Wednesday, November 07, 2007

MacOS 10.5 Leopard Phones Home, Reveals Little Snitch 2

Apple's Mac OS 10.5 Leopard 'loginwindow' process phones home to on port 443 which is only revealed by running the new Little Snitch 2 security monitoring tool.

read more | digg story

I find Alex's story a bit prematurely accusatory toward Apple, though he did seize a worthwhile opportunity for some healthy advocacy of Little Snitch. I just upgraded my license to 2.0, and it's well-worth the $13 :).

It's good to track these types of issues, but there are a lot of processes on OS X that'll communicate to other servers, even over SSL, including webdav client for idisk, for .Mac Mail over IMAP. It's just that loginwindow isn't a process you'd typically expect to connect to some host, which happens to be, so it's definitely worth raising an eyebrow.

Engadget mentions some "secure magic" of the "Back to My Mac" feature, allowing a Mac linked to a .Mac account to control another Mac linked to the same .Mac account:
[...] On the back end of things, Leopard includes "Back to my Mac," which keeps track of your home Mac's IP address through various (and secure!) magicks [... Read More ]
Apple has a page dedicated to the Back to My Mac feature. The requirements section is particularly interesting:
    Requirements to use Back to My Mac
  • A .Mac membership.
  • Two or more Mac OS X 10.5 Leopard-based Macs that are configured for use with the same .Mac account.
  • For screen sharing, a 128Kbps or faster bi-directional network connection between the computers (file sharing may be usable with slower connections).
  • An AirPort base station, or third-party Internet router which supports UPnP or NAT-PMP.
NAT-PMP? Interesting. Wikipedia gives us some interesting information about NAT-PMP, a protocol introduced by Apple in June 2005:
It essentially automates the process of port forwarding.
Included in the protocol is a method for retrieving the public IP address of a NAT gateway, thus allowing a client to make this public IP address and port number known to peers that may wish to communicate with it.
This may be wild speculation but could it be possible that loginwindow is sending public IP and ports information to .Mac, to enable other Macs linked to the same .Mac account to connect?

I don't find the mere fact that Leopard is sending data over an encrypted connection to a security concern in and out of itself. And until a crafty developer manages to extract information out of the perpetrating process before it sends its data over the encrypted connection, i won't just assume this is a privacy concern.

On the other hand, reading more about this "Back to My Mac" feature makes me nervous. A long time ago, I wrote a rant about Layers of Operating System Security, touting the fact that OS X had virtually no open ports on a default installation, dramatically reducing vectors of attack. Making this "Back to My Mac" feature available on default Leopard installations could, possibly, one day, present a vector of attack.

Let's hope Apple's got their proverbial sh*t together, and if not, let's hope some crafty ethical hackers manage to find holes and get Apple to plug them, before some zero-day exploit gets in the wild.

1 comment:

lxpk said...

You're right that my post was a bit prematurely accusatory. I did a google search for the suspicious message expecting to find a document on explaining it and found only Russian livejournal discussions with a picture saying "BIG BROTHER IS WATCHING YOU". I documented it and put it out there for people to explore further and decide for themselves. I think the Apple communications are probably innocent but the general usefulness of tools like Little Snitch in safeguarding against this kind of thing was demonstrated enough that I felt the news story's attention would not be a waste of everyone's time if it made people a little more secure and aware. Plus I'm a blogosphere newb and I smelled a story that Diggers would love.