Security flaw found on Mac retail packaging

Security flaw found on Mac retail packaging

Summary: Courtesy of Apple, you've just handed over one of the only keys safeguarding your digital domain to a complete stranger.

SHARE:

Image courtesy Flickr user hyku.

Macs have the reputation for being safer online. They're known to have less virus exposure and less malware. Although fellow ZDNet blogger Ed Bott has written extensively about Mac malware, there's no doubt there's less of it on Macs than on Windows PCs.

In fact, many of my colleagues in federal agencies tasked with doing cyberdefense have chosen Macs over Windows PCs for just that reason.

Although my ongoing annoyance with all things Apple is a matter of public record, I've generally stipulated that if you want a safer experience, you're probably better off with Macs.

That's why I was so surprised and disappointed to see a series of what I consider to be major security flaws, not in Apple's software, but directly on its packaging.

Yesterday, I bought one of the brand-new Mac mini servers with Thunderbolt.

This won't be my daily driver (that's a hot Windows 7 machine). The new Mac mini server is intended for some specialized video work I'm doing in the studio I'm building.

Since I got the system the day after Apple announced it (kudos to Apple for a very fast turnaround), I decided I'd do an unboxing gallery so everyone could share in the oh-so-exciting excitement that comes from opening a box.

See also: Mac mini server with Thunderbolt, unboxing

I'm telling you this because I never would have noticed the security flaws I'm documenting in this column if I hadn't done the unboxing. I just don't look at Apple retail packaging all that much.

Before I go into the flaws, let me give you a background on identity theft and personal security. Identity theft is a huge problem. It can cost victims tens of thousands of dollars and take years to clean up. Identity theft is on the rise and it's an ongoing challenge to fight.

Related to identity theft is the issue of personal security. Some of us have experienced stalkers and other assaults on personal safety. That's why I have long recommended you NOT tweet your location on Twitter and keep where you're going to yourself on Facebook.

Most people are cool, but some people are not. Those who are not cool can range from disturbing and freaky to downright dangerous.

This brings me back to the Apple packaging.

On the outside of the shipping box for the Mac mini server (and I presume this is the case for other Apple products), the serial number of the server was prominently displayed. This means that everyone in the shipping chain between Apple and my home had access to the serial number of my new computer.

Most Fedex people are very cool people, but you never know much about the people who carry your packages. Since we get a lot of deliveries here at Camp David, our regular Fedex guy is always just a little too curious about our daily business.

While I don't like that curiosity, I don't think he's a risk. Besides, the property is heavily protected and monitored, with both active and passive defenses. So he doesn't worry me.

But others who get deliveries might not want their Mac serial numbers available to their delivery people, who already know their addresses.

Even so, that's not the biggest flaw I discovered. That's just the appetizer.

Let's talk WiFi security for a moment. WiFi security generally has three layers of protection. The simplest is simply not broadcasting the SSID. In this way, unless someone knows the name of your network, he or she won't be able to find your network (unless that person is actively engaging in wireless sniffing, of course).

A second way to protect your network is through encryption. That's why we always recommend you set up encryption on your WiFi network, and give it a unique key. Encryption is difficult to crack, but not impossible. It's definitely a good defensive tactic.

But the third layer of protection is actually quite valuable. That's MAC address filtering. Each network device has (or should have) a unique MAC (Media Access Control) address, essentially a network serial number. If you tell your router to only let in devices that have certain specific MAC addresses, it's much harder for someone spying on your network to connect.

Of course, if someone technically astute knew one of your MAC addresses, it'd be much easier to gain access to your network. All that person would have to do is spoof the MAC address, and your router wouldn't be able to tell that the spoofing device wasn't the one that was authorized on the network. Once allowed onto the network, the intruder would simply have to begin the process of cracking your encryption.

It's always better to keep intruders off your network in the first place. MAC address filtering does that.

So, now, imagine you're someone shopping at, say, a Best Buy or Apple store and you want to buy a Mac. Perhaps the store clerk helping you takes what seems an unhealthy interest in you. Perhaps it's someone you knew in high school who's been interested in you for years. Or perhaps it's someone who wants to date you (and you don't share the attraction). Or perhaps it's someone who knows your buying patterns and thinks you might make an interesting target for criminal activity.

I'm not saying that all Best Buy and Apple store clerks are trouble. But I am saying that not all people have your best interests at heart.

Now, let's extend this scenario a notch. When you make a large purchase at someplace like an Apple store, you have to present identification, often a credit card, sometimes a driver's license, often your home address and phone number. Essentially, you're telling the clerk a lot about yourself when you make a purchase.

If the clerk had bad intentions in mind, you've already given him or her your home address, phone number, and credit card information. In other words, you're now easy to find.

Thanks to Apple, if you bought a Mac mini (and probably their other products), you've also given the clerk your new MAC address. This is essentially one more key to gain access to your network and, for some incredibly short-sighted reason, Apple prints this information on the outside of the box.

Let me repeat that: Apple prints MAC address information, along with the machine's serial number, on the outside of the box. In fact, Apple prints your WiFi MAC address (what they call AirPort ID), your wired MAC address, and even your new computer's Bluetooth network address!

This is a very dangerous risk.

Now the clerk has access to not only your credit card information, possibly your driver's license information, your home address and your phone number, but the MAC address that's one of the layers used to keep people out of your network.

Courtesy of Apple, you've just handed over one of the only keys safeguarding your digital domain to a complete stranger.

I call on Apple to change this practice immediately.

I can understand how picking and packing might be easier with an easily visible serial number, but there's absolutely no reason network security codes need to be displayed on the outside of retail packaging for all to see.

Topics: Security, Apple, Hardware, Networking

About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

117 comments
Log in or register to join the discussion
  • The only way that this would "expose"....

    ...you to risk would be if you exposed the server directly to the internet, i.e. without use of a hardware router or firewall. A little bit of NAT would even protect you to some extent, but turning off ping etc. would definately protect you from external intrusion. So.... I'm not sure what you're grasping at here? I can't imagine anyone, in this (security oriented) day and age, to not have a hardware firewall for a critical piece of equipment like a server ....?!?
    rock06r
    • This is right up there with giving your doctor and drug store...

      @rock06r
      your REAL SS#.
      Leaves the door wide open.
      Look at how many boxes of files from these places are found at public dumps everyday (not withstanding federal law)!
      kd5auq
    • RE: Security flaw found on Mac retail packaging

      @rock06r You are correct that a hardware network firewall helps prevent an intrusion from an *external* network such as the Internet. Likewise a software firewall on your PC will also help prevent an intrusion of the PC from computers on the "internal" wireless network, regardless of the security on the wireless access point.<br>But no network firewall prevents *sniffing or using the wireless connection* between your computer and wireless access point, unless you consider the wireless security settings in the wireless access point to be part of the network firewall.<br>(NAT only hides IP addresses, but has no affect on MAC addresses)<br>Sniffing or using the wireless connection is prevented by the means listed by David Gewirtz, and does potentially include using MAC address filtering as an additional (albeit weak) layer of security.
      Spatha
      • Basic security....

        @Spatha

        Look, knowing a MAC address is easy if you're on the intranet of someone's system. Anyone who knows how to google "ping" can figure this out. The issue here isn't whether or not someone on the "inside" of your firewall can get at your server -- they OBVIOUSLY can if they're already on the inside (DUH!). They can also get the MAC with just a couple of keystrokes - no special software required...and that is true regardless of whether or not they are on your intranet or sniffing your WIFI signals.

        The question at hand here, which is a little obfuscated by all the non-relevant ramblings in this article, is whether or not internet "pirates" can do anything with your MAC address. And the answer is: No, because the internet effectively hides your MAC three different ways from Tuesday, and definately no, if you have a firewall/router facing the internet from your connection (which you *should* if you know ANYTHING about servers and networks).
        rock06r
      • RE: Security flaw found on Mac retail packaging

        @rock06r Regarding your reply, I agree, and did say, MAC address filtering adds a *weak* layer of security. Were we disagree is on the main point of the article. Yes, it does cover a few different topics, and I was responding to the article's discussion of MAC filtering, which did not concern attacks from "Internet pirates." It concerned attacking a Wi-Fi network over the air, something a firewall will not prevent.
        Spatha
      • RE: Security flaw found on Mac retail packaging

        @rock06r<br>The flaw to your logic is your statement that finding a mac address for someone is easy AS LONG AS you are on their intranet. <br>Thats like saying stealing something from your house is easy...as long as I'm inside the house. Well duh.<br><br>lol, I think its pretty lame to put someone's MAC address publicly for all to view. So many wonderful ways of abusing your computer with it.
        rengek
    • RE: Security flaw found on Mac retail packaging

      @David Gewirtz: "This means that everyone in the shipping chain between Apple and my home had access to the serial number of my new computer."

      What a moron!

      Almost every tech product is packaged with the serial number on the box. This is both for inventory purposes, and so that purchaser or seller can register the product in the store without having to open the box, if they want to do this.

      Move along. Nothing new to see here. ;-)
      Harvey Lubin
      • You are right

        @Harvey Lubin
        Finally someone with common sense. Many computer makers do this. I just bought a New Modem with the Mac address right on the box! So what. This is not news.
        jscott418-22447200638980614791982928182376
      • No doh!

