Not long after the update to fix the goto fail SSL issue with iOS came out, we’re greeted by a new update. Enter, iOS 7.1.

One interesting piece that I noticed is that there is a password disclosure problem with the Apple TV. The problem is in the Apple TV applications. Detailed data is written to the log file, including a hex dump of the configuration, which contains the Wi-Fi and iTunes passwords in clear text. The issue was discovered by David Schuetz of the Intrepidus Group.

From the Intrepidus Advisory:

In the case of the Apple TV unit, the data are generally written to the log two or even three times: First, the raw encrypted data as received from the mobile device, then the decrypted, yet compressed, plaintext of that data, and then finally the uncompressed data itself.

The decompressed data containing configuration information required to complete the Touch Setup process is provided as a binary property list (plist). The plist contains, among other data, the following information:

AppleID (iTunes account) information:

* First Name
* Last Name
* AppleID (email address)
* Password

Local Wi-Fi information:

* SSID
* Password

I see that Apple has the patches available and this interesting missive on their page: “For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

Hmm.

I’ve wondered why people have not spent more time targeting these devices in the past. They may very well have and I had just missed it, but it seems like a perfect candidate. If attackers are willing to go after refrigerators, then why not these almost-always-on devices?

Patch your Apple TV as soon as possible.
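The advisory's description (hex-dumped configuration in the log, ending in a binary plist with password fields) is something a log audit can check for. The script below is an added example, not code from the advisory or from Apple: it scans log lines for hex runs that decode to a binary plist and reports which credential-bearing keys were logged, without printing their values. The log line layout, the key names and the sample values are constructed assumptions.

```python
import plistlib
import re

# Assumption: the logger emits payloads as contiguous hex; require 16+ bytes to cut noise.
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){16,}")
BPLIST_MAGIC = b"bplist00"  # header of every binary property list
# Assumption: substrings that mark a key as credential-bearing.
SENSITIVE = ("password", "passphrase", "psk", "secret", "token")

def walk(obj, path=""):
    """Yield (key_path, value) for every leaf in a decoded plist."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}/{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, obj

def find_logged_secrets(lines):
    """Return (line_no, key_path) for each sensitive plist key found in hex-dumped log data."""
    hits = []
    for no, line in enumerate(lines, 1):
        for m in HEX_RUN.finditer(line):
            raw = bytes.fromhex(m.group())
            start = raw.find(BPLIST_MAGIC)
            if start < 0:
                continue
            try:
                doc = plistlib.loads(raw[start:], fmt=plistlib.FMT_BINARY)
            except Exception:
                continue  # truncated dump or trailing bytes: not parseable as a plist
            for key_path, value in walk(doc):
                if value and any(s in key_path.lower() for s in SENSITIVE):
                    hits.append((no, key_path))  # report the key only, never the value
    return hits

def constructed_sample_log():
    """Constructed log lines; key names and values are made up for this example."""
    cfg = {"AppleID": {"FirstName": "Test", "Email": "user@example.com", "Password": "not-a-real-password"},
           "WiFi": {"SSID": "ExampleNet", "Password": "also-not-real"}}
    blob = plistlib.dumps(cfg, fmt=plistlib.FMT_BINARY).hex()
    return ["12:00:01 setup: session started id=deadbeef",
            f"12:00:02 setup: uncompressed data <{blob}>",
            "12:00:03 setup: complete"]

if __name__ == "__main__":
    for no, key in find_logged_secrets(constructed_sample_log()):
        print(f"line {no}: credential field {key} present in log")
```
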
(Image used under CC from _zand)