August 18th, 2008

Security vs. convenience: Apple chooses poorly

Posted by Ryan Naraine @ 6:06 am

Categories: Apple, Contributors, Data theft, Open source, Passwords, Patch Watch, Pen testing, Punditocracy, Spam and Phishing, Spyware and Adware, Vulnerability research

Tags: Password, Apple Inc., Oliver, Security, Ryan Naraine

Guest post by Oliver Day

My PowerBook is in the third year of its life and has begun falling apart on a regular basis. I’ve had the laptop in for repair at least five times this year alone.

Every time I bring my laptop in Apple employees ask me the same question: “What is your administrator password?”

The first time I heard this question, I thought he was joking. Apple is not kidding.

They have offered every excuse imaginable for this practice but none have come close to convincing me to refuse to hand over my password. Sometimes the technicians would even try to intimidate me by saying that they might not be able to continue the repair if I refuse. One technician even tried to charge me an additional $100 for the installation of OS X for failing to divulge my password. The claim was that he had to perform additional work since I refused to cooperate.

This is official Apple policy and it needs to stop.

Consumers should never be asked for their passwords. It is a practice that defies logic to anyone that is trained in security. Given the state of the art in live OS distros, there is absolutely no reason that Apple should ever need access to consumers files for hardware repairs anyway. It isn’t as if technicians haven’t been caught pilfering files from users in the past.

When bringing Apple computers in for repairs, I strongly recommend that users do the following until this is resolved:

1. Create a clone of the boot drive.
2. Secure erase the contents of the drive.
3. Install a fresh copy of the operating system.
4. Re-image the drive once you receive your computer back.

This adds all kinds of time overhead to a process which already sets the consumer back.  All because Apple still believes this is a valid way to treat its customers.

(Image source: QiFei’s Flickr photostream — Creative Commons 2.0)

* Oliver Day is a security researcher at StopBadware.org, a project of the Berkman Center for Internet and Society at Harvard University.  He has over ten years experience in web and network security, working for companies including @stake, eEye, and Rapid7.  Oliver’s blog can be found here.