Yves here. Historically, one of the reasons for owning a Mac was that the Apple OS was far more secure than Microsoft’s. Microsoft had lost control of its kernel, making it vulnerable to viruses and hacks, while OSX was a proprietary version of Unix, which was rugged and more attack-resistant.
The Apple OS has gotten worse and worse with every supposed upgrade as Apple has tried to make the desktop OS integrate into its phones, which simply serves to make those machines more kludgey. I was inconceivably at least as memory constrained with 16 GB of RAM on my new-ish laptop shortly after I got it in 2016 as I was on my aged MacBook Air running a seriously out of date version of the OS with a mere 4 GB of RAM. That’s a disgrace.
Apple’s stunning security breach is yet another warning to users. Apple has gotten away with this nonsense because the Windows OS is still more cumbersome and requires more tech tinkering and Linux boxes require that users become technically proficient, when most computer owners just want tools that work, and don’t want to have to fool around under the hood. But another incident like this, and even the geekery-averse will have to think seriously about abandoning Apple.
By Michael Olenick, a research fellow at INSEAD
In an epic security meltdown last week, Apple handed the keys to anybody who could get a few seconds of physical access to a logged-in Mac regardless of what security level the logged-in person had. This also allowed ordinary users to bypass any enterprise restrictions.
First, some background. All operating systems have a hierarchical system of user security. Mac OS is a Unix variant, originally built from BSD. Like all Unix variants the top-level user, which has access to everything, is called “root.” Even people with administrative rights have fewer privileges because root is so powerful it is easy to accidentally destroy one’s computer. System administrators and computer programs sometimes need root level access and, when required, they invoke it for a short amount of time. A hacker’s holy grail is root access.
Apple allowed anybody who could touch a Mac that was logged in to gain root access and, later, invisibly control the Mac indefinitely. Our hacker would first go to System Preferences, click Users & Groups, and create a new administrative user. Then they’d click back one level and enable remote login. After the 5-10 seconds this would take they’d skedaddle, doing the rest of their work at their leisure.
Remotely, the hacker would download the contents of a hard drive or install a key logger to capture username/password combinations for more secure systems. They could add other programs making it impossible to get rid of them without reinstalling everything. They could use the microphone to eavesdrop. If the user had access to other systems the hacker might be able to quietly take control of those too through private keys stored on their computer. Only strong two-factor authentication on remote machines or, say, bank accounts would prevent a complete takeover, assuming it is enabled.
To gain root and create their user the hacker, when prompted for a password, would type root and leave the password blank. This wouldn’t work and they’d try again; the second time would work. That’s the vulnerability Apple somehow missed.
I tried this on three separate Macs and it worked. One report said it could take up to seven tries for the root/blank password trick to work. Maybe, but it always worked on the second try for me.
How obvious is the ability to change a computer with this exploit? My eleven-year-old daughter used it to remove all parental controls from her own login. She’s a smart brat kid – this made me realize she’s outgrown the need for parental controls – but also illustrates that a master’s degree in isn’t required to dream up exploits for this bug.
To their credit Apple rolled out a patch that fixed the bug about 18 hours after it was discovered. Except they later rolled out an update to the operating system and restored the bug. The original fix didn’t work a second time so Apple eventually remotely fixed all the Macs (theoretically). Of course, if a hacker created a phantom user and took control remotely the patches would not undo the fake user.
Before a well-deserved harangue about quality control, or lack thereof, I’d urge all Mac users to 1) click on the Apple menu, 2) choose Users & Groups, and 3) see if there is anybody there they do not recognize (and, if so, call Apple: your computer is hopelessly compromised without a system wipe). If you do not have a compelling need to log in to your Mac remotely, disable it: Apple menu -> Sharing -> unclick Remote Login (actually, unclick everything unless you’re sure you know why it’s clicked). To make sure the bug is patched, click the lock on the user screen and replace the username with root but leave the password blank. Then try to click OK a few times. If the key eventually opens, go to the Mac app store and update your Mac immediately.
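The account and Remote Login checks above can also be run from Terminal. The script below is an added example, not part of the original article: the `KNOWN_ADMINS` allowlist and the account names are assumptions, and it relies on the stock macOS tools `dscl` and `systemsetup` (run it with sudo so `systemsetup` can answer).

```bash
#!/usr/bin/env bash
# Added example: audit the two things the article tells Mac users to check.
# KNOWN_ADMINS is an assumption: list the admin accounts you expect to see.
KNOWN_ADMINS="root alice"

# unknown_admins MEMBERSHIP_LINE ALLOWLIST
# Prints every member of the admin group that is not on the allowlist.
unknown_admins() {
    local line="${1#GroupMembership:}"
    local allow=" $2 "
    local user
    for user in $line; do
        case "$allow" in
            *" $user "*) ;;                 # recognized account
            *) printf '%s\n' "$user" ;;     # not on the allowlist
        esac
    done
}

# remote_login_on OUTPUT
# Succeeds when systemsetup reports that Remote Login (SSH) is enabled.
remote_login_on() {
    case "$1" in
        *"Remote Login: On"*) return 0 ;;
        *) return 1 ;;
    esac
}

if command -v dscl >/dev/null 2>&1; then
    # On a Mac: read the live admin group and Remote Login state.
    membership=$(dscl . -read /Groups/admin GroupMembership)
    remote=$(systemsetup -getremotelogin 2>/dev/null)
else
    # Constructed sample output, used when the macOS tools are absent.
    membership="GroupMembership: root alice support2"
    remote="Remote Login: On"
fi

for user in $(unknown_admins "$membership" "$KNOWN_ADMINS"); do
    echo "Unrecognized admin account: $user"
done
if remote_login_on "$remote"; then
    echo "Remote Login is enabled; turn it off under Sharing if not needed."
fi
```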
Now, the harangue.
Apple – seriously?! Since the untimely death of Steve Jobs the company has been off their game. It’s not only this boneheaded move: despite a quarter-trillion dollars in the bank Apple has repeatedly failed to do anything interesting in about five years.
Maybe they’re waiting to repatriate money from Europe. Snooze. They could have purchased a European car company, no repatriation required, and had an Apple electric car on the streets by now. Tell Carl Icahn to piss off – Jobs would have – and knock it off with the stock buybacks: they’re pure waste. Apologize to employees for the oversight and build a daycare in the new $5 billion headquarters (Jobs probably wouldn’t have, but whatever). It can be a collection of low-rise buildings in the park in the center of the spaceship, a reminder about the importance of playfulness and magic. Start from scratch with an Apple watch that’s more like a customized wristband. Recognize that the sticks darting from the earbuds look ridiculous. Catch up by adding OLEDs to all iThings. Reassure the desktop group they still matter but that they have to wake up and try harder. Add touch to Mac OS and make an iMac with a pivoting stand like the Surface.
The root security bug is an obvious severe process failure but I think the flaw runs a lot deeper: Apple management just doesn’t seem to care anymore. The company lacks a passion that once fueled users even in the darkest days. Every senior person is insanely rich and just doesn’t seem to give a shit. The money might explain things but every senior person at Google, Facebook, Amazon, and Netflix is also ridiculously wealthy and they still seem to care. Even Microsoft management seems to be waking up: their Surface Studio computer is genuinely cool.
Lower level employees are friendly and competent. When the High Sierra upgrade destroyed a colleague’s computer Apple employees spent hours patiently talking to and texting her; they eventually restored it. Contrast that to Dell: family members bought my daughter a new Dell as a present from the US. It intermittently will not turn on and has been a brick for weeks. Nobody has been able to resolve the problem and Dell customer service is abysmal. But just because competitor computer makers are godawful doesn’t mean you have to be too. Besides, it makes better business sense to not nuke a computer with an update in the first place rather than providing friendly and helpful employees to spend hours restoring it.
There are countless articles comparing Apple CEO Tim Cook to former Microsoft CEO Steve Ballmer, who succeeded Bill Gates. Ballmer, like Cook, raised revenue but sat idly by while Microsoft was clobbered in search, mobile, social, cloud, and virtually every other new tech development during his tenure. Now we’re watching Cook languish. I can’t tell Siri “next song” (well, I can but it doesn’t understand). iCloud is awful. The iPhone X looks suspiciously like a Samsung Galaxy from a few years ago. And, oh yeah, my eleven-year-old rooted the family Mac in seconds.