) claimed responsibility for it.  He even went so far as to post a video on YouTube showing the methods used for the breach, which he shared on his Twitter account.  (Osborne, 2013)

It was also posted on TechCrunch that he found 13 bugs and had reported these through bugreport.apple.com.  (Zorz, 2013)

Thus, it is clear to a reasonably prudent person that Balic did this, due to his own admission published by at least three sources.

Ethics

For penetration testing, generally the contractor speaks with the client, reviews the parameters for the project, prepares a contract, both parties read and understand the ground rules, and the testing starts at the opportune time.

In this case, he allegedly completed the penetration test successfully.  However, he did not secure permission from Apple to do any of the work.  None.  Apple had no idea this activity was inbound.  Granted, he had the best of intentions; however, those do pave the road to Hell.  His intent, as it appears, was for a friendly party to explore the vulnerabilities.  His comments show there was no malicious intent.  The vulnerabilities were reported to Apple so they could be closed and the attack surface lowered.  Although his intent and subsequent actions show no malice, the breach may be actionable by Apple.

It is hoped Apple will see the light and not pursue any legal action against Balic.  He should not have done this without permission and a contract; however, it was done solely to benefit Apple.

Lesson Learned

The professional e-security researcher does not conduct a penetration test or active measures in an attempt to breach another's system without express permission, generally in the form of a contract so there are no misunderstandings later, a.k.a. a lawsuit.  The security researcher may only want to help the company out by letting them know about their vulnerabilities or that they need to push patches now.

As an analogy, think of your neighbor's home.  As you drive home late one evening, you notice their floodlight has burned out.  Wanting to be a good neighbor, you walk onto their property, prop their ladder up against the barn, and replace the bulb.  Think of your neighbor's physical property as Apple's digital playground.

Some people on the Federal level may call this trespassing or a breach of several Federal computer laws.  As a security researcher, you don't want the criminal or civil issues that could be pursued because of this.  Being a good Samaritan at times does not pay.  No good deed goes unpunished.

Remember, always have express permission to do a penetration test unless you enjoy a rather large bull's-eye on you or your smart phone being tracked via its GPS by government employees wearing black suits.

References
