Updating to 10.9.2 for security reasons, but the biggest backdoor is still there [updated]
So even if 10.9.2 removes "goto fail", one wonders which interesting new security problems it will bring me. After all, Obama really needs all the information he can get.
Another question I asked myself was: is Software Update actually contacting Apple's servers, or am I being served a compromised update with even more security holes by the NSA?
No HTTPS, no certificates
Hmm, so let's see: is the download going through HTTPS? I doubt it; downloads from support.apple.com are all over HTTP, and HTTPS isn't even supported by the servers. So there is no certificate with which to check that I am really talking to swcdn.apple.com or support.apple.com, meaning a poisoned DNS entry (or anyone on the path who can rewrite plain HTTP) could send me to fake servers and substitute the file.
Who serves me the update?
Little Snitch tells me I am actually downloading from
    swcdn.apple.com.c.footprint.net

    Server:     192.168.2.1
    Address:    192.168.2.1#53

    Non-authoritative answer:
    Name:   swcdn.apple.com.c.footprint.net
    Address: 4.23.39.254
    Name:   swcdn.apple.com.c.footprint.net
    Address: 207.123.48.126
    Name:   swcdn.apple.com.c.footprint.net
    Address: 4.23.38.254
tcpdump says I am getting the packets from 8.27.133.254, which is not one of the three addresses the resolver returned. And what does traceroute say?
    kempe:~ nat$ sudo /usr/sbin/traceroute 8.27.133.254
    traceroute to 8.27.133.254 (8.27.133.254), 64 hops max, 52 byte packets
     1  192.168.2.1 (192.168.2.1)  0.806 ms  0.725 ms  0.615 ms
     2  fabian (192.168.1.1)  1.937 ms  1.878 ms  1.624 ms
     3  fritz.box (192.168.5.248)  2.214 ms  2.199 ms  2.248 ms
     4  xxxx-xxxx-de0x.nw.mediaways.net (x.x.x.x)  713.684 ms  829.704 ms  652.302 ms
     5  xxxx-xxxx-de0x-chan-xx.nw.mediaways.net (x.x.x.x)  26.494 ms  25.655 ms  27.233 ms
     6  xxxx-xxxx-de0x-xe-0-x-x.nw.mediaways.net (62.53.2.140)  66.522 ms  239.739 ms  497.485 ms
     7  rmwc-dsdf-de02-xe-1-0-3-0.nw.mediaways.net (62.53.1.222)  620.301 ms
        rmwc-dsdf-de02-xe-0-1-0-0.nw.mediaways.net (62.53.1.220)  737.256 ms  896.806 ms
     8  xmwc-dsdf-de02-chan-5.nw.mediaways.net (62.53.0.161)  31.221 ms  32.206 ms  31.614 ms
     9  dialup-212.162.17.145.frankfurt1.mik.net (212.162.17.145)  912.939 ms  909.899 ms  917.762 ms
    10  vl-3105-ve-135.ebr1.dusseldorf1.level3.net (4.69.161.161)  971.423 ms  1012.815 ms  1002.612 ms
    11  ae-1-3102.edge4.dusseldorf1.level3.net (4.69.161.138)  997.428 ms  62.026 ms  70.390 ms
    12  * * *
    13  * * *
    14  * * *
    15  * * *
dialup-212.162.17.145.frankfurt1.mik.net, WTF?
I just love to see a router with a name like dialup-212.162.17.145.frankfurt1.mik.net in a traceroute. Predictably, given that name, it is also pushing the ping times up to close to a second. Now obviously something is going wrong there, accidentally or on purpose. Who is mik.net? According to who.is it is just an American parked domain and always has been. Why would they have a reverse-lookup IP and be situated in Frankfurt? Why not, it's a global world.. :)
Let's make another traceroute from a different machine:
    root@muller:/home/nat # traceroute 8.27.133.254
    traceroute to 8.27.133.254 (8.27.133.254), 64 hops max, 52 byte packets
     1  static.1.30.9.5.clients.your-server.de (5.9.30.1)  1.214 ms  1.407 ms  0.742 ms
     2  hos-tr4.juniper2.rz16.hetzner.de (213.239.223.225)  0.503 ms
        hos-tr2.juniper1.rz16.hetzner.de (213.239.222.97)  10.624 ms
        hos-tr3.juniper2.rz16.hetzner.de (213.239.223.193)  53.773 ms
     3  core21.hetzner.de (213.239.245.93)  0.385 ms
        core22.hetzner.de (213.239.245.133)  0.444 ms
        core21.hetzner.de (213.239.245.93)  0.604 ms
     4  core11.hetzner.de (213.239.245.225)  3.108 ms
        core12.hetzner.de (213.239.245.29)  4.215 ms
        core12.hetzner.de (213.239.245.214)  3.172 ms
     5  juniper4.rz2.hetzner.de (213.239.245.26)  3.125 ms  3.200 ms
        juniper4.rz2.hetzner.de (213.239.203.138)  3.051 ms
     6  ae55.edge7.Frankfurt1.Level3.net (195.16.162.253)  7.484 ms
        ae51.bar2.Munich1.Level3.net (62.140.25.101)  9.544 ms  9.626 ms
     7  vlan80.csw3.Frankfurt1.Level3.net (4.69.154.190)  11.282 ms
        ae-18-18.ebr2.Berlin1.Level3.net (4.69.153.250)  25.528 ms
        vlan90.csw4.Frankfurt1.Level3.net (4.69.154.254)  11.273 ms
     8  ae-63-63.ebr3.Frankfurt1.Level3.net (4.69.163.1)  11.493 ms
        ae-28-28.ebr2.Dusseldorf1.Level3.net (4.69.200.173)  19.093 ms
        ae-63-63.ebr3.Frankfurt1.Level3.net (4.69.163.1)  11.464 ms
     9  ae-2-3202.edge4.Dusseldorf1.Level3.net (4.69.161.142)  18.994 ms
        ae-45-45.ebr1.Dusseldorf1.Level3.net (4.69.143.165)  11.486 ms
        ae-2-3202.edge4.Dusseldorf1.Level3.net (4.69.161.142)  18.954 ms
    10  ae-1-3102.edge4.Dusseldorf1.Level3.net (4.69.161.138)  11.355 ms * *
    11  * * *
    12  * * *
No mik.net there. So everything converges at ae-1-3102.edge4.Dusseldorf1.Level3.net (4.69.161.138). Note that in both traces the probes stop being answered right after that hop, so neither trace actually shows the final hops to 8.27.133.254; the stars only tell us that whatever sits behind that Level3 edge does not answer traceroute probes.
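The two checks the post does by eye, comparing the tcpdump peer against the resolver's answers and picking out the odd hop in the traceroute, are easy to script. The following is an added example, not code from the post: it parses nslookup-style and BSD-style traceroute output, reports whether the observed peer was among the resolver's answers, and flags hops whose PTR name looks like an access line or where every probe was slow. The sample texts are constructed to match the output quoted above; the 500 ms threshold, the word list and all function names are this example's own assumptions.

```python
"""Added example (not from the post): parse the resolver answer and traceroute
output quoted above and apply the two sanity checks the post does by eye:
is the address tcpdump saw among the resolver's answers, and which hops look
out of place. Sample texts are constructed to match the post's output; the
threshold and word list are this example's own assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed sample: the nslookup-style answer from the post.
NSLOOKUP_OUTPUT = """\
Server:\t\t192.168.2.1
Address:\t192.168.2.1#53

Non-authoritative answer:
Name:\tswcdn.apple.com.c.footprint.net
Address: 4.23.39.254
Name:\tswcdn.apple.com.c.footprint.net
Address: 207.123.48.126
Name:\tswcdn.apple.com.c.footprint.net
Address: 4.23.38.254
"""

# Constructed sample: selected hops from the post's first traceroute.
TRACEROUTE_OUTPUT = """\
traceroute to 8.27.133.254 (8.27.133.254), 64 hops max, 52 byte packets
 1  192.168.2.1 (192.168.2.1)  0.806 ms  0.725 ms  0.615 ms
 2  fabian (192.168.1.1)  1.937 ms  1.878 ms  1.624 ms
 7  rmwc-dsdf-de02-xe-1-0-3-0.nw.mediaways.net (62.53.1.222)  620.301 ms rmwc-dsdf-de02-xe-0-1-0-0.nw.mediaways.net (62.53.1.220)  737.256 ms  896.806 ms
 9  dialup-212.162.17.145.frankfurt1.mik.net (212.162.17.145)  912.939 ms  909.899 ms  917.762 ms
11  ae-1-3102.edge4.dusseldorf1.level3.net (4.69.161.138)  997.428 ms  62.026 ms  70.390 ms
12  * * *
"""

ADDR_RE = re.compile(r"^Address:\s*(\S+)$", re.MULTILINE)
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
NAME_IP_RE = re.compile(r"(\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)")
RTT_RE = re.compile(r"(\d+(?:\.\d+)?) ms")


def parse_nslookup(text: str) -> Set[str]:
    """A records from the answer section. The 'Address: x#53' line is the
    resolver itself, not an answer, and is skipped."""
    return {a for a in ADDR_RE.findall(text) if "#" not in a}


def peer_in_answers(peer_ip: str, answers: Set[str]) -> bool:
    """Was the address tcpdump saw packets from among the resolver's answers?
    A CDN may hand out different addresses over time, so a mismatch is a
    prompt to look closer (re-resolve, check PTR/whois), not proof of tampering."""
    return peer_ip in answers


@dataclass
class Hop:
    number: int
    names: List[Tuple[str, str]] = field(default_factory=list)  # (hostname, ip)
    rtts_ms: List[float] = field(default_factory=list)


def parse_traceroute(text: str) -> List[Hop]:
    """One Hop per numbered line; a hop that answered from several addresses
    (BSD traceroute prints them on the same line) keeps all of them."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or blank
        hop = Hop(int(m.group(1)))
        hop.names = NAME_IP_RE.findall(m.group(2))
        hop.rtts_ms = [float(r) for r in RTT_RE.findall(m.group(2))]
        hops.append(hop)
    return hops


def flag_hops(hops: List[Hop], rtt_threshold_ms: float = 500.0,
              suspicious=("dialup", "ppp", "dsl")) -> List[Tuple[int, str]]:
    """Flag hops whose PTR name suggests an access line rather than a backbone
    router, and hops where *every* probe exceeded the threshold (a single slow
    probe, as on hop 11 above, is usually just ICMP rate limiting)."""
    findings = []
    for hop in hops:
        for name, ip in hop.names:
            hit = next((w for w in suspicious if w in name.lower()), None)
            if hit:
                findings.append((hop.number, f"{name} ({ip}): name contains '{hit}'"))
        if hop.rtts_ms and min(hop.rtts_ms) > rtt_threshold_ms:
            findings.append((hop.number, f"all probes above {rtt_threshold_ms:.0f} ms: {hop.rtts_ms}"))
    return findings


if __name__ == "__main__":
    answers = parse_nslookup(NSLOOKUP_OUTPUT)
    print("resolver answers:", sorted(answers))
    print("tcpdump peer 8.27.133.254 in answers:", peer_in_answers("8.27.133.254", answers))
    for hop_no, reason in flag_hops(parse_traceroute(TRACEROUTE_OUTPUT)):
        print(f"hop {hop_no}: {reason}")
```

Two caveats on reading the result. The hop name comes from the PTR record of the hop's own address, so a misleading or stale PTR (a parked domain with a "dialup" name, as here) says something about whoever controls that reverse zone, not necessarily about where the packets go; the stronger signal is whether the hops before and after it are the ones you would expect, which is why the second trace from another network is the better comparison. And with a CDN behind a CNAME, a download peer that is not in the current A-record set is worth a second lookup and a whois before it is called a diversion.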
Transparent Level3 proxy for opacity
swcdn.apple.com.c.footprint.net is a subdomain under c.footprint.net; footprint.net itself is a domain used by Level3. The server at c.footprint.net is apparently some kind of Apache server running the Foot Print Managed Cache Protocol (FPMCP 4.8).
This presumably acts as a caching proxy for swcdn.apple.com, redirecting and/or caching the traffic. Since swcdn.apple.com resolves to that footprint.net name, the client is sent to Level3's cache by DNS rather than having its traffic intercepted on the wire, but the effect is the same: the bytes come from Level3, not from Apple.
No proxy and no mik.net with support.apple.com
    kempe:~ nat$ sudo /usr/sbin/traceroute supportdownload.apple.com
    Password:
    traceroute: Warning: supportdownload.apple.com has multiple addresses; using 2.16.218.146
    traceroute to a781.gi3.akamai.net (2.16.218.146), 64 hops max, 52 byte packets
     1  192.168.2.1 (192.168.2.1)  0.863 ms  0.830 ms  0.728 ms
     2  fabian (192.168.1.1)  1.993 ms  1.859 ms  2.047 ms
     3  fritz.box (192.168.5.248)  2.049 ms  2.192 ms  1.981 ms
     4  xxxx-xxxx-de0x.nw.mediaways.net (x.x.x.x)  713.684 ms  829.704 ms  652.302 ms
     5  xxxx-xxxx-de0x-chan-xx.nw.mediaways.net (x.x.x.x)  26.494 ms  25.655 ms  27.233 ms
     6  xxxx-xxxx-de0x-xe-0-x-x.nw.mediaways.net (62.53.2.140)  66.522 ms  239.739 ms  497.485 ms
     7  rmwc-dsdf-de02-xe-0-1-0-0.nw.mediaways.net (62.53.1.220)  106.696 ms  106.996 ms  102.321 ms
     8  rmwc-dsdf-de01-chan-6-0.nw.mediaways.net (62.53.1.92)  85.159 ms  107.993 ms  102.052 ms
     9  213.140.50.148 (213.140.50.148)  102.359 ms
        xe4-0-3-0-grtdusix1.253.52.176.in-addr.arpa (176.52.253.169)  103.872 ms
        213.140.50.148 (213.140.50.148)  103.209 ms
    10  xe-5-1-3-0-grtfraix4.red.telefonica-wholesale.net (94.142.120.250)  106.925 ms  99.661 ms
        so3-1-2-0-grtfraix4.red.telefonica-wholesale.net (94.142.121.6)  106.702 ms
    11  172.52.252.174 (172.52.252.174)  98.832 ms  101.219 ms  97.487 ms
    12  a2.18-218-146.deploy.akamaitechnologies.com (2.16.218.146)  107.367 ms  95.680 ms  106.963 ms
But in the end, I have no idea what I am being served. "Software Update" is a giant backdoor that no one talks about.
Using Software Update to destroy a machine
Coincidentally, just a day after I posted this, someone presented an attack on Macs using fake firmware, which I assume was delivered via Software Update: RSA security attack demo deep-fries Apple Mac components.
Nice.