Apple Is Struggling To Stop A 'Skeleton Key' Hack On Home Wi-Fi


Even with all Apple's expertise and investment in cybersecurity, there are some security problems that are so intractable the tech titan will require a whole lot more time and money to come up with a fix. Such an issue has been uncovered by Don A. Bailey, founder of Lab Mouse Security, who described to Forbes a hack that, whilst not catastrophic, exploits iOS devices' trust in Internet of Things devices like connected toasters and TVs. And, as he describes the attack, it can turn Apple's own chips into "skeleton keys."

There's one real caveat to the attack: it first requires the hacker take control of an IoT technology that's exposed on the internet and accessible to outsiders. But, as Bailey noted, that may not be so difficult, given the innumerable vulnerabilities that have been highlighted in IoT devices, from toasters to kettles and sex toys. Once a hacker has access to one of those broken IoT machines, they can start exploiting the trust iOS places in them.

That's because of the technical workings of something known as an MFi chip - an Apple design it licenses to other manufacturers who want to connect their products with iOS devices. Bailey found iOS devices can be tricked into handing over private network keys to hacked devices that contain such chips.

"If you hack a device with MFi, you can use that board to impersonate any host device you want that's enabled with Apple MFi," Bailey explained. "There's no way for an Apple iOS device to guarantee the MFi chip isn't being instrumented for malicious purposes... iOS will automatically provision security keys to the hacked MFi device.

"You can impersonate an Apple device or accessory using an MFI chip ... and trick the security network into getting the security keys." He said to keep in mind that the iOS user has to accept the keys will be provisioned to the device, another possible barrier to a successful attack.

That means it's possible to have an iOS device pass along cryptographic keys. The keys can be used to join the Wi-Fi network, a useful platform for straight surveillance or further attacks. As Bailey described it during his talk at Hack In The Box in Amsterdam earlier this month, "Apple's secure element is unintentionally a skeleton key into any environment controlled by iOS." That environment, he suggested, could be a house that uses Apple's HomeKit.

Once a hacker is on the IoT device, not much malicious code is required to start stealing secrets on the network. As Bailey told Forbes, he was able to squeeze it all onto a few slides. And in a diagram for this publication, he imagined a scenario of a connected toaster being hacked so it can impersonate a smart TV and trick an iOS device into giving it keys to get onto a home's previously private Wi-Fi.

[Diagram, credit Don Bailey: Cybersecurity researcher Don Bailey highlights potential security risks with Apple's MFi technology.]

An old warning

Bailey doesn't believe sophisticated hackers - think the NSA or Russia's elite digital spies - will be using the skeleton key hack; it would prove trickier than simpler attacks on private networks, such as targeting the Wi-Fi router itself.

He's more concerned that something he'd warned about years ago has become a reality. Back in 2016, he helped draw up guidelines from the GSMA on securing endpoints making up the Internet of Things. Back then, he feared problems of trust, where devices couldn't guarantee what they were connecting to was safe. Now those fears have come true.

If Apple is going to fix the problem, it could take years, Bailey warned. That's because Apple would have to update not just its own tech, but also the licensed MFi chips of its partners. Bailey thinks it would mean changes to entire manufacturing processes as well as internal systems.

He said he'd initially contacted the tech giant about the problem a year ago and Apple accepted it as a potentially critical bug. He's been working with the Cupertino company to come up with solutions since then.

An Apple spokesperson, whilst highlighting that the attacks couldn't steal data from an iOS device directly or compromise the user's Apple ID, confirmed it was working on addressing the issues discovered by Bailey. "We're aware of these theoretical exploits and have already started implementing some fixes in our latest version of iOS," the spokesperson said. Apple also confirmed a fix addressing the issue in HomeKit was added in iOS 11.3. No more specifics were given on what the other fixes were. Bailey said the exploits weren't theoretical; he'd proven them.

One solution could be for Apple to change its Wireless Accessory Configuration (WAC) specification to send signed data to guarantee the authenticity of where it came from, "which is quite unrealistic," Bailey said. Or Apple could find a way to cryptographically tie the MFi identity to the host device. The latter would be more effective, but require those significant manufacturing changes.
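To make the trust gap concrete, here is an added, deliberately simplified model (not Apple's MFi or WAC protocol, and not Bailey's code) of the second fix Bailey describes: a verifier that only proves it is talking to a genuine chip, beside one that also requires the accessory's claimed identity to match the identity bound to that chip. Chip IDs, keys and device names are constructed for the example, and an HMAC stands in for the chip's real signing mechanism.

```python
# Added illustration of the trust model described in the article, not Apple's MFi/WAC
# protocol. The chip is genuine in both cases; what differs is whether the verifier
# (standing in for the iOS side) ties the chip to a specific host device identity.
import hashlib
import hmac
import secrets

# Constructed sample data: each chip's signing secret, plus the host identity bound
# to the chip at manufacturing (the binding the hardened check relies on).
CHIPS = {
    "chip-A": {"key": b"example-toaster-chip-secret", "bound_host": "SmartToaster"},
    "chip-B": {"key": b"example-tv-chip-secret", "bound_host": "SmartTV"},
}
TRUSTED_KEYS = {cid: c["key"] for cid, c in CHIPS.items()}       # known to the verifier
TRUSTED_HOSTS = {cid: c["bound_host"] for cid, c in CHIPS.items()}  # known to the verifier


def chip_sign(chip_id, message):
    """The chip answers a challenge. Software on a hacked host can call this freely,
    so the chip will happily sign whatever identity that software asks for."""
    return hmac.new(CHIPS[chip_id]["key"], message, hashlib.sha256).digest()


def weak_provision(chip_id, claimed_host, nonce, tag):
    """Authenticates only the chip: claimed_host is whatever the host software sent."""
    expected = hmac.new(TRUSTED_KEYS[chip_id], nonce + claimed_host.encode(), hashlib.sha256).digest()
    if hmac.compare_digest(expected, tag):
        return f"network-key-for-{claimed_host}"  # stand-in for the provisioned Wi-Fi key
    return None


def bound_provision(chip_id, claimed_host, nonce, tag):
    """Hardened: the claimed identity must be the one bound to this chip, so a chip
    pulled from a toaster cannot be presented as a TV."""
    if TRUSTED_HOSTS.get(chip_id) != claimed_host:
        return None
    return weak_provision(chip_id, claimed_host, nonce, tag)


def accessory_join(check, chip_id, claimed_host):
    """An accessory holding chip_id presents itself as claimed_host; returns the key or None."""
    nonce = secrets.token_bytes(16)
    tag = chip_sign(chip_id, nonce + claimed_host.encode())
    return check(chip_id, claimed_host, nonce, tag)
```

Under the weak check, a compromised toaster claiming to be a TV still receives a key; under the bound check only the identity registered for that chip is accepted.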

But for now, little can be done. "[Apple's] improvements are superficial at this point because there is nothing they can do," Bailey added.