        [i]Almost every tech product is packaged with the serial number on the box. This is both for inventory purposes, and so that purchaser or seller can register the product in the store without having to open the box, if they want to do this.[/i]

        I know Dell does this. So does HP. Does that make it any less dangerous for them?
        ScorpioBlue
      • Message has been deleted.

        nickmcel
      • RE: Security flaw found on Mac retail packaging

        @Harvey Lubin , i agree with your response the the headline... Here is a good question, which computer manufacturer does not use labels with serial numbers on the outside of the box ? Answer: they all do. So the headline is misleading, and yes it may be a good idea not to leave the information so visible, but once again the article is misleading. As to the MacMini not having redundant power supplies etc... I agree Apple made a Mistake by discontinuing xserve. It has left a hole in their hardware lineup. However, it does give you the opportunity to experiment with OSX server on apple hardware for a good price.
        freethinkerinfl
      • RE: Security flaw found on Mac retail packaging

        @Harvey Lubin If I showed Mr. Gewirtz the Bill Of Lading document, he might have a fatal heart attack. :-(
        jgm@...
      • @scorpioblue

        Sheesh, isn't it obvious? Dell and HP aren't spelled A-P-P-L-E.
        fr_gough
      • RE: Security flaw found on Mac retail packaging

        @Harvey Lubin

        I agree with you about this Harvey L.

        I work at a College in the media dept. and just last week, we received about $80K in EXTRON Equipment and EVERY Single Piece has the S/N. printed on the Box, Along with MAC Address if applicable? (which was more than 1/2 the order)
        All of our TV's & DVD Players & Echo 360 recorders & Every piece of Eqt. ordered that uses Network, Has it's S/N and MAC Address Tattooed right on the box which Arrives just the Apple Box.
        Our IT Dept. Buys 1,000's of PC's throughout the year? All of them come with S/N and other ID Stuff Printed on the Factory Label on Each Box. (HP)


        Is this writer just a Apple hater or something? and jumping on the band wagon of "See Apple is just as vulnerable as PC"
        Well DUH, all of us apple users know this? it's just we don't have as many issues as windows does? and when it starts to get bad (Which it hasn't) Apple will implement a new security policy? For Example, Apple will require all Applications to be signed by Apple before it can install/run on OS X. If said application wasn't signed by Apple it will come back as Failed MD5 or whatever they decide to use whenever Apple starts doing this. They might make it so that your computer is within apples network... just thinking out loud about that...

        For everyone that is going to say, "Thats why you hate apple, already locked down system or whatever reason" well I'm sure they'll give the option to go ahead and install... with a stipulation, like mentioned above, if your system is on "apples network" they may warn something like, (If you choose to install this software, you will no longer be protected under apples network) which will put you at a higher risk?
        Who know's? Just a Theory anyways? =)
        Musick7
      • I'll

        @Harvey Lubin
        wright_is
      • I'll 1 that

        @Harvey Lubin my reply at the end of the thread is pretty much the same. We register the serial numbers of all devices we send out to customers for warranty purposes, but we aren't allowed to open the boxes before shipping. Luckily 99% of manufacutrers put the serial number on the outside these days.
        wright_is
      • RE: Security flaw found on Mac retail packaging

        @Harvey Lubin Just another in an ever growing long list of pieces he has written that are only done to bash Apple. As many have pointed out most manufacturers due the exact same labeling that Apple does and I would bet the David was fully aware of this but that wouldn't help promote his hatred for Apple. I also find it funny how he makes it seem like you only give out all your personal info such as credit card number and showing your ID when purchasing Apple products. Does Best Buy not request to see your credit card and photo ID when purchasing items from other vendors?

        I have not seen any in a while but David's anti Apple hit pieces like this have all but taken away any credibility that he might have had at one point.
        non-biased
    • RE: Security flaw found on Mac retail packaging

      @rock06r OR someone could plug in to your switch and ARP spoof your switch... Or if you have wireless, they can spoof that mac address and avoid a mac-address whitelist based network.
      snoop0x7b
    • RE: Security flaw found on Mac retail packaging

      @rock06r

      The internet is routed. Having the MAC address available is a very minor concern. The author mentioned sniffing, but neglected to mention just how easy it is. MAC addresses are used in switching and are therefore broadcast in the clear. All you need to do is identify the source address of a packet with the destination address of the access point your looking for and spoof it.
      tkejlboom
  • You are so wrong about wireless security

    Hiding your SSID is the equivalent of hiding your keyboard under your desk. It doesn't improve your security one bit. In fact, I've read about a couple security issues where remembering a network with a hidden SSID actually makes your client (like your laptop) more vulnerable.

    MAC address filtering is only slightly better but is still not the least bit secure against someone who has a tiny bit of knowledge.

    These 2 security measures would only keep out people who have very little computer knowledge. You know what else does this? WPA2 and Apple doesn't post your WPA2 passphrase on your box.

    A WiFi network using only SSID hiding and MAC filtering is incredibly vulnerable to attack with or without Apple's help. A WiFi network using only WPA2 encryption is far more secure and Apple is doing nothing to make it less secure.

    You will spend more time typing in your SSID on your mobile devices and typing MAC addresses on your router than a good hacker will have to spend getting around these "security" measures.
    toddybottom