Today at the HIMSS symposium on Medical Device Security Risks and Challenges, I had a conversation about physicians who demand BYOD products like iPads for delivery of patient care. There is nothing fundamentally wrong with considering the benefits of BYOD; what is wrong is blind faith and overconfidence in the trustworthiness of software. This conversation took place in the context of the critical security flaw across several Apple products, which Apple is scrambling to patch. The flaw allows a network adversary (anyone positioned between the device and the server, such as the operator of a hostile Wi-Fi access point) to mount a "man in the middle" attack, effectively defeating the security normally provided by SSL/TLS (in layperson's terms: that little lock symbol in your web browser). You can visit GOTOFAIL.com with your web browser to test for this particular flaw. Some organizations are recommending that people not use Apple Mail or the Safari web browser on wireless networks until Apple releases a MacOS patch.
The consequences range from invasion of privacy (a network adversary reading the mail you send and receive and the pages you browse) to outright compromise (capturing long-term secrets, authentication cookies, and passwords transmitted from an unpatched device, or tampering with the content the device receives). What might be most disturbing is how fragile our computing systems are. A single duplicated line of code, an unconditional "goto fail;" that makes the handshake skip verification of the server's signature, appears to have turned SSL-protected communication into unprotected communication. Things to ponder:
- All software has security and privacy risk. Consider the consequences when the rug is pulled out from under your feet.
- Failures are rarely independent. A single flaw in shared code can affect multiple product lines at once (here, the same SSL/TLS library ships in both iOS and Mac OS X), causing havoc with continuity plans.
- "Reasonably secure" and "completely insecure" are indistinguishable at the surface: the lock icon looks exactly the same whether or not the server's signature was actually checked. Manage the risk.
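To make the "single line of code" concrete, here is an added illustration (written for this post, not Apple's SecureTransport source) of the control-flow pattern behind the flaw, beside the corrected form. The hashing and signature routines are toy stand-ins constructed for the example; the only thing that matters is the error-checking chain of "if (...) goto fail;" statements and what happens when one "goto fail;" is duplicated.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-ins for the hash and signature steps (constructed for this
 * example; not Apple's functions). The "hash" is just the concatenated
 * transcript, and a "signature" is valid iff it equals that transcript. */
typedef struct { unsigned char buf[64]; size_t len; } hash_ctx_t;

static int hash_init(hash_ctx_t *ctx) { ctx->len = 0; return 0; }

static int hash_update(hash_ctx_t *ctx, const char *data) {
    size_t n = strlen(data);
    if (ctx->len + n > sizeof ctx->buf) return -1;      /* nonzero = error */
    memcpy(ctx->buf + ctx->len, data, n);
    ctx->len += n;
    return 0;
}

static int verify_signature(const hash_ctx_t *ctx, const char *sig) {
    return (strlen(sig) == ctx->len && memcmp(ctx->buf, sig, ctx->len) == 0) ? 0 : -1;
}

/* Vulnerable shape. The second "goto fail;" is indented as if it belonged to
 * the if, but C has no such rule: it is unconditional. Every later step,
 * including verify_signature(), is dead code, and err still holds the 0 from
 * the last successful hash_update(). Returning 0 means "signature OK". */
int verify_server_key_exchange_vuln(const char *client_random, const char *server_random,
                                    const char *params, const char *sig) {
    hash_ctx_t ctx;
    int err;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, client_random)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, server_random)) != 0)
        goto fail;
        goto fail;                       /* the duplicated line: always taken */
    if ((err = hash_update(&ctx, params)) != 0)
        goto fail;
    err = verify_signature(&ctx, sig);   /* never reached */
fail:
    return err;
}

/* Corrected shape: no stray statement, and braces so that a stray line could
 * not silently change the control flow again. */
int verify_server_key_exchange_fixed(const char *client_random, const char *server_random,
                                     const char *params, const char *sig) {
    hash_ctx_t ctx;
    int err;
    if ((err = hash_init(&ctx)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, client_random)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, server_random)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, params)) != 0) { goto fail; }
    err = verify_signature(&ctx, sig);
fail:
    return err;
}

int main(void) {
    /* A forged ServerKeyExchange: the signature does not match the transcript. */
    const char *bogus_sig = "attacker-chosen";
    printf("vulnerable verifier accepts forged signature: %s\n",
           verify_server_key_exchange_vuln("cr", "sr", "params", bogus_sig) == 0 ? "yes" : "no");
    printf("fixed verifier accepts forged signature:      %s\n",
           verify_server_key_exchange_fixed("cr", "sr", "params", bogus_sig) == 0 ? "yes" : "no");
    return 0;
}
```

The vulnerable verifier returns 0 ("valid") for any signature at all, which is exactly what lets a man in the middle present its own key exchange and complete the handshake while the browser still shows the lock. Two practical checks follow from this: compile with warnings that catch the pattern (GCC 6 and later flag it with -Wmisleading-indentation, and clang has -Wunreachable-code), and, more importantly, keep a negative test in the suite that feeds a bad signature and asserts rejection, because no amount of positive testing would have caught this.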