Lion and iOS 5

07 Jun 2011 Chengyu Song security

Today Apple unveiled the next generation of OS X, Lion, and the new iOS 5. Among the features, I’m concerned about two: AirDrop and iCloud.

My worry about AirDrop comes from its automatic discovery ability. While services like Bonjour also have automatic discovery, they are passive. AirDrop, by contrast, is active: it allows a user to send (drop) a file to another user. Sounds pretty convenient. But this reminds me of the old Bluetooth worms. Although saving a file requires the user’s permission, the worm continually pings the victim to ‘drop’ the file, and most users will then get annoyed and permit the saving. So without further restriction, I would say AirDrop opens a new door for worms. Cheers!

Another concern is iCloud. As mentioned in this paper at Oakland ’11, the old Hiptop/T-Mobile attack may happen again. Apple has failed once at protecting users’ accounts, and most users are not good at choosing strong passwords. So this time they don’t need to steal the top stars’ phones to get those photos; they just need to get their user accounts, and Apple will automatically push those photos to them.

Hope this is just my paranoia. Good luck, Apple.