More on the new AirPort Extreme
Earlier this week, we wrote about a significant security issue with Apple’s new AirPort Extreme base station. Macworld magazine has published a review of the base station, which doesn’t mention the issue, although the review’s author does mention it in his blog. The review is definitely worth reading, as it provides a good summary of the base station’s new features and how well it performs.
One of the great new features of the base station is its hard disk sharing mode, which makes any USB hard disk attached to it available over any network it supports. This feature is mentioned in the review, along with a good start on thinking about security issues associated with that sharing:
...supports the Mac-native HFS Plus (Hierarchical File System Plus) drive format and AFP, Apple’s Personal File Sharing protocol. AirPort Utility offers a variety of access controls to protect the hard drive’s files and folders, including setting up user accounts and passwords with read only or read and write permission. Individual folders can’t be separately protected, however, which prevents the feature from being as useful in larger offices.
To add to the review, the hard disk (or disks -- you can add multiple through a USB hub) are accessible on any of the three networks supported by the base station: the 802.11n wireless network that it creates, the switched Ethernet network that it creates or connects to on its so-called LAN ports, and the Ethernet network it connects to on its Ethernet WAN port (often the Internet itself, via a cable or DSL modem, but alternatively a local intranet). You can turn off the hard disk’s availability to the Internet through the AirPort Utility, which is probably a good idea in most cases. Just be sure "Share disks over Ethernet WAN port" is unchecked (as it correctly is by default).
Another security concern that the article doesn’t mention is that the hard disk is shared using the SMB (Server Message Block) protocol as well as AFP. SMB is the protocol used for Windows Sharing, so Windows machines should be able to share the hard disk as well. But Internet hackers, who often go after SMB (it’s listed as the single most-attacked service in chapter 13 of our book), could target the disk too, which is another reason to disable access to it from the Internet. Unfortunately there doesn’t seem to be a way to turn off or block SMB access.
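One way to confirm that the WAN-port setting is doing its job is to test, from a machine on the WAN side, whether the base station accepts connections on the file-sharing ports. The script below is an added example, not part of the original post or of Apple's software; the port numbers (548 for AFP, 445 and 139 for SMB) are the standard assignments rather than values given in the post, and the function names are hypothetical.

```python
import socket

# Standard TCP ports for the two sharing protocols named above
# (assumption: the post itself does not list port numbers).
SHARE_PORTS = {548: "AFP", 445: "SMB", 139: "SMB over NetBIOS"}


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (actively refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts and unreachable-network errors land here
        return "filtered"


def check_disk_exposure(host, ports=SHARE_PORTS, timeout=3.0):
    """Probe each file-sharing port and return {port: (service, state)}."""
    return {p: (name, probe(host, p, timeout)) for p, name in ports.items()}


def exposed_services(results):
    """List the services that accepted a connection."""
    return sorted({name for name, state in results.values() if state == "open"})


if __name__ == "__main__":
    import sys
    # Run from the WAN side against your own base station's WAN address,
    # e.g. python check_share.py 203.0.113.10 (a documentation-only address).
    target = sys.argv[1]
    results = check_disk_exposure(target)
    for port, (name, state) in sorted(results.items()):
        print(f"{target}:{port:<4} {name:<18} {state}")
    leaks = exposed_services(results)
    print("Disk sharing reachable via: " + ", ".join(leaks) if leaks
          else "No AFP/SMB port accepted a connection.")
```

Run it once from the LAN side as well: the ports should show as open there, which confirms that a "closed" or "filtered" result on the WAN side comes from the setting and not from sharing being off altogether.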
Finally, the software included with the base station seems to install a few interesting “add-ons” to Mac OS X Tiger (10.4). It’s unclear what these do, or what the security ramifications of them are, but be on the lookout for a strange new dialog that appears whenever a base station’s shared hard disk becomes available (for instance when you plug a new drive into the base station). That dialog is probably displayed by a new “AirPort Disk Agent” application installed and run as part of your login items. There’s also a menu-bar icon for disk sharing that can be enabled through the AirPort Disk Utility, which is itself another new software component of the system.
Friday, February 23, 2007