Security Through Obscurity
Tomorrow Apple is holding its big media event to debut the new iPhone, Apple TV, and Apple Watch. Unfortunately, the details of these products were leaked. According to John Gruber, a disgruntled Apple employee obtained the URLs to the device “golden master” firmware and sent the URL list to 9to5Mac and MacRumors. This leak isn’t going to hurt Apple’s bottom line. Its stock price was up 1.81% today. However, the leak knocks the anticipation and surprise out of the presentation. These events have long been an important part of Apple’s marketing strategy.
So what went wrong? Quite simply, Apple relied on security through obscurity to protect this firmware. In short, someone at Apple thought that a very long, unguessable URL would prevent the software from leaking. As any information security practitioner knows, security through obscurity doesn’t provide any security at all. It’s the equivalent of saving your financial documents in a cookie recipe folder, hoping that no one will find them. Or putting your house key in a potted plant next to the front door. Hiding something doesn’t make it secure. I doubt that Apple’s security engineers had anything to do with this mishap. Apple has world-class security talent. I’m guessing that a step in the software release process was bypassed or perhaps the process didn’t receive the scrutiny that it should have.
This error will never happen again at Apple. The lesson has been learned. For most companies, top-secret intellectual property is never going to be placed on an internet-facing server. It’s going to be put in a protected network segment (or even air-gapped), leveraging strong access control, audit logs, data loss protection, and encryption.
Here’s hoping for an entertaining show tomorrow, despite the leaks!