Security Flaw Found That Allows Control of iPhone
i_like_spam writes "The NYTimes is running a story about an iPhone flaw that has been found and documented by researchers from Independent Security Evaluators. Attackers were able to gain full control of the iPhone either through WiFi or by visiting a website with malicious code. The exploit will be demonstrated at BlackHat on Aug. 2nd at 4:45pm. Until then, 'details on the vulnerability, but not a step-by-step guide to hacking the phone, can be found at www.exploitingiphone.com, which the researchers said would be unveiled today.'"
Of course, the downside is that so can everyone else...
I am TheRaven on Soylent News
Sounds like someone's going to be getting Apple Fanboy death threats tonight....
Have a read of the technical paper from the article - Quite interesting. They used fuzzing to find a heap overflow vulnerability. They go on to talk of "Blackbox Exploitation", which I later realise has nothing to do with the cinematic genre.
As a loyal Mac user and iPhone user I have to kill you.
Signed,
Mac Zealot
My life for Aiur!....errr Steve Jobs!
"Some books contain the machinery required to create and sustain universes."-Tycho
Does that mean I can take control of an iPhone remotely and deliver a brisk shock to those smug b*stards proudly brandishing their "new baby" on the train?
Peter
It's interesting to see what the response to this will be and how long it will take for Apple to release and deploy a patch. Mobile phones don't typically have the "fast background patching" systems that PCs do (mobile data typically costs, so you can't keep checking for updates). And everyone remembers from "pre-SP2" XP what it means if it's up to the user to check and deploy patches (e.g. iTunes).
Systems like Symbian have mobile security built in from the ground up; for example, the system asks before any new application can access phone data or the network (similar to capabilities-based UNIX security).
Evidently (and, I suppose, not surprisingly), an OS X-based phone lacks these safeguards. I guess that's the real reason Apple has been refusing to permit third party phone apps on the iPhone, even though they don't cause problems on other phones: the iPhone software architecture just doesn't seem designed for it.
Apple iPhone users should be content with the finding of an exploit by responsible security researchers. Unlike InfoSec Sellout (who is likely blowing smoke up his as*), Charles Miller and the rest of the Independent Security Evaluators team should be applauded for their work. They responsibly reported the vulnerability (and a potential fix) to Apple for investigation.
The Apple community should not in any way, shape or form, harass this group like they harassed InfoSec Sellout. I.S.E. are the good guys and as a 15-year Apple veteran, I give my best to those who are out to help Apple keep security at its tightest on their products and services.
You have been iPwned!
Maybe Duke can use this exploit to shut off iPhones before they bring their entire wireless network to its knees this fall.
I cannot imagine the hole will last long or anyone will really care all that much. I've seen a number of exploits demonstrated to hack into Bluetooth-enabled phones and do malicious things like delete contact lists. This is only a hot story because of the phone's popularity.
Some people have a way with words, and some people, um, thingy.
Now let's see how long until the first iPhone patch comes out, and if any of the other glitches will be fixed at the same time or if it's strictly for security. Obviously Apple's already been working on iPhone patch #1 and is probably just about ready to push it out after a month.
One functionality change that _should_ come out of this, though - I would turn off the default behavior of scanning for open networks and asking to join them. It wastes battery power, and the pop-ups for new networks are intrusive. In its place I'd put the AirPort icon in the display full-time (instead of just replacing the EDGE "E" when you are on a WiFi network) and allow quick access from there. I think, altogether, iPhone will be a pretty secure device after the initial flushing out of bugs, but this is a little different from traditional devices. iPhone has a classic desktop OS stripped down into a cellphone, whereas other mainstream devices (Palm, Windows CE, and Symbian) were designed more as cellphone systems (or PDA systems) and scaled up.
(not replacing my iPhone with a Razr anytime soon!)
-- Josh Turiel
"2. Do not eat iPod Shuffle."
Systems like Symbian have mobile security built in from the ground up
It's a pity that they're so bug-ridden and the APIs are so fussy about inputs, and there is no proper memory protection, so it's trivially simple to make a Symbian app that breaks the security completely, reboots the phone, records phone conversations, stops the phone starting up at all, reads phone numbers etc. And because Symbian never really had any trusted source of software, anyone who installs Symbian apps is used to installing unsigned apps left, right and centre, and ignoring security warnings! Oh, not to mention that they have 3 major versions and multiple minor versions of each of the SDKs, which are all incompatible depending on which phone you are developing for, and only sometimes backwards compatible.
I'll be arriving in Vegas on the 1st for Defcon this year, so sneaking into Blackhat to see this presentation will definitely be on the top of my list of things to do.
- Aetheral Research -
What the hell are you talking about?
If I find an exploitable buffer overflow in a default Symbian application, no amount of fancy security models can prevent me from owning your phone, as the security issue resides in an already trusted application!
I don't know the newer Symbian versions 8 and 9, but till version 7 there was no security in Symbian at all. Every program could do everything. I have programmed an installation program that opened a GPRS connection, downloaded a SIS file and installed it on the Symbian phone without user interaction!!!
This was a bit tricky but it worked fine on Nokia Series 60 phones and on Sony Ericsson P800 and P900.
I don't think that Symbian managed in versions 8 and 9 to build in ground-up security, because the SDK is huge with thousands of classes.
Yeah, I can see how you're confused, because all the news outlets reporting about how the iPhone destroyed Duke's network did not bother to report that it was all made-up crap.
Last week:
This week:
Maybe at least /. could bother to retract the story?
Nah, who cares, it's just your usual weekly Apple bashing.
http://www.thebestpageintheuniverse.net/c.cgi?u=iphone
Symbian has been cracked. Every mobile OS has been cracked.
Isn't this the same Safari exploit that's been known for a while?
Java did not exist when NeXT chose Objective C as their development language. Objective C was arguably the technically most superior language for applications development. It was (is!) cleaner and more object-oriented than C++.
C-like languages may increasingly have less merit for appsdev today, but they certainly still have their place. You and I know little about the iPhone. It may indeed be the case that running a JVM on it for all apps is a poor choice.
Lies about crimes
This has reached the point of silliness. Efforts to “crack open” the iPhone have been met with large degrees of success. As has been reported elsewhere, a developer tool chain is in the early stages. The iPhone has been owned and the genie is out of the bottle. Apple, why not just open it up officially? Face up to the obvious fact that it is a hand-held computer with decent horsepower that many technology geeks will want to use creatively and constructively. Releasing official development tools will give a segment of the market what it clearly wants anyway (look at the rapid progress hackers have made) and give incentive for us hold-outs to buy-in. How much simpler does this have to get?
Why bother.
If Apple releases an iPatch, does that mean they support piracy? Arrrrrr, avast ye LAN-lubbers!
Windows CE as used in 'Windows Powered' devices is pretty much a desktop OS. The WinCE API is derived from Win32, cleaned up and modularized and with its own set of libraries and a real-time kernel. It does support a traditional embedded OS model where code is executed in place from whatever file system is wrapped around it, but the "Windows Powered" handhelds don't work that way.
The first WinCE-based handhelds were pretty much "laptop replacements" with stripped down versions of Windows applications that run by copying them from a file system to RAM, explicitly use an open/read/write/seek/close mechanism to access files, and so on. There's a set of database calls for PDA applications that run on top of this. Microsoft subsequently stripped down the applications, removed the more desktop-like ones, and repurposed Windows Powered handhelds as "Palm Killers". By the time Palm lost the plot and went haring off trying to port BeOS to the Palm in a quixotic attempt at fighting Microsoft on a field Microsoft was already abandoning, they'd done a good enough job at "cloning" enough of Palm's look and feel that their current character recognizer is a better clone of Graffiti than Palm's current offering... but under the hood they're very "desktop-like".
I haven't worked with Symbian devices, so I can't say if they're more like a stripped down desktop or a classical embedded system like Palm, but the older high-end devices certainly looked more like a desktop.
The OS isn't the problem, here. It's Safari. The comments about finding crashes in Safari make me suspect that this is probably a stack/buffer overflow attack. If it's easy to crash Safari on the iPhone then they've got problems in the implementation of Safari on the iPhone... especially in the extensions to webcore that are unique to the device. If Pocket Internet Explorer had the same problems, then Windows CE would have the same exposure (luckily for Windows CE users, Pocket IE seems to be the most secure version of IE out... probably due to the fact that it doesn't include the same kind of "active content" support as the desktop version).
And the original article is right, the presence or absence of an official dev kit has very little to do with this... it just makes it harder to switch from Safari to another browser while Apple is easing Safari on the iPhone through its birth trauma.
It's a good job there's no SDK for the iPhone, otherwise there might be security problems with the device, eh Steve?
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
Here are some more examples of Symbian security (apparently their first priority):
1. The phone randomly locks up and/or turns off - this fools 3v1L hackers.
2. Won't connect to most Bluetooth devices - keeps hackers out. Very clever!
3. When syncing contacts, it mixes up all the fields so that an 3l33t hacker won't be able to make sense of them. You won't either, but at least you're safe.
4. Apparently has a built-in function to slow all operations to a C...R...A...W...L... - this prevents hackers from using high speed automated systems to hack your phone. Ingenious!
Signed,
A proud owner of a Cingular Nokia (Swedish for moose dung) phone.
PS - Hack my phone. I dare you! Whoops . . . wait a minute. Let me reset it first.
similar to capabilities-based UNIX security...Evidently (and, I suppose, not surprisingly), an OS X-based phone lacks these safeguards.
Damn, mod parent down. Mac OS X is a UNIX-based system, and has exactly those capabilities.
I don't know what kind of crack I was on, but I suspect it was decaf.
Can anybody?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
That guys mother needs to get some windows in her basement. Those are the whitest hands I have ever seen.
... (iPhone) is a little different from traditional devices. (It) has a classic desktop OS stripped down into a cellphone, whereas mainstream other devices (Palm, Windows CE, and Symbian) were designed more as cellphone systems
The main differentiating feature of the iPhone software is that it is a brand new GUI designed specifically for a portable communicator. It is specifically and closely tailored to the physical attributes of the device and the applications it contains, and merges the software functionality with the physical functionality into a seamless whole. Its very success is tied to this integration and the fact that it does *not* simulate a desktop environment.
The main differentiating feature of WinCE/Windows Mobile (and its most touted feature on release) is that it *was* built as a clone of the Windows Desktop complete with start button and task bar. Its failures as a mobile OS are directly proportionate to the degree in which it tries to emulate a Windows desktop. It even forces users to manipulate the tiny screen of the mobile in the same way as they would a desktop (albeit a very small one), by necessitating the use of a tiny "pick" (stylus) to emulate the mouse on the reduced scale of the mobile desktop.
A breath of fresh air after Maynor and MOAB.
Apple is not losing any sleep because their handling of bugs isn't joy-making to either Maynor or LMH.
These guys are transparent and helping with the fix and should be rewarded for such.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Not in the slightest. AT&T offer Blackberries and Treos, both having official third-party development tools and mature ecosystems of third-party software (much of it free and open source). Why is the iPhone an exception?
No matter any more, however. To restate my point, with the amount of effort being poured into iPhone hacking, it will only be a matter of time before people begin developing their own applications for the device, and I suspect the caliber of those applications will be substandard—a measure of the tools. Apple and AT&T have three choices: try to put the genie back in the bottle through litigation, do nothing and let hacked third-party tool chains dominate the market, or release official SDKs and at least have some influence over the market. It should be strikingly obvious, taking history into account, that option number one will fail. Of the latter two options, guess which has the best outcome for the providers involved.
Why bother.
No... the reason they don't allow 3rd party apps is so that the EDGE network doesn't get inundated with traffic from such programs as Skype, Adium (or some other multi-protocol chat client), or even Bittorrent (although at ~200k at best, who would want to?)
What a pity it would be if nobody ever tried new, untried, and untested devices. At one point computers fell into this category.
Or maybe they thought features not available on other mobile devices would be compelling and useful. To name a few: powerful conference calling, visual voice mail, and a full-featured web browser. There is also the possibility people who bought them wanted to consolidate their phones and music players. Perhaps I am going out on a limb here. By the way, I have noted some concrete reasons here why someone might purchase an iPhone. Would you care to substantiate your comment suggesting people bought in to be cool and socially hip?
Are we discussing cars, computers, airplanes, or the iPhone?
Why bother.
Explain the intrinsic unsafeness of Objective-C, as opposed to C or C++,
All C-based languages are intrinsically unsafe, and that includes C and C++. If you use one of those languages and you don't have the development processes in place to make sure that you're producing bullet-proof applications (Apple evidently doesn't), people have a right to blame you and hold your feet to the fire over it.
as opposed to Java, and watch us fall asleep while waiting for the Conway's Life game embedded on your home page to load up.
While Java on desktops sucks, there are thousands of mobile Java apps, including several web browsers.
Using Java as the programming language for the iPhone would have made sense from every technical angle. In particular, it would have protected users against buffer overflows in application software, it would have permitted third party programming, and it would have made lots of third party apps available.
Of course, that's the reason Apple didn't do it: they want to control the platform, and they want the platform to be incompatible with the rest of the world.
Damn, mod parent down. Mac OS X is a UNIX-based system, and has exactly those capabilities.
You don't know what you're talking about. Neither UNIX nor OS X have capabilities-based security by default. The term "capabilities-based UNIX security" refers to an optional security feature available on some versions of UNIX.
You've never used an iPhone, have you? It takes this type of security to a new level.
Have you ever been to a turkish prison?
I don't believe a word of this. But we'll see. At least they claim they are going to demonstrate the hack, rather than lie about it, thumb their nose at the company, fake some "death threats" publicity and then disappear off the radar.
Fiat Homos et Pereat Theos
I don't think that Symbian managed in versions 8 and 9 to build in ground-up security, because the SDK is huge with thousands of classes.
OK, "from the ground up" is probably overstating it, but they are making an effort.
First, Symbian applications do need to get permission in order to get access to private data, phone services, and Internet services. If something equivalent were part of iPhone, it would be a lot less likely that a buffer overflow in Safari could be used to send SMSs.
Second, Java on Symbian requires user permissions for specific capabilities and protects against buffer overflows.
So, overall, while both platforms have problems, I think you're quite a bit better off running a web browser or a Java (MIDP) application on Symbian than running a Cocoa application on iPhone. And that's presumably why the iPhone isn't extensible in the first place.
I think the best long-term strategy is to run Java/MIDP on Linux, since Java/MIDP probably has the best security model among the widely-used phone application languages, and Linux has the best security and sandboxing facilities among the widely-used phone platforms. Motorola is moving in that direction, and I expect other phone manufacturers to follow; Nokia has been taking steps in that direction, too.
(And I'm saying that even though I don't particularly like Java.)
Gee, and that's only in reference to the iPhone, correct? How is the weather on Mt. Olympus, by the way?
It is bad "hygiene" to have data pushed onto the same stacks as addresses.
It's like living in India; you have to eat with a different hand than that with which you wipe your arse.
In other cultures you have toilet paper to wipe your arse, soap to wash with afterward and you can eat with knives and forks. Very high tech stuff.
It's an interesting contrast; the C programming culture is one of the oldest in the world. India is (arguably) among the oldest civilisations in the world.
Yet in both cases they have to resort to pretty primitive means to hygienically separate some basic functions such as eating, shitting and buffer overruns.
In the free world the media isn't government run; the government is media run.
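The "hygiene" point above, and the earlier comments about fuzzing turning up an overflow in a browser, come down to one pattern: a length taken from untrusted input is used to write into a fixed-size buffer that shares the stack (or heap) with control data. The following is an added example, not code from the thread or from the researchers' paper; it parses a constructed one-byte-length-prefixed record format and shows the unchecked copy beside a hardened parser that validates every length before writing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format for this example (not from the page):
 * byte 0 = declared name length, followed by that many name bytes.
 * A fuzzer mutating such a field is exactly how this class of bug is found. */
#define NAME_MAX 16

typedef struct {
    char name[NAME_MAX];   /* fixed local buffer; in a stack frame the saved
                              return address sits a few bytes beyond locals
                              like this one, which is the "same stack" problem */
    size_t name_len;
} record_t;

/* Unchecked variant: trusts the declared length. A length byte of 16 or more
 * writes past name[], and a length larger than the input reads past buf.
 * Shown only for contrast; it is never called with untrusted data here. */
void parse_record_unchecked(const uint8_t *buf, record_t *out) {
    size_t n = buf[0];
    memcpy(out->name, buf + 1, n);   /* no comparison against NAME_MAX or len */
    out->name[n] = '\0';
    out->name_len = n;
}

/* Hardened variant: both the destination size and the remaining input are
 * checked before a single byte is written. Returns false on malformed input. */
bool parse_record_checked(const uint8_t *buf, size_t len, record_t *out) {
    if (buf == NULL || out == NULL || len < 1)
        return false;
    size_t n = buf[0];
    if (n >= NAME_MAX)          /* would not fit together with the terminator */
        return false;
    if (n > len - 1)            /* declared length exceeds the bytes actually present */
        return false;
    memcpy(out->name, buf + 1, n);
    out->name[n] = '\0';
    out->name_len = n;
    return true;
}

/* Constructed sample inputs: one well-formed, one with a lying length byte
 * (the shape of input a fuzzer produces), one truncated mid-record. */
const uint8_t good_record[]      = { 5, 'a', 'l', 'i', 'c', 'e' };
const uint8_t oversize_record[]  = { 200, 'x', 'x', 'x' };
const uint8_t truncated_record[] = { 5, 'a', 'b' };

int main(void) {
    record_t r;
    printf("good:      %s\n", parse_record_checked(good_record, sizeof good_record, &r)
                              ? r.name : "rejected");
    printf("oversize:  %s\n", parse_record_checked(oversize_record, sizeof oversize_record, &r)
                              ? r.name : "rejected");
    printf("truncated: %s\n", parse_record_checked(truncated_record, sizeof truncated_record, &r)
                              ? r.name : "rejected");
    return 0;
}
```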
http://i12.tinypic.com/4kn800z.jpg
Don't worry, it's not goatse.
And it's just a joke.
Please don't mod me a troll again.
-- Boycott Shell
Hey, you described a [Siemens] TSM30 neatly! Add to that:
5.- You must reboot in order to use an MMC/SD card.
6.- You can't store files in to SIM.
7.- You can't send files by Bluetooth/IR.
I see 57005 people
More likely it's because AT&T doesn't want anyone to port VOIP applications (e.g. Skype, Vonage) to the iPhone.
I have VoIP software on my AT&T phone and on my AT&T-connected laptop, so that's clearly not the reason. It also doesn't make much sense given the pricing of voice vs. data: you get better and cheaper calling with a voice plan than with a data plan. Finally, the iPhone data plan is, effectively, more expensive than the other AT&T data plans already.
Sounds like you need to upgrade to the latest firmware. Symbian is pretty reliable compared to other smartphones.
...is updatable via iTunes so that when nasty little bugs are found they can be fixed. :)
What do those other phone manufacturers do when a vulnerability is discovered in their phones?
That article was wrong. You can look at the files yourself. It's Mach, BSD, and the Cocoa frameworks:
iPhone OS X Architecture: Cocoa Frameworks and Mobile Mac Apps
iPhone OS X Architecture: the BSD Unix Userland
iPhone OS X Architecture: Disk, Shell, and Password Security
iPhone OS X Architecture: the Mach Kernel and RAM
You can't take the sky from me...
I'll have no problems installing and/or running OS X applications such as Firefox, Entourage, Word, Dreamweaver, SuperDuper! etc...? That's great!...
I get your point, but just because Darwin runs on a hybrid BSD / Mach kernel doesn't make it OS X.
This isn't too far off from claiming Windows Mobile 6 is Windows Vista or Mobile 5 is XP, which they clearly are not. Granted, OS X is much closer to the iPhone OS, but they are two different animals and shouldn't be confused with each other. It's not even a 'watered' down version - it is entirely different both graphically and functionally and it should be treated as such.
Fact: Everything I say is fiction.