Apple and the Terrible, Horrible, No Good, Very Bad Week
posted Saturday Sep 27, 2014 by Scott Ertz
It isn't often that a company has an entire week they would like to Ctrl-Z. This week has been exactly that for Apple, or however you might accomplish an Undo on a Mac. It seemed that every time we turned around, Apple was making negative headlines again for a new reason. Between shoddy products, security disasters and knowledge thereof, plus an update that could brick phones, this is a week Apple would like to strike from the record. I don't think that's going to happen.
Let us begin with Bendgate, the unfortunate hardware issue amusingly named to mock Antennagate, which was another major Apple hardware issue. This issue, however, cannot be fixed as easily as holding your phone by the top with just 2 fingers: it is destroying handsets, though it is not the first release manufacturing issue.
If you are a woman, you know the burdens of pants pockets - they almost do not exist in the front. This is why most women, especially younger women, carry their phones in the back pockets - there's actually room. Men, on the other hand, tend to carry theirs in the front pocket, halfway down their leg. Either way, the phone lives in a part of the body that receives pressure against a curved surface when sitting. While Samsung and LG are releasing curved screen phones, Apple's iPhone 6 is not even designed to be close to curved surfaces.
Because of the pressure placed on the phone when sitting, users on social media have reported that their phones have physically curved or bent. Apple has claimed that only 9 customers have complained of phones bending or curving, but the results on Twitter seem to suggest a higher rate of failure. Even if we are to assume Apple's number, how in the world could 9 phones have bent, other than cheap aluminum in the manufacturing?
Nearly every publication has tested the issue, with most coming up with the conclusion that the phone is far easier to bend than most other phones on the market, but still higher than what would be normal pressure. The iPhone 6 comes in around 55 pounds of pressure, whereas the Samsung Galaxy Note 3 comes in around 150 pounds of pressure. That is a pretty huge swing, but for anyone who has worn skinny jeans and sat on their phone, you know that more than 55 pounds of pressure is placed on your phone. Maybe Apple will blame Gap for this one the way they blamed BlackBerry for Antennagate.
iOS 8 Updates
Let us pretend that you plan on keeping your iPhone 6 in a bag, protected with an Otterbox case, preventing all chances of it bending. The ability to use one of the most advertised new features of the phone, HealthKit, is something many customers expected to use right out of the box. Unfortunately, that wasn't really how it worked. Apple promised that iOS 8.0.1 would bring HealthKit, and it did. It also brought about TouchID failure and reception issues. Some users even saw their phones completely fail to download and install.
Many customers discovered that their cellular reception was less than optimal. In fact, it appeared to be iPhone 4 quality, which is not something of which to boast. Apple discovered an issue in iOS 8.0.1 that was iPhone 6 specific, for which they released a patch, iOS 8.0.2, which was capable of downloading, installing and fixing the reception issue! No need for Nokia to get offended this time.
The celebrity photo hacking issue has become almost epidemic - personal iPhone photos being stolen and leaked online. Apple initially claimed that their platform was secure and that the data could not have come from iCloud. Well, that is not exactly true. In fact, their platform is almost certainly to blame, and they know it.
In fact, Apple received reports 6 months ago from a security firm in London informing them of the iCloud API issue. Ibrahim Balic sent in reports to the company through various means, including email and the company's own bug reporting platform. In a March 26, 2014 email he said,
I found a new issue regarding on Apple accounts (sic)...By the brute force attack method I can try over 20,000 + times passwords on any accounts. I think account lockout should probably be applied. I'm attaching a screen shot for you. I found the same issue with Google and I have got my response from them.
Unfortunately, this problem was left unattended. In fact, it was entirely discounted by Apple.
Based on the information you provided, it appears that it would take an extraordinarily long time to find a valid authentication token for an account. Do you believe that you have a method for accessing an account in a reasonably short amount of time?
Time to hack is not an issue when there are Russian hack shops with hundreds of people, paid a dollar an hour, to exploit exactly these types of vulnerabilities. Coincidentally, celebrity photos were leaked to the public. Shocking, isn't it? A known vulnerability, reported and discounted, was eventually exploited by hackers on the Internet? That has never happened before. No, I'm sorry, ask Target and Home Depot about how well it works out after the class action lawsuits.
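The control Balic asks for in the email above, sketched as an added example (not from the original post and not Apple's code): a per-account failure counter with an escalating lockout, replayed against 20,000 wrong guesses. The thresholds, the one-guess-per-second rate and the account name are assumptions made for the illustration.

```python
import time

class LoginThrottle:
    """Per-account failure counter with an escalating lockout window."""

    def __init__(self, max_failures=5, base_lock=60, max_lock=3600,
                 clock=time.monotonic):
        self.max_failures = max_failures   # free guesses before locking (assumed)
        self.base_lock = base_lock         # first lockout, seconds (assumed)
        self.max_lock = max_lock           # lockout ceiling, seconds (assumed)
        self.clock = clock
        self._state = {}                   # account -> (failures, locked_until)

    def attempt(self, account, password, verify):
        """Return 'ok', 'failed' or 'locked'; verify() is skipped while locked."""
        now = self.clock()
        failures, locked_until = self._state.get(account, (0, 0))
        if now < locked_until:
            return "locked"
        if verify(password):
            self._state.pop(account, None)  # success clears the counter
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            # Each further failure doubles the lockout, up to max_lock.
            over = failures - self.max_failures
            locked_until = now + min(self.base_lock * 2 ** over, self.max_lock)
        self._state[account] = (failures, locked_until)
        return "failed"

def simulate(guesses, throttle=None):
    """Replay wrong guesses, one per second, and count how many get verified."""
    tick = [0]
    evaluated = [0]

    def verify(_password):                # constructed: every guess is wrong
        evaluated[0] += 1
        return False

    if throttle is not None:
        throttle.clock = lambda: tick[0]  # simulated clock, in seconds
    for i in range(guesses):
        tick[0] = i
        if throttle is None:
            verify(f"guess{i}")
        else:
            throttle.attempt("user@example.test", f"guess{i}", verify)
    return evaluated[0]
```

Calling `simulate(20_000)` verifies every guess, while `simulate(20_000, LoginThrottle())` lets only 15 of them reach the password check. A per-account lock like this can also keep the legitimate owner out while it is active, so real deployments usually pair it with per-source rate limits and alerting.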
Security: Apple Pay
How secure will Apple Pay really be? Well, if Payment Token documents are even remotely accurate, not very. As you can see, the token that is passed around contains a tremendous amount of data, all accessible via Apple's NFC radio. This data includes the card number and expiration date and, optionally, the cardholder name.
Now, Apple will tell you that since it uses two-factor authentication on every transaction (iPhone and fingerprint), simply making this data available from the phone is not insecure. The issue is that the iPhone fingerprint scanner is remarkably easy to fool. While it may not be "an easy attack," it is something to be concerned about. A simple lifting of your phone, and a hacking of the fingerprint scanner, and the ability to lift all of your personal credit information is EASY. In fact, this token has enough information to generate a whole new physical card. At least Apple is really good at protecting its data (see above).
Security: Bash Bug
When Steve Jobs returned to Apple after being fired, he brought with him the company he founded while he was gone: NeXT. This company had developed a UNIX-based operating system, which no one cared about, except Jobs. In fact, he cared so much, it kind of became MacOS X, which is still in use today. How could a "modern" operating system running on a 40-year-old backbone possibly cause a problem?
This week, a new bug was discovered, called Bash Bug. This simple command-line bug can cripple a computer with ease. Luckily, it only runs on UNIX-based machines. This means that UNIX, Linux (including Android, webOS and Tizen) and MacOS X are all susceptible. Because of the ease of use and nature of this bug, it is considered to be considerably bigger than Heartbleed, which nearly shut the Internet down for a few weeks; at least that part running on UNIX, Linux and MacOS X servers.
Apple claims that Bash Bug is not a real threat to MacOS X users, as the command line itself is not exactly a known feature to most, and the permissions required to execute it are, by default, not granted to any user of the computer. Oh, for that pesky root access I might believe this one, but Apple has already not been forthcoming about its security issues this week, so maybe don't believe this one as gospel, either.