A new "hack my Mac" challenge has shown that Apple's Mac OS X might not be such a pushover after all, after the challenger's Mac Mini survived a sustained barrage of attacks for the duration of the contest.
Dave Schroeder, an Apple systems engineer at the University of Wisconsin, launched the contest following publicity around an earlier contest, which he regarded as misleading.
The earlier contest, initiated by a Swedish Mac enthusiast, gave user-level accounts to anyone wanting one, allowing a much deeper level of access to the system than would be typical on a real Mac server - much less a consumer system, Schroeder said.
An attacker called "gwerdna" gained root access to the Swedish Mac about two hours after that contest began, and said the system took about half an hour to crack.
Schroeder's PowerPC Mac Mini was running a fully-patched Mac OS X 10.4.5 with two local accounts and SSH and HTTP open in their default configurations. This might be a fairly typical set-up for a server, but "most users of Mac OS X in a consumer or desktop setting will never even enable any of these services at all," Schroeder noted on his Web site.
The SSH service enables remote users to execute commands on a networked computer via the SSH protocol.
Interest was far greater than Schroeder had expected, with traffic to the Mac hitting 30 Mbit/s at one point, he said. Most of the traffic was made up of exploit scripts, SSH dictionary attacks and port scans from tools such as Nessus, Schroeder said.
Overall, the site received almost half a million requests, with 4,000 login attempts via SSH. There were two periods of denial-of-service, but the Mac didn't crash during them, he said.
Indeed, the Mac hadn't been successfully penetrated by the time Schroeder ended the contest on Tuesday night, after 38 hours. Schroeder said the contest shows that, while not perfect, OS X is relatively secure - or at least, is unlikely to fall over when an attacker sneezes on it.
"The general architecture and design philosophy of Mac OS X, in addition to usage of open source components for most network-accessible services that receive intense peer scrutiny from the community, make Mac OS X a very secure operating system," Schroeder said.
He said Apple has become much more responsive to security concerns in recent months, noting that Apple was quick to patch a recent, highly serious bug in the Safari browser.
While the OS X kernel may, as gwerdna claimed, be riddled with unpatched security flaws, attackers typically wouldn't have the opportunity to exploit those flaws without local access to the system - as was granted in the Swedish contest, Schroeder said.
"While local privilege escalation exploits can certainly be dangerous... this isn't very informative with regard to the general security of a Mac OS X machine sitting on the Internet," he said on the Web site.
To the outside world, the only parts of those machines that would be likely to be exposed would be the Apache Web server and SSH, Schroeder said.