...On the outside of the shipping box for the Mac mini server (and I presume this is the case for other Apple products), the serial number of the server was prominently displayed. This means that everyone in the shipping chain between Apple and my home had access to the serial number of my new computer.
Most FedEx people are very cool people, but you never know much about the people who carry your packages. Since we get a lot of deliveries here at Camp David, our regular FedEx guy is always just a little too curious about our daily business.
While I don’t like that curiosity, I don’t think he’s a risk. Besides, the property is heavily protected and monitored, with both active and passive defenses. So he doesn’t worry me.
But others who get deliveries might not want their Mac serial numbers available to their delivery people, who already know their addresses.
Even so, that’s not the biggest flaw I discovered. That’s just the appetizer.
Let’s talk WiFi security for a moment. WiFi security generally has three layers of protection. The simplest is not broadcasting the SSID. That way, unless someone knows the name of your network, he or she won’t be able to find it (unless that person is actively engaging in wireless sniffing, of course).
A second way to protect your network is through encryption. That’s why we always recommend you set up encryption on your WiFi network, and give it a unique key. Encryption is difficult to crack, but not impossible. It’s definitely a good defensive tactic.
But the third layer of protection is actually quite valuable. That’s MAC address filtering. Each network device has (or should have) a unique MAC (Media Access Control) address, essentially a network serial number. If you tell your router to only let in devices that have certain specific MAC addresses, it’s much harder for someone spying on your network to connect.
Of course, if someone technically astute knew one of your MAC addresses, it’d be much easier to gain access to your network. All that person would have to do is spoof the MAC address, and your router wouldn’t be able to tell that the spoofing device wasn’t the one that was authorized on the network. Once allowed onto the network, the intruder would simply have to begin the process of cracking your encryption.
It’s always better to keep intruders off your network in the first place. MAC address filtering does that.
So, now, imagine you’re someone shopping at, say, a Best Buy or Apple store and you want to buy a Mac. Perhaps the store clerk helping you takes what seems an unhealthy interest in you. Perhaps it’s someone you knew in high school who’s been interested in you for years. Or perhaps it’s someone who wants to date you (and you don’t share the attraction). Or perhaps it’s someone who knows your buying patterns and thinks you might make an interesting target for criminal activity.
I’m not saying that all Best Buy and Apple store clerks are trouble. But I am saying that not all people have your best interests at heart.
Now, let’s extend this scenario a notch. When you make a large purchase at someplace like an Apple store, you have to present identification, often a credit card, sometimes a driver’s license, often your home address and phone number. Essentially, you’re telling the clerk a lot about yourself when you make a purchase.
If the clerk had bad intentions in mind, you’ve already given him or her your home address, phone number, and credit card information. In other words, you’re now easy to find.
Thanks to Apple, if you bought a Mac mini (and probably their other products), you’ve also given the clerk your new MAC address. This is essentially one more key to gain access to your network and, for some incredibly short-sighted reason, Apple prints this information on the outside of the box.
Let me repeat that: Apple prints MAC address information, along with the machine’s serial number, on the outside of the box. In fact, Apple prints your WiFi MAC address (what they call AirPort ID), your wired MAC address, and even your new computer’s Bluetooth network address!
This is a very dangerous risk.
Now the clerk has access to not only your credit card information, possibly your driver’s license information, your home address and your phone number, but the MAC address that’s one of the layers used to keep people out of your network.
Courtesy of Apple, you’ve just handed over one of the only keys safeguarding your digital domain to a complete stranger.
I call on Apple to change this practice immediately.
I can understand how picking and packing might be easier with an easily visible serial number, but there’s absolutely no reason network security codes need to be displayed on the outside of retail packaging for all to see.