2017 Has Possibly Been the Worst Year for Apple Product Security – Is iPhone Maker More Concerned About PR Than User Security?
Apple is one of the few tech companies at the forefront of the user privacy and security conversation. The company openly and aggressively fought the Federal Bureau of Investigation when it demanded access to an iPhone in 2016. Not only does it offer controls that let users protect themselves, it also engages in public discussions around user security. But how much of this is about PR, and how less about users?
While the company won 2016 by standing up to surveillance-obsessed agencies, it has had one of its worst years when it comes to software security and user privacy. From concerns voiced by the UN over the company's compliance with the Chinese government's demands, to the multiple security flaws discovered in its products these past few months, it almost sounds like we are looking at a completely different kind of company.
After a devastatingly stupid flaw in macOS, another security issue was reported in the Cupertino tech giant's HomeKit earlier this month. The flaw came to the fore after the security researcher who discovered it reached out to the folks at 9to5mac. Apple fixed it temporarily in less than 48 hours, winning media accolades. It turns out the researcher had been asking Apple for a fix for weeks, but the fix only arrived once it became a media issue.
When good PR outweighed user security at Apple
Every report on the HomeKit security issue ended up applauding Apple for quickly delivering a fix, even if it was only a temporary one. However, in a post published today, the security researcher has shared the details of what happened before this issue made it to the headlines.
"Honestly at this stage I think it’s safe to say the marketing team at Apple can probably get whatever they want from the engineering team with a crazy deadline," Khaos Tian wrote. He shared that he first contacted the company's security team in late October after discovering the security issue in HomeKit. Apple did address that bug, but its fix introduced a new one that made the attack even easier to execute.
"Through all of November I got ONE email (on October 30) from Apple’s product security team saying they were investigating it. During that time, I sent multiple emails (Oct 31, Nov 2, and Nov 16; additionally there was one sent to Federighi on Nov 27) to try to ensure the engineering team understood the issue, but got no reply at all."
Only after Tian found someone who knew someone on the company's product security team did he finally get an email response.
"I guess that’s how product security works now? I have to know someone to get my security issue handled properly?"
After chasing Apple to repair the broken fix it had delivered, and failing to get any useful information, Tian contacted 9to5mac, which apparently pushed the company to deliver a quick fix. "Turned out Apple's PR channel is much more responsive than product security; from them reaching out to Apple PR to Apple coming up with a temporary fix, all of it happened within 48 hours," he wrote.
- Technical details of this HomeKit bug are shared in this post.