[Fnoord]

Interestingly the article on the bottom links to a Usenix 2019 (held Aug 14 - 16) paper with the title "A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct Link"

Abstract:

"Apple Wireless Direct Link (AWDL) is a key protocol in Apple's ecosystem used by over one billion iOS and macOS devices for device-to-device communications. AWDL is a proprietary extension of the IEEE 802.11 (Wi-Fi) standard and integrates with Bluetooth Low Energy (BLE) for providing services such as Apple AirDrop. We conduct the first security and privacy analysis of AWDL and its integration with BLE. We uncover several security and privacy vulnerabilities ranging from design flaws to implementation bugs leading to a man-in-the-middle (MitM) attack enabling stealthy modification of files transmitted via AirDrop, denial-of-service (DoS) attacks preventing communication, privacy leaks that enable user identification and long-term tracking undermining MAC address randomization, and DoS attacks enabling targeted or simultaneous crashing of all neighboring devices. The flaws span across AirDrop's BLE discovery mechanism, AWDL synchronization, UI design, and Wi-Fi driver implementation. Our analysis is based on a combination of reverse engineering of protocols and code supported by analyzing patents. We provide proof-of-concept implementations and demonstrate that the attacks can be mounted using a low-cost ($20) micro:bit device and an off-the-shelf Wi-Fi card. We propose practical and effective countermeasures. While Apple was able to issue a fix for a DoS attack vulnerability after our responsible disclosure, the other security and privacy vulnerabilities require the redesign of some of their services." [1]

I got nothing to add regarding OpenDrop other than that I love interoperability, and that I love it when FOSS enables this.

[1] https://www.usenix.org/conference/usenixsecurity19/presentat...

[toxik]

I can’t hep but think that these seemingly numerous security flaws are a product of proprietary software development. There is the old “many eyes” idea for software bugs, but even on a standards level. Did Apple not send out an RFC? Isn’t this type of architectural level screw up exactly what you want to avoid with an RFC?

I’m glad Apple are taking the privacy issue to heart, but for every inch we’ve won in privacy, we lost an inch in openness and interoperability. Apple is perhaps one of the worst offenders when it comes to vendor lock-in.

I use almost only Apple products out of sheer laziness (and honestly inertia.) At least their war with Qualcomm and NVIDIA creates some competition in their respective markets...

[adestefan]

The “many eyes” hypothesis is routinely debunked when severe security bugs are found in things like the Linux kernel that have been there for years. The same is true for standards that end up being fundamentally broken at later dates. In the end software and hardware is so overly complicated that we cannot currently build secure systems.

[imglorp]

Debunked is a loaded term.

It's a tradeoff. The point is not MANY eyes, it's ANY eyes. Proprietary software has NO public eyes on it, zero, and the vendor must (1) report to you promptly when there's a new vulnerability, (2) produce a fix for it. Most vendors do neither until forced. How many undisclosed vulns does your vendor have? You'll never know.

Of course FLOSS has bugs, it's software, and ALL software has bugs. In the FLOSS case you know what everyone else knows, AND you can fix them, hire someone to do it, or choose not to use the software, all with that knowledge.

[jodrellblank]

> Proprietary software has NO public eyes on it, zero

If that were true, security flaws would never be found in proprietary software by outsiders. And they are, so it's not true. Eyes have less visibility into the codebase, but people are looking and do find flaws.

> How many undisclosed vulns does your vendor have? You'll never know.

How many undisclosed vulns does RedHat, Canonical, or Mozilla have in their FLOSS software? You'll never know.

> Of course FLOSS has bugs, it's software, and ALL software has bugs.

Then "many eyes makes bugs shallow" is at least partly debunked and your "ANY eyes make bugs shallow" is debunked completely - otherwise the original developers would see every bug, in FLOSS and proprietary software.

> In the FLOSS case you know what everyone else knows

There may be bugs which nobody knows about. The claim "many eyes make bugs shallow" suggests that open source software has more eyes on the code, and that having more eyes on the code is all it takes to reduce bugs. OpenSSL turned out to have very few eyes on the code, and it wouldn't be too surprising if codebases with many eyes on them had the developers focused on the bits they were developing and not looking for security flaws.

[whoopdedo]

Complexity counteracts the many eyes principle. That doesn't invalidate it. A large codebase that is difficult for one person to read will bury a bug for the same reason being open source reveals it.

What you're falling to is the selection bias because bugs in open source software are more often publicised than when a private team discovers something and patches it without telling anyone. Same as an open source bug being fixed quietly. Like the so-called VLC vulnerability that turned out to be the fault of the tester's out of date system library that had already been fixed upstream.

[pbhjpbhj]

>The “many eyes” hypothesis is routinely debunked when severe security bugs are found in things like the Linux kernel that have been there for years. //

Surely to debunk the theory you have to show that fewer bugs are in proprietary software of the same vintage?

AFAIK the many eyes hypothesis is that: as time progresses fewer exploitable bugs will exist in software that has the source open for inspection than in comparable closed source software(?).

When an ages old exploit/bug gets patched that is the many eyes principle working; a piece of software can't get more secure (or otherwise improve) without patching old code, surely.

[toxik]

I don't think it's as easy as saying "measles exists therefore vaccines don't work." Do you have actual studies on this that you can cite?

[pritambaral]

It is just as easy, and just as wrong, as saying "measles exists therefore vaccines don't work".

[wadkar]

I would like to read more about this many eyes hypothesis (and its falsification). Could you please share some links for the same?

[toxik]

https://en.m.wikipedia.org/wiki/Linus's_Law This is the term notable hacker Eric S. Raymond (esr) popularized in his seminal work, The Cathedral and the Bazaar. Read it if you care at all about software engineering processes.

I don’t, so I didn’t.

[tinus_hn]

If you allow anyone to send you files over the air without authenticating you or them, there is no way to prevent the files from being modified in transit.

[atombender]

There's also this 2018 paper by the same authors: "One Billion Apples’ Secret Sauce: Recipe for the Apple Wireless Direct Link Ad hoc Protocol" [1]. Not sure which paper came first.

[1] https://arxiv.org/pdf/1808.03156.pdf

[HNcantBtrustd]

FOSS may have downsides, for instance it's free, but doesn't have iTunes built in.

I consider both of these advantages, but some users don't. I consider the benefits of open source far exceeds the perceived benefits of Apple's Ecosystem.

Maybe as developers it's important to teach our Apple Peers the problems they perpetuate by paying for walled gardens.

[oarsinsync]

What about your apple peer developers, who have made a deliberate and conscious choice to use Apple devices in their day to day life, and stable open source solutions in production / deployment environments?

Some of us used to live in the FOSS garden, and decided to trade extra money in exchange for receiving a lot of time back and a shiny finish. Everyones values vary.

[HNcantBtrustd]

I don't think your premise that you are saving time is correct.

Apple advertises similar to Luxury car buyers to make you believe you are getting a high quality product. But it's going to be really hard to prove things are quicker.

[opless]

I think the apple experience is friction-less for their target market.

Live in their ecosystem, and everything 'just works'. Watch, Phone, Tablet, Laptop.

Linux/Windows you don't quite have that level of integration ...

You expect more from luxury items than with a $300 windows/linux laptop, a $100 fitbit, or a $200 android tablet - good luck with getting a similar level of interoperability between them...

[JetSpiegel]

To be pedantic, the integration outside of Apple's ecosystem is available for the cognoscenti. Not for the masses.

[chipotle_coyote]

I know you didn't explicitly say "you only use Apple products because you've been suckered in by advertising," but it's hard not to take it as the subtext, and it's something that's long rubbed me the wrong way.