Security Review: iTunes DAAP Authentication

By justine at 10:57 am on March 13, 2009

I am, at the moment of writing this, sitting in Cafe Solstice on the Ave. There are probably about a dozen computers in here, and judging from my neighbor’s screen, 4 of them are running iTunes with the “sharing” feature (via Apple’s Digital Audio Access Protocol – DAAP) turned on, which allows them to stream audio files off each other’s computers, but not to download them. What’s to stop these young coffee-drinkers from forming their own small-scale (illegal) filesharing network? DAAP’s authentication mechanisms, which have grown increasingly secure with successive versions of iTunes, have yet to be broken in their latest form.

Previous authentication protocols integrated into DAAP used either an MD5 hash or a custom hashing algorithm to encrypt the streaming music. Both methods were later cracked, leading to programs such as OurTunes, which allowed listeners on the network to save the mp3s made available over DAAP to their hard drives. Programs like this were extremely popular on large public networks like those at universities.

The current version forces the connecting hosts to authenticate through an Apple-controlled Certificate Authority, which can then exchange trusted public keys. This effectively blocks third-party applications (like OurTunes) from participating in iTunes file sharing. Because the official iTunes application does not permit saving the shared files, the mp3 sharing is effectively blocked.

Assets/Security Goals:

* The assets involved are the audio files on the users’ computers. Users themselves, who have the option of turning sharing “off” or “on”, aren’t really the focus of this encryption functionality; intellectual property owners are worried about rampant copying of their files without receiving compensation for their works. The goal is really to protect copyrighted material from being copied – and along the way, all material is encrypted and blocked from download, regardless of copyright status or the user’s intent.
* Still, it is important to keep in mind the assets on the user’s computer. Having done a lab on network security, we all now know the risks of allowing an external computer to provide commands to or access data from a secured machine. It is important to make sure that all files on the computer that are not supposed to be shared are secured from external access, and furthermore, that no one can provide commands to or take control of the machine.

Adversaries/Threats:

* Large-scale piracy operations don’t really operate through iTunes. The big threat for mp3 theft is lazy, normal people, unwilling to pay for music if they can get it for free across the network.
* As far as the security of other files and the user’s machine goes, the adversary is any hacker with malicious intent who may want to steal the user’s data, or just mess with their computer.

Weaknesses:

* So far, it’s quite difficult to see any weaknesses – this version of encryption has been out for some time and has yet to be broken. Still, while the usage of the CA is theoretically secure, all implementations are written by imperfect humans. It may be that there is a bug somewhere or a potential hack. Perhaps there will be a way to spoof as a valid iTunes client and register with the CA. Perhaps there will be a flaw allowing a third-party machine to spoof as a CA and provide keys to invalid clients. Perhaps by intercepting the packets for key exchanges enough times, hackers will learn about proprietary algorithms being used and find a weakness in that. It’s yet to be seen.

Potential defenses:

* The community trying to break the DAAP encryption is rather public about their efforts – and when a client is released, it will be rather easy to see what flaws they are exploiting. No doubt, Apple is already watching reports as they show up online, and allowing the real hackers to investigate flaws for them – which Apple can rapidly patch through automatic updates.
* Artists obsessed with being paid for every single mp3 they release could just stop releasing CDs and recorded music, or playing music at all. That way their fans will stop trying to steal it.

Evaluation:

DAAP so far has been frustratingly secure! Not only can I not steal mp3s from my neighbors in the coffee shop, but I can’t even listen to their music streaming, because iTunes isn’t available for Linux.
