After much criticism about the security of Apple’s Back to My Mac feature in Mac OS X Leopard, Apple has posted a guide that details the security issues, and what steps users should take to secure their systems while using the service.
Back to My Mac combines several network technologies to ease remote access to a Mac. It uses VNC Screen Sharing technology, combined with complex NAT technology, to bypass common problems with accessing remote desktops. The service requires .Mac, and this is actually one of the times the .Mac service is offering something exclusive (the .Mac servers handle NAT translation in lieu of more-complicated dynamic DNS processing… in other words, it does a better job than the existing stuff).
However, Back to My Mac has major security concerns. Namely, anyone with your .Mac login and password can log in to all computers under your .Mac account… remotely, of course. This is in part because, unlike Windows Remote Desktop, Mac Screen Sharing does not associate a screen sharing session with a login token. That association is what lets Windows have multiple users remotely accessing the same computer, each with their own secure account. The Mac cannot do this; whoever is logged in has their screen shared… all someone needs is to borrow the .Mac login and password.
To work around this issue, Apple has posted a support article, aptly titled “About Back to My Mac security”…
The take-home messages from this article are:
1) Enable the Security option (in System Preferences) to “Require password to wake this computer from sleep or screen saver”. Once the screen goes dark (after you walk away from your computer), it will lock. A Screen Sharing session would then require password entry, or give the option to go to the Login Window and enter a different password. It won’t let a remote user have their own account while someone is at the same computer’s desktop, however… anything in the screen sharing session will be replicated on the physical display.
2) Lock the keychain when away from your computer. Now, this one is pretty cheap in terms of security. You shouldn’t have to lock your keychain if the remote session is actually secure from unwanted login attempts. Also, if someone were to gain access to a logged-in user, locking the keychain would only protect keychain passwords, not your important documents.
3) Harden your .Mac password by making it complex… if you’re using Back to My Mac, your system’s security may depend on it.
4) Lock your screen before getting up from your computer (basically a repeat of Step 1, but will protect your account from that period of time before the screen auto-locks).
5) Disable automatic login for any account that has .Mac associated with it on the computer (similar to steps 1 and 4… but to prevent a totally logged-off system from auto logging-in with a compromised .Mac account).
6) Before disconnecting a Back to My Mac session… you guessed it, lock the screen… so someone else can’t get in after you.
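Steps 1 and 5 can be checked from Terminal instead of clicking through System Preferences. The script below is an added example, not part of Apple's article or the original post; it assumes the settings are stored under the `askForPassword` key of the per-host `com.apple.screensaver` domain and the `autoLoginUser` key of `/Library/Preferences/com.apple.loginwindow`, and the function names are made up for illustration.

```shell
#!/bin/sh
# Audit two Back to My Mac hardening settings (steps 1 and 5 above).
# Assumed preference keys (not named on the page): askForPassword and
# autoLoginUser, read with defaults(1) on the Mac being audited.

# check_lock VALUE: succeeds when a password is required on wake.
check_lock() {
    case "$1" in
        1) echo "OK: password required to wake from sleep or screen saver"; return 0 ;;
        *) echo "FAIL: no password required on wake (step 1)"; return 1 ;;
    esac
}

# check_autologin VALUE: succeeds when no auto-login user is configured.
check_autologin() {
    if [ -z "$1" ]; then
        echo "OK: automatic login disabled"; return 0
    fi
    echo "FAIL: automatic login enabled for '$1' (step 5)"; return 1
}

# audit ASK_FOR_PASSWORD AUTO_LOGIN_USER: runs both checks, fails if either fails.
audit() {
    rc=0
    check_lock "$1" || rc=1
    check_autologin "$2" || rc=1
    return $rc
}

# read_pref ARGS...: prints the preference value, or nothing if the key is unset.
read_pref() {
    defaults "$@" 2>/dev/null || true
}

if command -v defaults >/dev/null 2>&1; then
    audit "$(read_pref -currentHost read com.apple.screensaver askForPassword)" \
          "$(read_pref read /Library/Preferences/com.apple.loginwindow autoLoginUser)" \
        || echo "One or more Back to My Mac hardening checks failed"
else
    echo "defaults(1) not found; run this on the Mac being audited"
fi
```

The screen saver setting is per user, so run it as each account that has .Mac configured.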
Of course, to pull off the security breach, even under the worst of circumstances, someone needs to get your .Mac login and password. That’s not hard to do in an era of keyloggers, prying eyes, spyware, etc. And don’t forget about .Mac password recovery: pretexting to gain access through it is always a possibility. However, by following the steps above, you can make your computer secure even if someone gets that information.
My moral of the story: Apple needs to enable remote sessions that don’t capture the screen… and before Mac OS X Kitten (okay, 10.6 until they pick a cat). This is a case-in-point of Apple making an excellent front-end for an existing open source product (VNC), and then not backing it up with modifications to CoreServices (the core of Mac OS X) to make it safe, secure, and reliable.