I update my Apple devices regularly so when, four days ago, a security alert was issued and then an iOS software update appeared, I did not think too much about it.
But this article in Slate about what the security issue was and how it was found piqued my interest. It is worth reading; take a look and come back.
Basically, something terrible and very minor happened in Apple’s coding that led to a duplicate line that left a huge security hole. This isn’t a hole that can be exploited, but it is a hole we no longer expect to be there, and so any past exploit (such as a malicious website) could have found itself working. What is more, the hole seems to have been there for 18 months, so in all likelihood, if you were going to be exploited, you already have been exploited.
One interesting question is how this could have occurred. The consensus seems to be that it was not malicious or the NSA but was an error. What was problematic is that no one picked it up. Not Apple, whose own testing should reveal this. Not any of the security companies who are supposed to monitor operating systems for this (or if they did, public disclosure wasn’t their chosen course of action). Not even Google.
[By the way, as an aside, in case you have wondered how we economic theorists check the maths in the increasingly complex models we write, it is often through a set of procedures similar to the way code is tested. That is, we don’t always redo the calculations but stress test the output to see if it makes sense and works as expected as certain variables are taken to limits. That system is imperfect but efficient as well.]
The precise line of code was revealed on Y Combinator 4 days ago by pencilo, who should have a superstar Karma rating by now. This was not from discovering the hole per se but through their examination of the code itself. The code was provided by Apple as open source. Yes, it took 18 months, but it also demonstrates something quite powerful about open source and being a willing participant in it, as Apple is. This is Linus’s Law at work: “many eyes make bugs shallow.”
Apple famously works in small teams. That means that there are fewer people internally to catch these things. Instead, by open sourcing its code, Apple allows others to potentially find these issues. That said, 18 months is a long time. If there had been a bounty on finding such bugs, one suspects there would have been many eyes, sooner.