Monday, July 25, 2011

Security Flaws Found on Mac Retail Packaging


...On the outside of the shipping box for the Mac mini server (and I presume this is the case for other Apple products), the serial number of the server was prominently displayed. This means that everyone in the shipping chain between Apple and my home had access to the serial number of my new computer.
Most Fedex people are very cool people, but you never know much about the people who carry your packages. Since we get a lot of deliveries here at Camp David, our regular Fedex guy is always just a little too curious about our daily business.
While I don’t like that curiosity, I don’t think he’s a risk. Besides, the property is heavily protected and monitored, with both active and passive defenses. So he doesn’t worry me.
But others who get deliveries might not want their Mac serial numbers available to their delivery people, who already know their addresses.
Even so, that’s not the biggest flaw I discovered. That’s just the appetizer.
Let’s talk WiFi security for a moment. WiFi security generally has three layers of protection. The simplest is simply not broadcasting the SSID. In this way, unless someone knows the name of your network, he or she won’t be able to find your network (unless that person is actively engaging in wireless sniffing, of course).
A second way to protect your network is through encryption. That’s why we always recommend you set up encryption on your WiFi network, and give it a unique key. Encryption is difficult to crack, but not impossible. It’s definitely a good defensive tactic.
But the third layer of protection is actually quite valuable. That’s MAC address filtering. Each network device has (or should have) a unique MAC (Media Access Control) address, essentially a network serial number. If you tell your router to only let in devices that have certain specific MAC addresses, it’s much harder for someone spying on your network to connect.
Of course, if someone technically astute knew one of your MAC addresses, it’d be much easier to gain access to your network. All that person would have to do is spoof the MAC address, and your router wouldn’t be able to tell that the spoofing device wasn’t the one that was authorized on the network. Once allowed onto the network, the intruder would simply have to begin the process of cracking your encryption.
It’s always better to keep intruders off your network in the first place. MAC address filtering does that.
So, now, imagine you’re someone shopping at, say, a Best Buy or Apple store and you want to buy a Mac. Perhaps the store clerk helping you takes what seems an unhealthy interest in you. Perhaps it’s someone you knew in high school who’s been interested in you for years. Or perhaps it’s someone who wants to date you (and you don’t share the attraction). Or perhaps it’s someone who knows your buying patterns and thinks you might make an interesting target for criminal activity.
I’m not saying that all Best Buy and Apple store clerks are trouble. But I am saying that not all people have your best interests at heart.
Now, let’s extend this scenario a notch. When you make a large purchase at someplace like an Apple store, you have to present identification, often a credit card, sometimes a driver’s license, often your home address and phone number. Essentially, you’re telling the clerk a lot about yourself when you make a purchase.
If the clerk had bad intentions in mind, you’ve already given him or her your home address, phone number, and credit card information. In other words, you’re now easy to find.
Thanks to Apple, if you bought a Mac mini (and probably their other products), you’ve also given the clerk your new MAC address. This is essentially one more key to gain access to your network and, for some incredibly short-sighted reason, Apple prints this information on the outside of the box.
WTF Apple?
Let me repeat that: Apple prints MAC address information, along with the machine’s serial number, on the outside of the box. In fact, Apple prints your WiFi MAC address (what they call AirPort ID), your wired MAC address, and even your new computer’s Bluetooth network address!
This is a very dangerous risk.
Now the clerk has access to not only your credit card information, possibly your driver’s license information, your home address and your phone number, but the MAC address that’s one of the layers used to keep people out of your network.
Courtesy of Apple, you’ve just handed over one of the only keys safeguarding your digital domain to a complete stranger.
I call on Apple to change this practice immediately.
I can understand how picking and packing might be easier with an easily visible serial number, but there’s absolutely no reason network security codes need to be displayed on the outside of retail packaging for all to see.


  1. The term "Ripe for Exploitation" comes to mind.

  2. I agree. It does seem that there is unnecessary info printed on the outer label.

    There's a theoretical risk, I suppose. But an actual exploit is highly unlikely. After all, how many package-handling clerks have the technical chops, much less the motivation to actually make the attempt described?

  3. Hmm, maybe next time we put your VISA card info on your box just to piss you off. Gotta love haters, they find anything and everything to hate on. This is pretty insignificant.

  4. I agree that it's not the worst thing in the world but it really is an unnecessary risk putting that on the box.

  5. Wow, a lot of hot air over very little. I would think if you are concerned about someone hacking into your wireless network because they got your MAC address from the store where they also got your home address and CREDIT CARD number, perhaps you should be more worried about them having your credit card.

  6. Just about every computer company that ships you a computer/laptop prints the serial number on the outside of the box. What is the big deal?

  7. Well, the serial number is one thing, the mac addresses are another. While it's unlikely that someone would steal one to spoof their own mac and do something evil, it really is not necessary to put it on the outside of the box.

  8. MAC address filtering is extremely easy to bypass (easier than cracking WEP encryption, which can be done in a handful of minutes). It's possible to see all the MACs of clients that are connected to an access point, thus giving anyone a list of MACs that are allowed through the filter. Simply wait for one of those devices to disconnect (or you can attempt to force a disconnection using special software), then set your MAC to match that device (a feature found right in most Windows NIC drivers, or with separate software), and you're instantly past the MAC filter.

    MAC filtering is the equivalent of having a voice-activated lock on the door to your house. It asks you your name, and only lets you in if your name is on the list. However, someone only has to stand nearby and wait to overhear the name of someone that is allowed in. The attacker can then simply walk up to the door and say the other person's name to gain entry.

    Just as also having a good deadbolt on the door is the way to secure your house, proper encryption (which is close enough to impossible to crack that you shouldn't worry about it) is the way to secure your Wi-Fi.

    I'm not saying that there's not excessive info printed on the box (of most electronics, not just Apple's), but I'd generally be more worried about the serial number. This could be used for product registration or redeeming special offers. At the very least, someone else could cause a decent bit of annoyance, and at the most, completely prevent you from properly claiming ownership of the product or taking advantage of included promos.
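
Added example (not part of the original post or its comments): a defender-side check for the situation comment 8 describes, where a second device presents a MAC address the filter allows. Every 802.11 transmitter stamps its frames with a 12-bit sequence number, so two radios sharing one address appear to a monitor as a counter that keeps jumping. Assumptions: the frame tuples are constructed sample data using documentation-range MAC addresses, the thresholds are illustrative, and each radio is treated as having a single counter (QoS stations keep one per traffic identifier).

```python
from collections import defaultdict

SEQ_MOD = 4096      # 802.11 sequence numbers are 12 bits wide
MAX_GAP = 64        # assumed tolerance for frames the monitor missed
MIN_ANOMALIES = 3   # assumed number of jumps before a MAC is flagged


def forward_gap(prev, cur):
    """Distance from prev to cur on the 12-bit counter, with wrap-around."""
    return (cur - prev) % SEQ_MOD


def find_shared_macs(frames, max_gap=MAX_GAP, min_anomalies=MIN_ANOMALIES):
    """frames: iterable of (source_mac, sequence_number) in capture order.

    Returns {mac: anomaly_count} for addresses whose counter jumps too
    often to be explained by one radio with a few lost frames.
    """
    last_seen = {}
    anomalies = defaultdict(int)
    for mac, seq in frames:
        mac = mac.lower()
        if mac in last_seen:
            # A gap of 0 is a retransmission; small gaps are missed frames.
            if forward_gap(last_seen[mac], seq) > max_gap:
                anomalies[mac] += 1
        last_seen[mac] = seq
    return {m: n for m, n in anomalies.items() if n >= min_anomalies}


# Constructed capture, not real traffic. The address ending :01 is one
# radio whose counter wraps past 4095 and loses one frame. The address
# ending :02 is used by two radios, one counting from 100 and one from 2500.
ONE = "00:00:5e:00:53:01"
TWO = "00:00:5e:00:53:02"
SAMPLE = [
    (ONE, 4093), (TWO, 100), (ONE, 4094), (TWO, 2500), (ONE, 4095),
    (TWO, 101), (ONE, 0), (TWO, 2501), (ONE, 1), (TWO, 102),
    (ONE, 3), (TWO, 2502), (TWO, 103),
]

if __name__ == "__main__":
    for mac, count in find_shared_macs(SAMPLE).items():
        print(f"{mac}: {count} sequence jumps, address likely in use by two radios")
```

The wrap from 4095 to 0 and the single lost frame on the first address stay under the threshold, so only the shared address is reported.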