Last Week on My Mac: Compromised, or conned?

We’re barely three months into 2017, and it has already been a very difficult year for Mac (and iOS) security. Not that we’ve all been exploited, or even compromised. At least, it doesn’t look like it.

And that is the provisional conclusion at the end of a week in which a London-based group of hackers claimed that they had compromised hundreds of millions of iCloud accounts, and in which Wikileaks generously released details of the hacks it claims have been used by US security agencies to exploit large numbers of Mac and iOS devices.

So why is this the first time that I have mentioned these issues here? Because neither is quite what it seems, and most Mac and iOS users shouldn’t be panicking and changing passwords, or investing in additional security protection. Misleading if not false news is very much the order of the day. Just as the citizens of London are having to learn again the lessons acquired during the many decades over which the city has come under sporadic violent assault, so we have to learn to cope.

The possible compromise by a fragmentary group calling itself the Turkish Crime Family is reported in careful detail in several good articles, including Zack Whittaker’s on ZDNet. The gist is that the claim was made as a ransom demand to Apple, which has led to a careful investigation. We don’t know exactly what Apple has discovered about the group and its claim, but we do know that attempts to verify it have failed to find convincing evidence that the claimants have what they say they have.

Whittaker’s investigation concludes that “we can’t be sure that this is something big, but based on our reporting, we can’t say that it’s nothing.” Apple, meanwhile, has stated that “the alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.”

There are a lot of things about this episode which simply don’t add up. The ransom demand, based on compromise of over 300 million accounts, is just $75,000 in bitcoins, or $100,000 in iTunes gift cards, which puts the price per account at around 0.025 cents. I’m sure that they would be able to make far more selling a smaller number of compromised accounts at lower personal risk on the black market. If they really did have full details including passwords for what must be close to a sixth of all active iCloud accounts, surely any serious criminal would be expecting more than $100,000 in iTunes gift cards.

Even more valuable would be details of how they were able to compromise so many accounts. Presuming that this exploited a vulnerability in iCloud, that knowledge would surely be worth far more in the active marketplace for security vulnerabilities. Apple is confident that is not the case, and that there has been no new compromise, and there is no vulnerability. We’ll find out soon enough, as the hackers claim that they will start resetting passwords on iCloud accounts and remotely wiping iPhones if they don’t receive the ransom by 7 April – another odd feature, as it gives the enormously profitable Apple a long time to come up with a pitifully small ransom.

The other dark cloud which came scudding across from the horizon was that Wikileaks published documentation detailing the vulnerabilities in Macs and iOS devices which are being used by the CIA to ‘spy’ on targets. A good but short article about this was written by Sam Shead for Business Insider UK.

Just as with the Turkish Crime Family’s ransom demand, we need to look carefully at Wikileaks’ claims and the contents of the released documents. Although Apple has not made its full analysis available, the fact that the documents refer to an iPhone 3G vulnerability fixed in 2009, and to Mac vulnerabilities which were fixed in models launched after 2013, should give you a good idea that, as far as security experts are concerned, Wikileaks’ much-vaunted Vault 7 documents are of largely historical and political interest.

It is just as well for Wikileaks that they are, as releasing details of current exploits which can be used to compromise today’s Macs and iOS devices would surely only confirm that Wikileaks has complete disregard for anyone other than its paymasters.

Wikileaks for its part fails to recognise the fuller history of these “techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones”, or the historical nature of the vulnerabilities. There’s a good analysis in context of the Sonic Screwdriver and DarkSeaSkies projects by Trammell Hudson which is well worth reading. Hudson knows what he is writing about, as he developed more sophisticated attacks using similar techniques.

Sonic Screwdriver is believed to have been based on a 2012 Black Hat presentation by ‘snare’, which required physical access to the Mac to take advantage of the vulnerability. In any case, Apple added a security option which blocks the exploit in December 2015. DarkSeaSkies was only useful against some older MacBook models, and again required physical access in order to install it.

So whatever political impact these leaked documents might merit or achieve, in security terms there is little new here, and nothing of current impact.

I hope that you haven’t spent the last few days anxiously trying to get your Mac(s) firmware checked out, worrying whether your Thunderbolt cables have been doctored, and changing your iCloud password. Unless Apple tells us otherwise, the Turkish Crime Family’s ransom demand is a confidence trick, and only the CIA knows what vulnerabilities it might be exploiting now.

Should you automatically change your iCloud password? No – threats like these should make you check that you are using a really robust, unguessable password, one that you use for nothing else, and two-factor authentication for your Apple ID. Apple’s own statement is that the alleged list appears to come from previously compromised third-party services, and the only way a leak from some other service can open your iCloud account is if you reused the same password there. Changing your password periodically does no harm, but if it is robust, unique to your Apple ID and has been changed in the last couple of years, do not feel compelled to change it yet.

It is far better to use a really good, secure password for longer than to keep changing it to those which are easy to remember, unless you believe that your password may have been compromised, or you discover that you have used it on another service which has been breached.
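To make that check concrete, here is an added example (my own illustration, not code from this article or from Apple or ZDNet) of the two audits worth running on your own password vault: whether any password appears in a known breach corpus, and whether any password is reused across services. The breach corpus below is a constructed list of a handful of obviously weak strings standing in for a third-party dump; it is not real breach data. The lookup simulates a k-anonymity range query of the kind breach-checking services offer: only the first five hex characters of the password’s SHA-1 are sent, so the service never learns the password. The vault contents and service names are likewise constructed for the example.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Set

# Constructed stand-in for a third-party breach dump (NOT real breach data).
# Real corpora distribute hashes, not plaintext, so only SHA-1 digests are kept.
_CONSTRUCTED_LEAKED = ["password", "123456", "letmein", "qwerty", "Summer2016!"]
BREACH_CORPUS: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_LEAKED
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str) -> Set[str]:
    """Simulated k-anonymity range lookup.

    The caller sends only the first 5 hex characters of the hash; the
    corpus side answers with the suffixes of every entry sharing that prefix.
    It never sees the full hash, let alone the password.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password's hash is present in the (constructed) corpus."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group services by password; a group of more than one service is
    credential reuse, so a breach of any one of them exposes the rest."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for service, pw in vault.items():
        groups[pw].append(service)
    return {pw: sorted(services) for pw, services in groups.items() if len(services) > 1}


def audit(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Return the services whose password should be changed now, with the
    reason(s): it appears in the breach corpus, or it is shared with another
    service. Services with a strong, unique password are not reported."""
    findings: Dict[str, List[str]] = {}
    reused = reused_passwords(vault)
    for service, pw in vault.items():
        reasons = []
        if is_breached(pw):
            reasons.append("in breach corpus")
        if pw in reused:
            others = [s for s in reused[pw] if s != service]
            reasons.append("reused on " + ", ".join(others))
        if reasons:
            findings[service] = reasons
    return findings


# Constructed sample vault: service name -> password.
EXAMPLE_VAULT = {
    "icloud": "Summer2016!",
    "forum": "Summer2016!",
    "bank": "ivory-lantern-7-quartz-mosaic",
    "webmail": "qwerty",
}

if __name__ == "__main__":
    for service, reasons in audit(EXAMPLE_VAULT).items():
        print(f"{service}: {'; '.join(reasons)}")
```

Run against the sample vault, the audit flags the iCloud and forum accounts (a leaked password shared between two services, which is exactly the credential-stuffing scenario behind lists “obtained from previously compromised third-party services”) and the webmail account (a weak password in the corpus), while the bank account with its long, unique passphrase is left alone. Against a real vault you would replace the constructed corpus with a genuine range-query service, but keep the prefix-only query so the password itself never leaves your machine.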

Meanwhile, we all need to get used to the fact that some computer and device security ‘news’ is now as untrustworthy as any other ‘news’, and designed to manipulate us rather than to inform or protect.