The OpSec Blog

Security and privacy information and advice at home and abroad.

Side Channel Information: Peeling Back Apple, Inc.’s Secrecy

leave a comment »

Side channel information is usually discussed in the context of attacking cryptographic systems with means other than attacking the algorithm itself.  In the larger picture, side channel information can be used to alert an adversary or questioning mind of anything from military plans (like the Pentagon ordering thousands of pizzas leading up to major military efforts) to a company’s business plans.

Apple, Inc. is arguably the most secretive business in history.  With billions of dollars at stake and a virtual stranglehold on several markets, its corporate security is the envy of competitors and governments alike.  While hard evidence of Apple’s latest and greatest device is rare, here are several examples of how side channel information helps paint a pretty clear picture of Apple’s intentions and future areas of innovation.Perusing Apple’s corporate job listings provides numerous clues on where the company is headed.  The latest example of a job posting giving away major plans was back in February when 9to5 Mac noticed a position opening for a power supply engineer.  “The position primarily involves high-density offline power supply’s development for Apple’s next generation Macintosh platforms spanning from notebook computers, desktop computers, servers, standalone displays and TV.”  Currently, Apple does not offer stand-alone TV sets.  Other telling job postings elude to iOS on devices other than the iPhone, iPod, and iPad, video recording on future iPad models, and more powerful ARM processors, all of which have come to fruition in one form or another.

Speculation about Apple products also centers on when new products will hit the shelves.  Apple’s nondisclosure habits drive informed buyers up the wall; especially those who don’t want to spend top dollar on a piece of technology that will be outdated a week after they buy it.  For major product releases, a great indicator in recent years has been the holiday restrictions on employees at Apple Retail Stores, AT&T stores, and more recently Verizon and Sprint stores.  With demand for Apple products at all time highs, retailers obviously do not want to be short-staffed during a major product release.  While vacation blackouts are not enough to give away exactly what product is being released or updated, it’s enough to convince the smart consumer to hold off for another week.

Supply chain indicators can often start the buzz about product refreshes.  It’s been well established that Apple stops production of products several weeks before updating them, causing an increase in shipping time (implied low supply) from various retailers.  In addition, Apple’s massive purchases of essential electronic components for their devices like flash memory and displays can give away technical specifications of new releases.

Product appearance for Apple mobile products is often eluded to in leaked case designs.  Dimensions are sent to case manufacturers ahead of the release so they can put cases on sale immediately after launch.  Unfortunately for Apple, their business partners often don’t emulate their security measures and case photos have leaked on a very consistent basis (iPhone 5, iPhone 3GS, iPhone 3G, iPod Nano, iPad).  Other lapses in corporate security include posting stock keeping unit (SKU) codes online before the official release and numerous product pages updating to show the new product (by accident) ahead of time.

Another more recent trend is to dig through various code to see if there are any variables with revealing names.  A preference file (plist) found in a version of the iOS SDK revealed that the new iPad model would have a rear-facing camera.  This also happens to other companies, portending things like Google Games and features to be included in Amazon’s new tablet.

These are just some of the more common types of “side channel” information about Apple that, when paired with what firm information one can find about Apple’s plans, can help those interested get a better idea of what direction Apple is moving in or what the next big release will include.  As is usually the case, lone tidbits are virtually useless, but when when paired with complementary information or corroborated by an independent source become much less of a “Mac rumor” and much more of a reality.

When the stakes are raised in the arena of global politics, side channel vulnerabilities can have devastating consequences.   In a well-known, declassified example, the Soviet Union captured and analyzed signals from IBM Selectrix typewriters in the American Embassy in Moscow which they were able to convert back into the letter being typed through electronic analysis.  This allowed them to circumvent the elaborate cryptography being used to keep the message’s contents from being compromised.  Security professionals must be aware that the obvious vulnerability (aka the one being mitigated with countermeasures) is not always the one being exploited.

Advertisements

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: