Security Bits Logo

Security Bits – 08 December 2017 – macOS Root Bug, HomeKit Bug, iOS Backup Encryption

Security Medium 1 — macOS High Sierra Root Bug

A nasty bug was found in macOS 10.13 High Sierra — it was possible to cause the root account to become enabled, and to do so with a blank password.

To trigger this bug all you had to do was go into the control panel, click the padlock to un-lock the sensitive settings, change the username to root, enter no password, then hit enter. At this point the authentication would fail, but, the root account would have been made active. Hit enter again, and root with a blank password will be accepted as valid. At this point you can do anything in the control panel, no matter how restricted your account is in theory, and, anything you can get full terminal access as root.

By default this bug requires physical access, but if you enabled screen sharing it can be triggered remotely. Also, if you enable SSH then once the bug has been triggered anyone can get command-line root access remote.

Another default setting that compounded this bug was guest access — you can trigger this bug from the guest account!

When the news broke, Apple were very quick to fix the bug, so, initially, Apple looked to have responded very promptly, but, alas, reporters soon found mentions of the bug in the Apple support forums from weeks back. Personally, I think that should have triggered alarm bells within Apple, and this should have been fixed before it became major news.

Once the news broke Apple responded very quickly, and for only the second time ever, they used their ability to automatically push updates to users automatically. This meant that without any user action, most affected Macs were quickly patched.

That patch was not without some issues though.

Firstly, the current version of High Sierra at the time the news broke was 10.13.1 (and this bug only ever affected High Sierra, never older versions of the OS). If a user was running 10.13.0 when the automated update was applied, and if they then updated to 10.13.1, their computers became vulnerable again! However, just a few days after the quick-fix Apple released 10.13.2, and that has the fix baked in, so if you’re not sure whether or not you are safe, all you have to do is be sure you’re on macOS 10.13.2 or later.

Secondly, the quick-fix broke some sharing features. Apple released a support document with instructions for fixing that issue though, and, the issue was also fixed by 10.13.2.

All in all this was a very embarrassing bug for Apple. To their credit they did apologise, and, they announced that they will be auditing their security practices. I would have liked more detail, but that may come later.

Links

Security Medium 2 — Apple fix HomeKit Sharing Bug in iOS 11

One of the cool features in HomeKit is that you can share access to your devices with others, presumably friends and family.

If you use this feature, and if you upgraded to iOS 11, then your HomeKit devices could have been accessed by anyone, not just the people you intended to share access with. When you bear in mind that there are HomeKit enabled smart door locks and cameras, that starts to sound like a very serious issue indeed!

Thankfully this problem was responsibly disclosed to Apple, to took action to protect users before the researchers published their findings.

Apple’s initial quick-fix was done on the back-end, so no action was needed by users. A part of that quick-fix was the disabling of some sharing functionality, which seems like a perfectly reasonable trade-off.

Apple have promised a full fix, and restoration of the disabled services next week, so keep an eye out for an iOS update if you’re affected by this temporary loss of functionality.

Links

Security Medium 3 — A Subtle Change in iOS Backup Encryption

If you back up your iOS devices via iTunes, and if you encrypt those backups, then, and only then, are you affected by a subtle change that Apple made to how those backups are encrypted. The change was made as part of the iOS 11 update.

Previously, iTunes backups were encrypted with a completely stand-alone password, and if you lost that password, your backup could never be decrypted.

What has changed is that there are now two ways to decrypt encrypted iTunes backups — the stand-alone password as before, and, via the iOS device itself assuming you have the devices pass code.

Links

  • A great explanation of the tradeoff Apple made here, and why it probably makes sense over-all — tidbits.com/…
  • Apple’s support document on iTunes backup encryption — support.apple.com/…
  • Elcomsoft’s original post out-lining the change that triggered the controversy — blog.elcomsoft.com/…

Notable Security Updates

Notable News

  • Facebook begins trialing a messaging app for kids age 6–12 that’s designed to give them a safe place online to chat, free from ads, and with explicit parental consent — Facebook brings Messenger to kids as young as 6 — nakedsecurity.sophos.com/…
  • 🇺🇸 NY attorney general demands FCC vote on net neutrality set for December 14 be delayed because the public comment process was ‘deeply corrupted’ — nakedsecurity.sophos.com/…
  • 🇺🇸 Newly released transcripts form testimony given over the summer shows the US government believe they don’t even need the approval of the secret FISA courts to compel companies to break encryption — nakedsecurity.sophos.com/…

Suggested Reading

Palate Cleansers

Leave a Reply

Your email address will not be published.

Scroll to top