Security flaw found on Mac retail packaging

Courtesy of Apple, you've just handed over one of the only keys safeguarding your digital domain to a complete stranger.
Written by David Gewirtz, Senior Contributing Editor

Image courtesy Flickr user hyku.

Macs have the reputation for being safer online. They're known to have less virus exposure and less malware. Although fellow ZDNet blogger Ed Bott has written extensively about Mac malware, there's no doubt there's less of it on Macs than on Windows PCs.

In fact, many of my colleagues in federal agencies tasked with doing cyberdefense have chosen Macs over Windows PCs for just that reason.

Although my ongoing annoyance with all things Apple is a matter of public record, I've generally stipulated that if you want a safer experience, you're probably better off with Macs.

That's why I was so surprised and disappointed to see a series of what I consider to be major security flaws, not in Apple's software, but directly on its packaging.

Yesterday, I bought one of the brand-new Mac mini servers with Thunderbolt.

This won't be my daily driver (that's a hot Windows 7 machine). The new Mac mini server is intended for some specialized video work I'm doing in the studio I'm building.

Since I got the system the day after Apple announced it (kudos to Apple for a very fast turnaround), I decided I'd do an unboxing gallery so everyone could share in the oh-so-exciting excitement that comes from opening a box.

See also: Mac mini server with Thunderbolt, unboxing

I'm telling you this because I never would have noticed the security flaws I'm documenting in this column if I hadn't done the unboxing. I just don't look at Apple retail packaging all that much.

Before I go into the flaws, let me give you a background on identity theft and personal security. Identity theft is a huge problem. It can cost victims tens of thousands of dollars and take years to clean up. Identity theft is on the rise and it's an ongoing challenge to fight.

Related to identity theft is the issue of personal security. Some of us have experienced stalkers and other assaults on personal safety. That's why I have long recommended you NOT tweet your location on Twitter and keep where you're going to yourself on Facebook.

Most people are cool, but some people are not. Those who are not cool can range from disturbing and freaky to downright dangerous.

This brings me back to the Apple packaging.

On the outside of the shipping box for the Mac mini server (and I presume this is the case for other Apple products), the serial number of the server was prominently displayed. This means that everyone in the shipping chain between Apple and my home had access to the serial number of my new computer.

Most Fedex people are very cool people, but you never know much about the people who carry your packages. Since we get a lot of deliveries here at Camp David, our regular Fedex guy is always just a little too curious about our daily business.

While I don't like that curiosity, I don't think he's a risk. Besides, the property is heavily protected and monitored, with both active and passive defenses. So he doesn't worry me.

But others who get deliveries might not want their Mac serial numbers available to their delivery people, who already know their addresses.

Even so, that's not the biggest flaw I discovered. That's just the appetizer.

Let's talk WiFi security for a moment. WiFi security generally has three layers of protection. The simplest is simply not broadcasting the SSID. In this way, unless someone knows the name of your network, he or she won't be able to find your network (unless that person is actively engaging in wireless sniffing, of course).

A second way to protect your network is through encryption. That's why we always recommend you set up encryption on your WiFi network, and give it a unique key. Encryption is difficult to crack, but not impossible. It's definitely a good defensive tactic.

But the third layer of protection is actually quite valuable. That's MAC address filtering. Each network device has (or should have) a unique MAC (Media Access Control) address, essentially a network serial number. If you tell your router to only let in devices that have certain specific MAC addresses, it's much harder for someone spying on your network to connect.

Of course, if someone technically astute knew one of your MAC addresses, it'd be much easier to gain access to your network. All that person would have to do is spoof the MAC address, and your router wouldn't be able to tell that the spoofing device wasn't the one that was authorized on the network. Once allowed onto the network, the intruder would simply have to begin the process of cracking your encryption.

It's always better to keep intruders off your network in the first place. MAC address filtering does that.

So, now, imagine you're someone shopping at, say, a Best Buy or Apple store and you want to buy a Mac. Perhaps the store clerk helping you takes what seems an unhealthy interest in you. Perhaps it's someone you knew in high school who's been interested in you for years. Or perhaps it's someone who wants to date you (and you don't share the attraction). Or perhaps it's someone who knows your buying patterns and thinks you might make an interesting target for criminal activity.

I'm not saying that all Best Buy and Apple store clerks are trouble. But I am saying that not all people have your best interests at heart.

Now, let's extend this scenario a notch. When you make a large purchase at someplace like an Apple store, you have to present identification, often a credit card, sometimes a driver's license, often your home address and phone number. Essentially, you're telling the clerk a lot about yourself when you make a purchase.

If the clerk had bad intentions in mind, you've already given him or her your home address, phone number, and credit card information. In other words, you're now easy to find.

Thanks to Apple, if you bought a Mac mini (and probably their other products), you've also given the clerk your new MAC address. This is essentially one more key to gain access to your network and, for some incredibly short-sighted reason, Apple prints this information on the outside of the box.

Let me repeat that: Apple prints MAC address information, along with the machine's serial number, on the outside of the box. In fact, Apple prints your WiFi MAC address (what they call AirPort ID), your wired MAC address, and even your new computer's Bluetooth network address!

This is a very dangerous risk.

Now the clerk has access to not only your credit card information, possibly your driver's license information, your home address and your phone number, but the MAC address that's one of the layers used to keep people out of your network.

Courtesy of Apple, you've just handed over one of the only keys safeguarding your digital domain to a complete stranger.

I call on Apple to change this practice immediately.

I can understand how picking and packing might be easier with an easily visible serial number, but there's absolutely no reason network security codes need to be displayed on the outside of retail packaging for all to see.

Editorial standards